Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
*Advisory Information*
Title: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
Update+Errata for "OpenBSD DNS Cache Poisoning and Multiple O/S
Predictable IP ID Vulnerability"
(http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf)
Update
******
Hello BugTraq
Recently I've been looking at the OpenBSD PRNG implementation for
DNS transaction ID (OpenBSD ported BIND 9 into their code tree,
but rolled their own PRNG for the DNS transaction ID field). I
discovered a serious weakness in OpenBSD's PRNG, which allows an
attacker to predict the next transaction ID (typically up to 8-10
guesses) given a series of consecutive 12-15 transaction IDs. As
you may appreciate, this enables DNS cache poisoning for OpenBSD
much like my earlier attacks on BIND 9, BIND 8 and Microsoft
--------------------------------------------------------------------------------
Author : Rembrandt
Date : 2009-04-30
Found : 2009-04-09
Affected Software: PF (OpenBSD Packet Filter)
Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11
NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13
MirOS #10 and earlier
MidnightBSD 0.3-current
Not affected OS : FreeBSD
If we think with our brain and ask: "how is
team OpenBSD lying to its public?" well then the proof is in the
We have OpenBSD tell us:
"We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code"
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
> We have OpenBSD tell us:
>
> "We have never allowed US citizens or foreign citizens working in the
> US to hack on crypto code"
> http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
That statement remains true.
IPSEC isn't 100% crypto; it is a complex layered subsystem with many
other elements to it. In particular our IPSEC stack also supports the
Helith - 0815
--------------------------------------------------------------------------------
Author : Rembrandt
Date : 2009-04-09
Affected Software: OpenBSD Kernel
Affected OS : OpenBSD 4.{3,4,5}, OpenBSD-current
Probably older versions are affected as well
Type : Denial of Service
OSVDB :
> Not really - what I am not doing is trying to beat up a firmware
> problem that whilst being quite bad can be mitigated by using native
> features of Solaris. Too bad if OpenBSD cannot do the same - I am not
> really sure about the benefits of OpenBSD on that scale of hardware
> anyway considering the lack of kernel threading and the parlous state
> of userland threading.
I don't think you get it. OpenBSD doesn't care a whit about
this. They stumbled upon it as the result of bringing up OpenBSD on
such a machine. No - currently I wouldn't run OpenBSD on an M-class
Original e-mail is from Theo DeRaadt
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of
>
> Yet you don't know what it is that causes the issue? What's Sun's
> support arrangement for OpenBSD on SPARC? If it is reproduced in
> Solaris, then I'm sure Sun would address it, but where is the benefit
> for them to do so at present?
It's not about OpenBSD on sparc - the OpenBSD people don't
really care - the fact that it's possible at all means anyone with
clue and a less than black hat can go take an OpenBSD kernel, figure
out what it's doing there, and likely make a solaris kernel module
CVE: not assigned
SecurityRisk: Low
Affected Software:
This problem has been discovered on OpenBSD 4.3.
- Affected systems:
+ OpenBSD
+ NetBSD
+ FreeBSD
+ some Linux
--- 0.Description ---
Mac OS is the trademarked name for a series of graphical user interface-based operating systems developed by Apple Inc. (formerly Apple Computer, Inc.) for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface. The original form of what Apple would later name the "Mac OS" was the integral and unnamed system software first introduced in 1984 with the original Macintosh, usually referred to simply as the System software.
--- 1. MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ---
The main problem exists in the dtoa implementation. MacOS X has the same dtoa as OpenBSD, NetBSD, etc. This problem affects not only libc/gdtoa; the strtod(3) function is also affected.
For more information, please see SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
Version 4.2 is NOT affected; please alter it in the advisory
http://secunia.com/advisories/28726/ and others.
The vendor fixed this flaw in CVS on 10.10.2007.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/bgplg/bgplg.c
The updated version, OpenBSD 4.2, which was released Nov 1, 2007, is NOT
vulnerable.
I'm not surprised you didn't get any interest from Fujitsu/Sun
security people, for the reasons stated above. As for engineering, I
would expect they will only address the issue if they see a commercial
or reputational benefit in doing so (i.e. someone wants to spend a
*lot* of money on hardware to run OpenBSD, and this issue is a
show-stopper).
> On Tue, Sep 9, 2008 at 7:58 AM, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
>>
>> Sun/Fujitsu M4000-M9000 machines are very expensive multicpu sparc64
CVE: CVE-2009-0537
We are going to inform all vendors about this problem.
