From raulcuza at gmail.com Mon Dec 5 09:25:01 2022
From: raulcuza at gmail.com (Raul Cuza)
Date: Mon, 5 Dec 2022 09:25:01 -0500
Subject: [talk] PingForShell
Message-ID:

I made up that name for CVE-2022-23093 and released it under the CopyHumor license.

But seriously, am I bonkers to think Hacker News is yellow journalism when it says ping can be used to take over a FreeBSD box (https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?

The FreeBSD announcement https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc clearly says it runs in a sandbox and has limited execution options.

Someone who knows more, please enlighten.

Thank you. R

From jpb at jimby.name Mon Dec 5 20:13:58 2022
From: jpb at jimby.name (jpb)
Date: Mon, 5 Dec 2022 20:13:58 -0500
Subject: [talk] PingForShell
In-Reply-To:
References:
Message-ID: <20221205201358.3d9b098c.jpb@jimby.name>

On Mon, 5 Dec 2022 09:25:01 -0500 Raul Cuza wrote:
> I made up that name for CVE-2022-23093 and released it under the CopyHumor license.
>
> But seriously, am I bonkers to think Hacker News is yellow journalism when it says ping can be used to take over a FreeBSD box (https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?
>
> The FreeBSD announcement https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc clearly says it runs in a sandbox and has limited execution options.
>
> Someone who knows more, please enlighten.
>
> Thank you. R

Hmmm...

Ping was written in 1983. Ping code was added to FreeBSD as part of the BSD 4.4 Lite sources import in 1994.

Is this one of those bugs that "has existed for years and nobody noticed it"? We're talking over 25 years of people digging around in the ping source code and nobody noticed? I find that hard to believe.

The "sandbox" comment is a reference to restructuring the code to work under Robert Watson's Capsicum libraries.
Apparently ping was placed under capsicum capability handling in 2014 (by PJD). IIRC a number of utilities were modified for capsicum usage around that time.

Any OpenBSD ppl want to comment on whether it's fixed in their tree?

Jim B.

From jim at netgate.com Mon Dec 5 23:34:07 2022
From: jim at netgate.com (Jim Thompson)
Date: Mon, 5 Dec 2022 22:34:07 -0600
Subject: [talk] PingForShell
In-Reply-To: <20221205201358.3d9b098c.jpb@jimby.name>
References: <20221205201358.3d9b098c.jpb@jimby.name>
Message-ID: <3F5CF6B4-54D7-41B5-9088-9D056C342400@netgate.com>

> On Dec 5, 2022, at 7:15 PM, jpb wrote:
>
> On Mon, 5 Dec 2022 09:25:01 -0500 Raul Cuza wrote:
>
>> I made up that name for CVE-2022-23093 and released it under the CopyHumor license.
>>
>> But seriously, am I bonkers to think Hacker News is yellow journalism when it says ping can be used to take over a FreeBSD box (https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?
>>
>> The FreeBSD announcement https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc clearly says it runs in a sandbox and has limited execution options.
>>
>> Someone who knows more, please enlighten.
>>
>> Thank you. R
>
> Hmmm...
>
> Ping was written in 1983. Ping code was added to FreeBSD as part of the BSD 4.4 Lite sources import in 1994.
>
> Is this one of those bugs that "has existed for years and nobody noticed it"? We're talking over 25 years of people digging around in the ping source code and nobody noticed? I find that hard to believe.
>
> The "sandbox" comment is a reference to restructuring the code to work under Robert Watson's Capsicum libraries.

Capsicum is much more than "libraries".
https://www.freebsd.org/cgi/man.cgi?capsicum(4)

> Apparently ping was placed under capsicum capability handling in 2014 (by PJD).

https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c

> IIRC a number of utilities were modified for capsicum usage around that time.

I've seen a bit of commentary where people inside and outside the FreeBSD project have looked at this.

Here's Ed Maste's, which references a couple of others.

https://twitter.com/ed_maste/status/1598394085324242960?s=20

Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.

Unmentioned in the article that started this thread: ping drops its privileges quite early.

That article is trash, imo.

> Any OpenBSD ppl want to comment on whether it's fixed in their tree?

This isn't an official OpenBSD tree, and I'm not an OpenBSD person, but

https://github.com/openbsd/src/commits/master/sbin/ping/ping.c

Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for OpenBSD is 2022/12/01 07:11:17.

This bug was announced 6 days ago, on 29 Nov 2022.

The comment on the first attempt might be of interest.

https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558

"Make sure the length of an unknown IP option is sensible.
For example, an unknown option with length 0 would result in an infinite loop.
bluhm points out that the network stack in the kernel would not let such packets through to userland.
tweak & OK miod
OK bluhm"

Jim
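The OpenBSD commit message quoted in the reply above is about one specific check: that the length byte of an IP option is sensible before the parser trusts it. What follows is an added example, not code from ping(8) or from the FreeBSD or OpenBSD trees, showing a minimal IPv4 options walker in C once without that check (a length of 0 never advances the cursor, an oversized length invites an over-read) and once with it. The function names, the error codes and the sample packets are my own constructions; nothing here reproduces the actual FreeBSD bug, only the class of check the commit describes.

```c
/*
 * Added example, not code from ping(8), FreeBSD or OpenBSD: walking the
 * options area of a received IPv4 header, first naively and then with the
 * length sanity checks the OpenBSD commit message describes.  All packets
 * below are constructed by hand; function and macro names are my own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL 0          /* end of option list, one byte */
#define IPOPT_NOP 1          /* no-operation, one byte */
#define IPV4_HDR_MIN 20      /* fixed header without options */
#define IPV4_HDR_MAX 60      /* IHL is a 4-bit count of 32-bit words */

/* Error codes are negative so a non-negative return is an option count. */
#define IPOPT_ERR_TRUNCATED   (-1)  /* option type present but no length byte */
#define IPOPT_ERR_BAD_LENGTH  (-2)  /* length < 2 or runs past the header */
#define IPOPT_ERR_NO_PROGRESS (-3)  /* naive loop would have spun forever */

/* Size of the options area derived from the IHL nibble, bounded by what was
 * actually received.  Returns 0..40 or IPOPT_ERR_BAD_LENGTH. */
int ipv4_options_len(const uint8_t *hdr, size_t pktlen)
{
    if (pktlen < IPV4_HDR_MIN)
        return IPOPT_ERR_BAD_LENGTH;
    size_t ihl_bytes = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl_bytes < IPV4_HDR_MIN || ihl_bytes > IPV4_HDR_MAX || ihl_bytes > pktlen)
        return IPOPT_ERR_BAD_LENGTH;
    return (int)(ihl_bytes - IPV4_HDR_MIN);
}

/* Naive walker: trusts each option's own length byte.  Length 0 never moves
 * the cursor (the infinite loop from the commit message); a length larger
 * than what remains makes any consumer that copies olen bytes read past the
 * buffer.  The iteration guard only makes the demo terminate; it is no fix. */
int walk_options_naive(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int n = 0, guard = 0;

    while (off < len) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { off++; n++; continue; }
        off += opts[off + 1];   /* no check that opts[off + 1] exists or is >= 2 */
        n++;
        if (++guard > IPV4_HDR_MAX)
            return IPOPT_ERR_NO_PROGRESS;
    }
    return n;
}

/* Checked walker: a multi-byte option must have a length byte, the length
 * must be at least 2 (type + length) so the cursor always advances, and it
 * must fit in the bytes remaining.  Unknown types are skipped by length. */
int walk_options_checked(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int n = 0;

    if (len > IPV4_HDR_MAX - IPV4_HDR_MIN)
        return IPOPT_ERR_BAD_LENGTH;
    while (off < len) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { off++; n++; continue; }
        if (off + 1 >= len)
            return IPOPT_ERR_TRUNCATED;
        uint8_t olen = opts[off + 1];
        if (olen < 2 || olen > len - off)
            return IPOPT_ERR_BAD_LENGTH;
        off += olen;
        n++;
    }
    return n;
}

/* Constructed samples (not captured traffic).  SAMPLE_PKT: IHL 8 (32-byte
 * header), then NOP, NOP, a 7-byte Record Route option, EOL and padding. */
static const uint8_t SAMPLE_PKT[] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    IPOPT_NOP, IPOPT_NOP, 7, 7, 4, 0, 0, 0, 0, IPOPT_EOL, 0, 0
};
static const uint8_t SAMPLE_ZERO_LEN[]  = { 0x7f, 0, 0, 0 };   /* unknown type, length 0 */
static const uint8_t SAMPLE_OVERLONG[]  = { 0x7f, 48, 0, 0 };  /* claims 48 bytes of 4 */
static const uint8_t SAMPLE_TRUNCATED[] = { IPOPT_NOP, 0x7f }; /* type with no length byte */

int main(void)
{
    int optlen = ipv4_options_len(SAMPLE_PKT, sizeof SAMPLE_PKT);
    printf("well-formed: optlen=%d naive=%d checked=%d\n", optlen,
           walk_options_naive(SAMPLE_PKT + IPV4_HDR_MIN, (size_t)optlen),
           walk_options_checked(SAMPLE_PKT + IPV4_HDR_MIN, (size_t)optlen));
    printf("length 0:    naive=%d checked=%d\n",
           walk_options_naive(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN),
           walk_options_checked(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    printf("overlong:    naive=%d checked=%d\n",
           walk_options_naive(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG),
           walk_options_checked(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    /* The naive walker is deliberately not run on SAMPLE_TRUNCATED: it would read opts[2]. */
    printf("truncated:   checked=%d\n",
           walk_options_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The overlong case is the one to notice: the naive walker returns a plausible count of 1 because the oversized length simply jumps the cursor past the end of the buffer, so a caller that used that length to copy the option into a fixed-size stack buffer would get no warning. The checked walker rejects both it and the zero-length option before any copy happens, which is the property the commit message is asking for.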
From george at ceetonetechnology.com Fri Dec 9 13:44:47 2022
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 9 Dec 2022 13:44:47 -0500
Subject: [talk] PingForShell
In-Reply-To: <3F5CF6B4-54D7-41B5-9088-9D056C342400@netgate.com>
References: <20221205201358.3d9b098c.jpb@jimby.name> <3F5CF6B4-54D7-41B5-9088-9D056C342400@netgate.com>
Message-ID: <350d3389-da6f-7cf4-92b8-87be9be83e8f@ceetonetechnology.com>

On 12/5/22 23:34, Jim Thompson wrote:
>> On Dec 5, 2022, at 7:15 PM, jpb wrote:
>>
>> On Mon, 5 Dec 2022 09:25:01 -0500 Raul Cuza wrote:
>>
>>> I made up that name for CVE-2022-23093 and released it under the CopyHumor license.
>>>
>>> But seriously, am I bonkers to think Hacker News is yellow journalism when it says ping can be used to take over a FreeBSD box (https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?
>>>
>>> The FreeBSD announcement https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc clearly says it runs in a sandbox and has limited execution options.
>>>
>>> Someone who knows more, please enlighten.
>>>
>>> Thank you. R
>>
>> Hmmm...
>>
>> Ping was written in 1983. Ping code was added to FreeBSD as part of the BSD 4.4 Lite sources import in 1994.
>>
>> Is this one of those bugs that "has existed for years and nobody noticed it"? We're talking over 25 years of people digging around in the ping source code and nobody noticed? I find that hard to believe.
>>
>> The "sandbox" comment is a reference to restructuring the code to work under Robert Watson's Capsicum libraries.
>
> Capsicum is much more than "libraries".
>
> https://www.freebsd.org/cgi/man.cgi?capsicum(4)
>
>> Apparently ping was placed under capsicum capability handling in 2014 (by PJD).
>
> https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c
>
>> IIRC a number of utilities were modified for capsicum usage around that time.
>
> I've seen a bit of commentary where people inside and outside the FreeBSD project have looked at this.
>
> Here's Ed Maste's, which references a couple of others.
>
> https://twitter.com/ed_maste/status/1598394085324242960?s=20
>
> Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.
>
> Unmentioned in the article that started this thread: ping drops its privileges quite early.
>
> That article is trash, imo.
>
>> Any OpenBSD ppl want to comment on whether it's fixed in their tree?
>
> This isn't an official OpenBSD tree, and I'm not an OpenBSD person, but
>
> https://github.com/openbsd/src/commits/master/sbin/ping/ping.c
>
> Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for OpenBSD is 2022/12/01 07:11:17.
>
> This bug was announced 6 days ago, on 29 Nov 2022.
>
> The comment on the first attempt might be of interest.
>
> https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558
>
> "Make sure the length of an unknown IP option is sensible.
> For example, an unknown option with length 0 would result in an infinite loop.
> bluhm points out that the network stack in the kernel would not let such packets through to userland.
> tweak & OK miod
> OK bluhm"

This is from florian@ OpenBSD on the ping issue...
https://tlakh.xyz/fuzzing-ping.html

g

From raulcuza at gmail.com Mon Dec 12 22:16:31 2022
From: raulcuza at gmail.com (Raul Cuza)
Date: Mon, 12 Dec 2022 22:16:31 -0500
Subject: [talk] PingForShell
In-Reply-To: <350d3389-da6f-7cf4-92b8-87be9be83e8f@ceetonetechnology.com>
References: <20221205201358.3d9b098c.jpb@jimby.name> <3F5CF6B4-54D7-41B5-9088-9D056C342400@netgate.com> <350d3389-da6f-7cf4-92b8-87be9be83e8f@ceetonetechnology.com>
Message-ID:

On Fri, Dec 9, 2022 at 1:46 PM George Rosamond wrote:
>
> This is from florian@ OpenBSD on the ping issue...
>
> https://tlakh.xyz/fuzzing-ping.html
>
> g
>

That's a great read. It feels so good to see programmers doing something you expect them to do, after spending day after day explaining why I won't accept the Docker container they built on their laptop and run it in production.