OpenBSD flaw exploits IPv6 weakness

Researchers released an advisory today disclosing a remote kernel buffer overflow flaw in the OpenBSD operating system that they claim is the first exploitable IPv6 vulnerability to be publicly disclosed with a proof-of-concept exploit.

Discovered by experts with Core Security, the vulnerability allows attackers to gain complete control of an OpenBSD machine by sending malformed IPv6 packets.

“In order to perform such an attack, the attacker must be either on the same network as the target system or on a network that can route packets to the target system,” said Ivan Arce, CTO of Core Security.

Arce said that Core Security worked with OpenBSD developers to close the security hole in the system before disclosing the flaw. Users are highly encouraged to download the patch and recompile the kernel to secure their systems from an attack.

He said that the vulnerability highlights the fact that no operating system is impervious to security bugs, even one as hardened as OpenBSD. He also explained that this flaw should act as a warning to those deploying the IPv6 protocol.


Technical Details on Core Security

More technical details and PoC code are available on Core Security


The vulnerability is due to improper handling of kernel memory buffers using mbuf structures. It is triggered by OpenBSD-specific code at the mbuf layer that was developed to accommodate the processing of IPv6 protocol packets.

By sending fragmented ICMPv6 packets, an attacker can trigger an overflow of mbuf kernel memory structures, resulting either in remote execution of arbitrary code in kernel mode or in a kernel panic and subsequent system crash (a remote denial of service). Exploitation is accomplished by either:

1) Gaining control of execution flow by overwriting a function pointer; or
2) Performing a mirrored 4-byte arbitrary memory overwrite similar to a user-space heap overflow.

The overflowed structure is an mbuf, the structure used to store network packets in kernel memory.
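
As an added example (not code from the article or from Core Security's advisory), here is one way a defender could flag the traffic class described above, fragmented ICMPv6, in captured raw IPv6 packets. The function names and sample packets are constructed for illustration, and the check only recognises ICMPv6 placed directly after the Fragment header; fragmented ICMPv6 also occurs in legitimate traffic, so a hit is a triage signal, not proof of an attack.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60

def icmpv6_fragment_info(packet: bytes):
    """Return (offset_bytes, more_fragments, ident) for an ICMPv6 fragment, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None                      # not a complete IPv6 fixed header
    next_header, pos = packet[6], 40
    # Skip extension headers that may precede the Fragment header.
    while next_header in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if pos + 8 > len(packet):
            return None                  # truncated extension header
        next_header, ext_len = packet[pos], packet[pos + 1]
        pos += (ext_len + 1) * 8         # length field counts 8-octet units after the first
    if next_header != FRAGMENT or pos + 8 > len(packet):
        return None
    inner, _reserved, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
    if inner != ICMPV6:                  # only ICMPv6 directly after the Fragment header
        return None
    # Upper 13 bits: offset in 8-octet units; lowest bit: "more fragments" flag.
    return (off_flags & 0xFFF8, bool(off_flags & 1), ident)

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: ::1 -> ::1, hop limit 64."""
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr + addr + payload

def frag_header(inner: int, offset_bytes: int, more: bool, ident: int) -> bytes:
    """Constructed 8-byte Fragment header; offset_bytes must be a multiple of 8."""
    return struct.pack("!BBHI", inner, 0, offset_bytes | int(more), ident)

# Constructed, benign samples: an echo request split in two, plus negative cases.
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
FIRST = build_ipv6(FRAGMENT, frag_header(ICMPV6, 0, True, 0x1234) + ECHO)
LAST = build_ipv6(FRAGMENT, frag_header(ICMPV6, 8, False, 0x1234) + b"payload!")
BEHIND_HBH = build_ipv6(HOP_BY_HOP, bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
                        + frag_header(ICMPV6, 0, True, 0x1234) + ECHO)
UNFRAGMENTED = build_ipv6(ICMPV6, ECHO)
TCP_FRAGMENT = build_ipv6(FRAGMENT, frag_header(6, 0, True, 0x99) + bytes(8))
TRUNCATED = build_ipv6(FRAGMENT, b"\x3a\x00")

if __name__ == "__main__":
    for name in ("FIRST", "LAST", "BEHIND_HBH", "UNFRAGMENTED", "TCP_FRAGMENT", "TRUNCATED"):
        print(name, icmpv6_fragment_info(globals()[name]))
```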