Affected Software (official):
- OpenBSD 4.4
/usr/src/lib/libc/gen/fts.c
- Microsoft Interix
6.0 10.0.6030.0 x86
- Microsoft Vista Enterprise
SearchIndexer.exe
--- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. K-Meleon has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and fix
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of floats, which will overwrite memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to access elements at index 16 and above of the freelist array.
This flaw was detected in May 2009 and signed SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of floats, which will overwrite memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to access elements at index 16 and above of the freelist array.
The paper
(http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf)
describes how to predict IP ID of various (BSD style) operating systems.
This can be used for "blind TCP data injection". The latter term is a
technique described by Michal Zalewski, and the paper references 2
BugTraq submissions by Zalewski that nicely explain this concept. These
are (from the paper):
[27] “A new TCP/IP blind data injection technique?” (BugTraq mailing
The main problem exists in the dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey, Chrome, Opera, etc.,
and it is the same issue as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In
physical segmentation of the hardware obviously must be completely
secure and reliable to meet Sun's promises of high availability.
Sun's system partitioning domains are supposed to be the best of the
isolation schemes in the market. But perhaps even they have problems.
During the porting of OpenBSD/sparc64 to this family of machines it
was discovered that the OS kernel can trigger a fault. This fault is
caught by the systems management controller (the XSCF, Fujitsu's
version of LOM/RSC console) which then powers the domain down, marks
the mainboard in the chassis as faulty, and refuses to allow domains
relying on that mainboard to be started.
The main problem exists in the dtoa implementation. Flock has the same dtoa as Firefox, SeaMonkey, Chrome, Opera, etc.,
and it is the same issue as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In
[#DSECRG-08-007] Digital Security Research Group [DSecRG] Advisory
Application: OpenBSD BGPD daemon
Versions Affected: OpenBSD 4.1
Vendor URL: http://openbsd.org
Bugs: XSS
Exploits: YES
Reported: 10.10.2007
--- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Opera has a very similar dtoa algorithm to the BSD, Chrome and Mozilla products. It is the same issue as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of floats, which will overwrite memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to access elements at index 16 and above of the freelist array.
> and apparently you cannot read the whole message - I said "too bad if
> OpenBSD cannot do this"...
>
> > If you put someone running OpenBSD into a zone, and that zone locks up
> > completely and cannot be reset because of a flaw Sun has now admitted,
> > then if you NEED that zone back, you have to power the machine down.
> >
>
> are you talking hardware zone or a Solaris zone? You are being sloppy
> with your terminology.
However, the web server is responding.
After I manually restart the Apache process, CPU usage gets back to normal.
However, those 65535 temporary files were not deleted.
4. PHP on OpenBSD 4.6
======================
PHP Version 5.2.10
Timeline:
12:00 - started the attack
> Interestingly enough, OpenBSD uses a flavor of this PRNG for
> another field, this time the IP fragmentation ID, part of the
> OpenBSD kernel network stack. The analysis carries out quite
> similarly to show that OpenBSD's IP ID is predictable as well,
> which gives way to O/S fingerprinting, idle-scanning, host alias
> detection, traffic analysis, and in some cases, even to TCP blind
> data injection.
Can you expound upon the blind TCP injection allowed by IP ID
prediction?
> On Sun, Sep 28, 2008 at 08:14:35PM -0600, Theo de Raadt wrote:
> >
> > OpenBSD of course cannot run in a Solaris zone.
> >
>
> Right. Glad that is clear.
>
> > OpenBSD can run in a hardware zone, and when something it does (which
> > we don't know yet) locks up that hardware zone, the only way to get
> > the hardware zone back is to POWER THE MACHINE OFF. That is a lack
On Sun, Sep 28, 2008 at 08:14:35PM -0600, Theo de Raadt wrote:
>
> OpenBSD of course cannot run in a Solaris zone.
>
Right. Glad that is clear.
> OpenBSD can run in a hardware zone, and when something it does (which
> we don't know yet) locks up that hardware zone, the only way to get
> the hardware zone back is to POWER THE MACHINE OFF. That is a lack
CORE FORCE is the first community oriented security solution for personal
computers that provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
file system and registry access control and programs' integrity
validation. These capabilities can be configured and enforced system-wide
or on a per-application basis for specific programs such as email
readers, Web browsers, media players, messaging software, etc. The
security framework provided by CORE FORCE is leveraged by a community of