[talk] PingForShell

George Rosamond george at ceetonetechnology.com
Fri Dec 9 13:44:47 EST 2022


On 12/5/22 23:34, Jim Thompson wrote:
> 
> 
> 
>> On Dec 5, 2022, at 7:15 PM, jpb <jpb at jimby.name> wrote:
>>
>> On Mon, 5 Dec 2022 09:25:01 -0500
>> Raul Cuza <raulcuza at gmail.com> wrote:
>>
>>> I made up that name for CVE-2022-23093 and release it under CopyHumor
>>> license.
>>>
>>> But seriously am I bonkers to think Hacker news is yellow journalism
>>> when it says ping can be used to take over a FreeBSD box (
>>> https://www.google.com/url?q=https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html&source=gmail-imap&ust=1670894160000000&usg=AOvVaw0kHe7bJxMcXirmm2yPRYPO)?
>>>
>>> The FreeBSD announcement
>>> https://www.google.com/url?q=https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc&source=gmail-imap&ust=1670894160000000&usg=AOvVaw13mXX0HEID32TR73wc_UzN
>>> clearly says it runs in a sandbox and has limited execution options.
>>>
>>> Someone who knows more please enlighten.
>>>
>>> Thank you. R
>>
>> Hmmm...
>>
>> Ping was written in 1983.  Ping code was added to FreeBSD as part of
>> the BSD 4.4 Lite souces import in 1994.
>>
>> Is this one of those bugs that "has existed for years and nobody
>> noticed it"?  We're talking over 25 years of people digging around in
>> the ping source code and nobody noticed?
>> I find that hard to believe.
>>
>> The "sandbox" commment is a reference to restructuring the code to work
>> under Robert Watson's Capsicum libraries.
> 
> Capsicum is much more than “libraries”.
> 
> https://www.freebsd.org/cgi/man.cgi?capsicum(4)
> 
>>  Apparently ping was was
>> placed under capsicum capability handling in 2014 (by PJD).   
> 
> https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c
> 
>> IIRC a number of utilities were modified for capsicum usage around that time.
> 
> I’ve seen a bit of commentary where people inside and outside the FreeBSD project have looked at this. 
> 
> Here’s Ed Maste’s, which references a couple others. 
> 
> https://twitter.com/ed_maste/status/1598394085324242960?s=20
> 
> Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.
> 
> Unmentioned in the article that started this thread: ping drops its privileges quite early. 
> 
> That article is trash, imo.
> 
>> Any OpenBSD ppl want to comment on whether it's fixed in their tree?
> 
> This isn’t an official openbsd tree, and I’m not an openbsd person, but 
> 
> https://github.com/openbsd/src/commits/master/sbin/ping/ping.c
> 
> Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for openbsd is 2022/12/01 07:11:17
> 
> This bug was announced 6 days ago on 29 Nov 2022. 
> 
> The comment on the first attempt might be of interest. 
> 
> https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558
> 
> —-
> Make sure the length of an unknown IP option is sensible.
> For example, an unknown option with length 0 would result in an
> infinite loop.
> bluhm points out that the network stack in the kernel would not let
> such packets through to userland.
> tweak & OK miod
> OK bluhm

This is from florian@ OpenBSD on the ping issue...

https://tlakh.xyz/fuzzing-ping.html

g




More information about the talk mailing list