[talk] PingForShell

Jim Thompson jim at netgate.com
Mon Dec 5 23:34:07 EST 2022




> On Dec 5, 2022, at 7:15 PM, jpb <jpb at jimby.name> wrote:
> 
> On Mon, 5 Dec 2022 09:25:01 -0500
> Raul Cuza <raulcuza at gmail.com> wrote:
> 
>> I made up that name for CVE-2022-23093 and release it under CopyHumor
>> license.
>> 
>> But seriously am I bonkers to think Hacker news is yellow journalism
>> when it says ping can be used to take over a FreeBSD box
>> (https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?
>> 
>> The FreeBSD announcement
>> https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
>> clearly says it runs in a sandbox and has limited execution options.
>> 
>> Someone who knows more please enlighten.
>> 
>> Thank you. R
> 
> Hmmm...
> 
> Ping was written in 1983.  Ping code was added to FreeBSD as part of
> the BSD 4.4 Lite sources import in 1994.
> 
> Is this one of those bugs that "has existed for years and nobody
> noticed it"?  We're talking over 25 years of people digging around in
> the ping source code and nobody noticed?
> I find that hard to believe.
> 
> The "sandbox" comment is a reference to restructuring the code to work
> under Robert Watson's Capsicum libraries.

Capsicum is much more than “libraries”.

https://www.freebsd.org/cgi/man.cgi?capsicum(4)

> Apparently ping was
> placed under capsicum capability handling in 2014 (by PJD).

https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c

> IIRC a number of utilities were modified for capsicum usage around that time.

I’ve seen a bit of commentary where people inside and outside the FreeBSD project have looked at this. 

Here’s Ed Maste’s, which references a couple others. 

https://twitter.com/ed_maste/status/1598394085324242960?s=20

Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.

Unmentioned in the article that started this thread: ping drops its privileges quite early. 

That article is trash, imo.

> Any OpenBSD ppl want to comment on whether it's fixed in their tree?

This isn’t an official openbsd tree, and I’m not an openbsd person, but 

https://github.com/openbsd/src/commits/master/sbin/ping/ping.c

Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for openbsd is 2022/12/01 07:11:17

This bug was announced 6 days ago on 29 Nov 2022. 

The comment on the first attempt might be of interest. 

https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558

—-
Make sure the length of an unknown IP option is sensible.
For example, an unknown option with length 0 would result in an
infinite loop.
bluhm points out that the network stack in the kernel would not let
such packets through to userland.
tweak & OK miod
OK bluhm
——

Jim
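The OpenBSD commit message quoted above names the check: an unknown option whose length byte is 0 never advances the parser. As an added illustration, not code from ping, FreeBSD or OpenBSD, here is a hardened IPv4 option walk next to a bounded model of the unchecked loop; the option bytes are constructed samples and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define IPOPT_EOL 0   /* end of option list: single byte, ends the walk */
#define IPOPT_NOP 1   /* no-operation: single byte, no length field */

/* Hardened walk over an IPv4 option list (hypothetical helper, not ping's
 * code). Returns the number of options seen, or -1 if the list is malformed. */
int parse_ip_options(const uint8_t *opts, size_t len) {
    size_t i = 0;
    int count = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) return count;
        if (type == IPOPT_NOP) { i++; count++; continue; }
        if (i + 1 >= len) return -1;     /* a TLV option needs its length byte */
        uint8_t olen = opts[i + 1];
        /* Length covers the type and length bytes, so below 2 is bogus (0 would
         * leave i unchanged forever), and the option must fit the remaining list. */
        if (olen < 2 || olen > len - i) return -1;
        i += olen;
        count++;
    }
    return count;
}

/* Bounded model of the unchecked walk: returns 1 when the cursor stops
 * advancing, which an unbounded loop turns into the infinite loop described. */
int naive_walk_stalls(const uint8_t *opts, size_t len) {
    for (size_t i = 0; i < len;) {
        if (opts[i] == IPOPT_EOL) return 0;
        if (opts[i] == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;
        if (opts[i + 1] == 0) return 1;  /* i += 0: no progress */
        i += opts[i + 1];
    }
    return 0;
}

/* Constructed samples: NOP, Record Route (type 7, length 7), EOL ... */
const uint8_t good_opts[] = {0x01, 0x07, 0x07, 0x04, 0, 0, 0, 0, 0x00};
/* ... and NOP, then an unknown option (type 0x94) carrying length 0. */
const uint8_t zero_len_opts[] = {0x01, 0x94, 0x00, 0x00};

int main(void) {
    printf("good=%d zero_len=%d stalls=%d\n", parse_ip_options(good_opts, sizeof good_opts),
           parse_ip_options(zero_len_opts, sizeof zero_len_opts),
           naive_walk_stalls(zero_len_opts, sizeof zero_len_opts));
    return 0;
}
```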
