network stack
The unpacked packet is dispatched to the appropriate protocol handler
directly from the ipcomp protocol handler. This recursive implementation fails
to check for stack overflow, and is therefore vulnerable to a remote
pre-authentication kernel memory corruption vulnerability.
The NetBSD/KAME network stack is used as the basis for various other
operating systems, such as Xnu, FTOS, various embedded devices and
network appliances, and earlier versions of FreeBSD/OpenBSD (the code
has since been refactored, but see the NOTES section regarding IPComp
quines, which still permit remote, pre-authentication, single-packet,
spoofed-source DoS in the latest versions).
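The recursion the advisory describes, as an added example written for this page (not code from the NetBSD/KAME stack or from the advisory): a toy dispatcher that calls itself whenever the next header is IPComp, first in the unbounded shape and then with a nesting-depth cap. The packet layout ([IPComp header][inner datagram] with no real decompression), the 4096-byte probe buffer and MAX_IPCOMP_NESTING are this model's own assumptions.

```c
/* Added example for this page, not code from the NetBSD/KAME stack or the
 * advisory: a toy protocol dispatcher that recurses whenever the next header
 * is IPComp (protocol 108), contrasting unbounded recursion with a version
 * that caps nesting depth.  Simplifications that are this model's own: the
 * packet is just [IPComp header][inner datagram] with no real decompression,
 * and MAX_IPCOMP_NESTING is an assumed limit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP          6
#define PROTO_IPCOMP       108
#define IPCOMP_HDR_LEN     4      /* next header, flags, CPI (RFC 3173) */
#define MAX_IPCOMP_NESTING 8      /* assumed cap; a real stack would tune this */
#define DISPATCH_DROP      (-1)

/* Vulnerable shape: on IPComp, "decompress" and dispatch the inner datagram
 * by calling ourselves.  Each nested header costs another kernel stack frame
 * and nothing bounds how many a remote sender may stack. */
int dispatch_unbounded(uint8_t proto, const uint8_t *payload, size_t len)
{
    if (proto != PROTO_IPCOMP)
        return proto;                       /* hand to the terminal protocol */
    if (len < IPCOMP_HDR_LEN)
        return DISPATCH_DROP;
    uint8_t next = payload[0];              /* next-header field of the IPComp header */
    return dispatch_unbounded(next, payload + IPCOMP_HDR_LEN, len - IPCOMP_HDR_LEN);
}

/* Hardened shape: carry the nesting depth and drop once it reaches the cap. */
static int dispatch_bounded(uint8_t proto, const uint8_t *payload, size_t len, int depth)
{
    if (proto != PROTO_IPCOMP)
        return proto;
    if (depth >= MAX_IPCOMP_NESTING || len < IPCOMP_HDR_LEN)
        return DISPATCH_DROP;
    uint8_t next = payload[0];
    return dispatch_bounded(next, payload + IPCOMP_HDR_LEN, len - IPCOMP_HDR_LEN, depth + 1);
}

int process_packet(uint8_t proto, const uint8_t *payload, size_t len)
{
    return dispatch_bounded(proto, payload, len, 0);
}

/* Constructed input: `layers` chained IPComp headers whose innermost next
 * header is inner_proto.  Returns bytes written, 0 if it does not fit. */
size_t build_nested(uint8_t *buf, size_t cap, int layers, uint8_t inner_proto)
{
    if (layers < 1 || (size_t)layers * IPCOMP_HDR_LEN > cap)
        return 0;
    for (int i = 0; i < layers; i++) {
        uint8_t *h = buf + (size_t)i * IPCOMP_HDR_LEN;
        h[0] = (i == layers - 1) ? inner_proto : PROTO_IPCOMP;  /* next header */
        h[1] = 0;                                                /* flags */
        h[2] = 0; h[3] = 2;                                      /* CPI 2 = DEFLATE */
    }
    return (size_t)layers * IPCOMP_HDR_LEN;
}

/* Probe helpers: build an n-layer packet and run it through each dispatcher. */
int probe_unbounded(int layers)
{
    uint8_t buf[4096];
    size_t n = build_nested(buf, sizeof buf, layers, PROTO_TCP);
    return n ? dispatch_unbounded(PROTO_IPCOMP, buf, n) : DISPATCH_DROP;
}

int probe_bounded(int layers)
{
    uint8_t buf[4096];
    size_t n = build_nested(buf, sizeof buf, layers, PROTO_TCP);
    return n ? process_packet(PROTO_IPCOMP, buf, n) : DISPATCH_DROP;
}

int main(void)
{
    for (int layers = 1; layers <= 64; layers *= 4)
        printf("%2d layers: unbounded=%d bounded=%d\n", layers,
               probe_unbounded(layers), probe_bounded(layers));
    return 0;
}
```

With tiny user-space frames the unbounded version survives 64 layers here; in a kernel, where each handler frame is large and the stack is a few pages, the same input is what the advisory calls the stack-overflow path. The bounded version returns DISPATCH_DROP at the ninth layer regardless of how the inner datagrams are formed.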
> Interestingly enough, OpenBSD uses a flavor of this PRNG for
> another field, this time the IP fragmentation ID, part of the
> OpenBSD kernel network stack. The analysis carries out quite
> similarly to show that OpenBSD's IP ID is predictable as well,
> which gives way to O/S fingerprinting, idle-scanning, host alias
> detection, traffic analysis, and in some cases, even to TCP blind
> data injection.
Can you expound upon the blind TCP injection allowed by IP ID
prediction?
much like my earlier attacks on BIND 9, BIND 8 and Microsoft
Windows DNS server.
Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
Addonics was notified of the buffer overflows via ticket 497283 on March 25, 2009. Vendor acknowledgment on March 26, 2009.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
Firmware NASU2FW41 Loader1.17 is vulnerable; other versions may also be.
Exploit:
to extract the original data with access to only one of the two providers
between which the secret data is split.
* System processes started early after boot may receive predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
*Technical Description / Proof of Concept Code*
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
Reverse Engineering Dynamic Languages, a Focus on Python - Aaron
Portnoy & Ali Rizvi-Santiago, TippingPoint
All the Crap Aircrafts Receive and Send - Hendrik Scholz
Teflon: anti-stick for the browsers attack surface - Saumil Shah,
Net-Square
Hacking PXE without reboot (using the BIOS network stack for other
purposes) - Julien Vanegue, CESAR
LeakedOut: the Social Networks You Get Caught In - Jose Orlicki, Core
Dojos (September 28/29):
Reverse Code Engineering - Edgar Barbosa, COSEINC
I. Background
IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4). Many
properties of the FreeBSD IPv6 network stack can be configured via the
ioctl(2) interface.
II. Problem Description
The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check.
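The class of bug described above, as an added example for this page and not FreeBSD's code: a model of a network-interface ioctl handler with a read request anyone may issue and a write request that must be limited to privileged callers, shown in the vulnerable shape (no check on the set path) next to the fixed one. Everything in it is a stand-in: the command numbers, struct nd_ifinfo_model, struct thread and priv_check() are simplifications of the kernel's ioctl dispatch and priv_check(9), and PRIV_NETINET_ND6_MODEL is an assumed privilege identifier.

```c
/* Added example, not FreeBSD's code: a model of an interface ioctl handler
 * where the "set" request lacks a privilege check (vulnerable) and where it
 * has one (fixed).  Names and numbers are this model's own assumptions. */
#include <errno.h>
#include <stdio.h>

#define SIOCGIFINFO_IN6_MODEL  0x01   /* read per-interface IPv6/ND parameters */
#define SIOCSIFINFO_IN6_MODEL  0x02   /* write them */
#define PRIV_NETINET_ND6_MODEL 1      /* assumed privilege identifier */

struct thread { unsigned int uid; };  /* model: uid 0 is the privileged caller */

struct nd_ifinfo_model {
    unsigned int linkmtu;   /* MTU advertised to neighbours */
    unsigned int retrans;   /* NS retransmission timer, ms */
    unsigned int flags;
};

/* Stand-in for priv_check(9): only root passes. */
static int priv_check(struct thread *td, int priv)
{
    (void)priv;
    return td->uid == 0 ? 0 : EPERM;
}

/* Vulnerable shape: both requests are served without looking at the caller,
 * so any local user can rewrite the interface's link parameters. */
int if_ioctl_vulnerable(unsigned long cmd, struct nd_ifinfo_model *arg,
                        struct nd_ifinfo_model *ifinfo, struct thread *td)
{
    (void)td;
    switch (cmd) {
    case SIOCGIFINFO_IN6_MODEL: *arg = *ifinfo; return 0;
    case SIOCSIFINFO_IN6_MODEL: *ifinfo = *arg; return 0;   /* missing check */
    default:                    return EINVAL;
    }
}

/* Fixed shape: the write path asks for the privilege before any state is
 * touched; the read path stays open to everyone. */
int if_ioctl_fixed(unsigned long cmd, struct nd_ifinfo_model *arg,
                   struct nd_ifinfo_model *ifinfo, struct thread *td)
{
    switch (cmd) {
    case SIOCGIFINFO_IN6_MODEL:
        *arg = *ifinfo;
        return 0;
    case SIOCSIFINFO_IN6_MODEL: {
        int error = priv_check(td, PRIV_NETINET_ND6_MODEL);
        if (error)
            return error;
        *ifinfo = *arg;
        return 0;
    }
    default:
        return EINVAL;
    }
}

typedef int (*ioctl_fn)(unsigned long, struct nd_ifinfo_model *,
                        struct nd_ifinfo_model *, struct thread *);

/* Run a set request as `uid` against a fresh interface (MTU 1500) and return
 * the MTU afterwards; *err receives the handler's return value. */
unsigned int try_set_mtu(ioctl_fn handler, unsigned int uid, unsigned int mtu, int *err)
{
    struct nd_ifinfo_model ifinfo = { 1500, 1000, 0 };
    struct nd_ifinfo_model req = ifinfo;
    struct thread td = { uid };
    req.linkmtu = mtu;
    *err = handler(SIOCSIFINFO_IN6_MODEL, &req, &ifinfo, &td);
    return ifinfo.linkmtu;
}

int main(void)
{
    int err;
    printf("vulnerable, uid 1000: mtu=%u err=%d\n",
           try_set_mtu(if_ioctl_vulnerable, 1000, 9000, &err), err);
    printf("fixed, uid 1000:      mtu=%u err=%d\n",
           try_set_mtu(if_ioctl_fixed, 1000, 9000, &err), err);
    printf("fixed, uid 0:         mtu=%u err=%d\n",
           try_set_mtu(if_ioctl_fixed, 0, 9000, &err), err);
    return 0;
}
```

The check sits before the copy, not after it: doing the privilege test once the struct has already been written leaves the state changed even when EPERM is returned.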
references have been audited across the entire module tree, with a
number of typos and other fixes corrected in the process.
Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
time (under 2 minutes) with a very small number of requests.
Also, this attack doesn't leave any obvious tracks in the logs (only a
bunch of POST requests) and can be executed through a proxy server.
Some operating systems will handle this condition very badly.
For example in one case (a FreeBSD 7.1), the network stack completely
crashed and the server was unreachable from the local network.
I had to manually restart it from the console.
On Linux (Ubuntu), the web server will not be reachable for hours after
being attacked for 1-2 minutes.
Robert E. Lee of Outpost24 has posted a new entry describing the recent state of the TCP/IP issue,
i.e. the discussion around the TCP/IP protocol stack Denial Of Service vulnerability.
There is a FAQ-type section included too.
Link:
http://blog.robertlee.name/2008/10/more-detailed-response-to-gordons-post.html
Juha-Matti
Addonics NAS Adapter is prone to several post authentication buffer overflows. Each of these buffer overflows will crash the entire TCP/IP stack and the device will have to be power cycled to restore any functionality. Addonics currently has implemented GUI level (client side) controls for preventing long inputs, but by simply doing a direct HTTP GET request (the device doesn't use POST) this can be bypassed.
Addonics was notified of the buffer overflows via ticket 497283 submitted Monday, February 09, 2009 at 6:03:35 PM. I called Addonics 3/4/09 at 12:44, told that they have confirmed the BoF condition, and engineers are working on a fix. They released an update that did not address the fix (NASU2FW41 Loader 1.17) which made the buffer 2 characters longer in order to crash except for the SMB password.
Exploiting these issues will crash the network stack and create a Denial of Service condition.
Firmware R3282-1.33c LOADER32 1.15, and NASU2FW41 Loader1.17 are vulnerable; other versions may also be.
Exploit:
http://www.milw0rm.com/exploits/8187
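Both Addonics notices above describe the same pattern: the only length limit on a settings value is a control in the browser form, so a hand-built GET reaches an unchecked copy on the device. The following is an added example for this page, not the Addonics firmware and not the exploit linked above: a minimal server-side parser for a GET request line that copies a parameter into a fixed-size field, with the unchecked copy shown for contrast next to a version that bounds the copy and rejects the request. The parameter names, the field size SMB_PASS_CAP and the request lines are constructed for this example.

```c
/* Added example, not the Addonics firmware or the linked exploit: parsing a
 * GET query on the server and refusing over-long values instead of trusting
 * the browser-side form limit.  Names and sizes are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMB_PASS_CAP 16     /* assumed on-device field size, including NUL */

/* Copy the query part of "METHOD /path?query HTTP/1.1" into out.
 * Returns the query length, or -1 if there is no query or it does not fit. */
int extract_query(const char *request_line, char *out, size_t cap)
{
    const char *q = strchr(request_line, '?');
    if (!q) return -1;
    q++;
    const char *end = strchr(q, ' ');
    size_t len = end ? (size_t)(end - q) : strlen(q);
    if (len + 1 > cap) return -1;
    memcpy(out, q, len);
    out[len] = '\0';
    return (int)len;
}

/* Vulnerable shape: the value goes into a fixed buffer with strcpy, so a
 * value longer than SMB_PASS_CAP - 1 overruns the stack frame.  Kept only for
 * contrast; never call it with untrusted input. */
int store_smb_pass_unchecked(const char *value)
{
    char field[SMB_PASS_CAP];
    strcpy(field, value);              /* no bound: overflow on long input */
    return (int)strlen(field);
}

/* Hardened shape: find `name` in "a=1&b=2" and copy its value only if it
 * fits.  Returns the value length, -1 if absent, -2 if too long; the caller
 * rejects the request rather than truncating silently. */
int get_query_param(const char *query, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = query;
    for (;;) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        /* exact name match: "smbpassword=" must not satisfy "smbpass" */
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen + 1 > cap) return -2;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!amp) return -1;
        p = amp + 1;
    }
}

/* Handle a settings request; returns the HTTP status the device should send. */
int handle_settings_request(const char *request_line)
{
    char query[2048];
    char smb_pass[SMB_PASS_CAP];
    if (extract_query(request_line, query, sizeof query) < 0)
        return 400;
    int rc = get_query_param(query, "smbpass", smb_pass, sizeof smb_pass);
    if (rc < 0)
        return 400;     /* missing (-1) or too long (-2): reject, do not copy */
    /* ... apply smb_pass to the configuration (model) ... */
    return 200;
}

int main(void)
{
    /* Constructed requests: one the form would send, one built by hand. */
    char big[256], line[512];
    memset(big, 'A', 200);
    big[200] = '\0';
    printf("normal:  %d\n", handle_settings_request(
           "GET /cgi-bin/smb.cgi?smbpass=hunter2&share=public HTTP/1.1"));
    snprintf(line, sizeof line, "GET /cgi-bin/smb.cgi?smbpass=%s HTTP/1.1", big);
    printf("200 x A: %d\n", handle_settings_request(line));
    printf("unchecked copy of a short value stores %d bytes\n",
           store_smb_pass_unchecked("hunter2"));
    return 0;
}
```

Rejecting with 400 rather than truncating matters for the second notice's detail that a later firmware merely made the buffer two characters longer: a limit enforced by the server is independent of how the form is built and of how long the attacker's GET is.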