7th May 2000 [SBWID-127]
COMMAND
kernel
SYSTEMS AFFECTED
NetBSD 1.4.x on SPARC and Alpha
PROBLEM
Following is based on NHC Research Advisory. It is possible to
cause a kernel panic on systems running NetBSD by sending a
packet remotely with an unaligned IP Timestamp option.
Affected configurations are NetBSD 1.4.x on SPARC and Alpha
platforms were tested and found to be vulnerable. Any platform
where a page fault is caused by an unaligned memory access should
also be vulnerable. Unaffected configurations are NetBSD 1.4.x
on arm32 and x86 platforms were tested and found to not panic.
However, this is only because these (and a few other untested)
platforms do not page fault on unaligned memory accesses.
This was originally reported to the NetBSD Security Alerts mailing
list on March 1, 2000, which was before the release of NetBSD
1.4.2.
How to reproduce?
1. Download, compile, and install libnet. It can be obtained
from http://www.packetfactory.net
2. Download and compile the ISIC suite of utilities. They are
at http://expert.cc.purdue.edu/~frantzen
3. After compiling the isic utilities, run the following from
your shell of choice:
icmpsic -s source -d dest -r 31337 -k 218504 -p 218505
where source is the source IP address (spoofed addresses
work just fine), and dest is the IP address of the NetBSD
machine.
For whatever reason, Linux mangles this packet before sending it.
NHC have found that it does work correctly when sent from FreeBSD
x86, NetBSD x86, and NetBSD arm32. On the vulnerable platforms
tested (listed above), a kernel panic results from an unaligned
memory access. Because of the ability to spoof the packet, and
the relative small packet size, an attacker could easily crash
many NetBSD machines on a given subnet with minimal effort.
SOLUTION
1.4.2 is ok.