[talk] PingForShell

Jim Thompson jim at netgate.com
Mon Dec 5 23:34:07 EST 2022

> On Dec 5, 2022, at 7:15 PM, jpb <jpb at jimby.name> wrote:
> On Mon, 5 Dec 2022 09:25:01 -0500
> Raul Cuza <raulcuza at gmail.com> wrote:
>> I made up that name for CVE-2022-23093 and release it under CopyHumor
>> license.
>> But seriously am I bonkers to think Hacker news is yellow journalism
>> when it says ping can be used to take over a FreeBSD box (
>> https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html)?
>> The FreeBSD announcement
>> https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
>> clearly says it runs in a sandbox and has limited execution options.
>> Someone who knows more please enlighten.
>> Thank you. R
> Hmmm...
> Ping was written in 1983.  Ping code was added to FreeBSD as part of
> the BSD 4.4 Lite sources import in 1994.
> Is this one of those bugs that "has existed for years and nobody
> noticed it"?  We're talking over 25 years of people digging around in
> the ping source code and nobody noticed?
> I find that hard to believe.
> The "sandbox" comment is a reference to restructuring the code to work
> under Robert Watson's Capsicum libraries.

Capsicum is much more than “libraries”.


>  Apparently ping was
> placed under capsicum capability handling in 2014 (by PJD).


> IIRC a number of utilities were modified for capsicum usage around that time.

I’ve seen a bit of commentary where people inside and outside the FreeBSD project have looked at this. 

Here’s Ed Maste’s, which references a couple of others.


Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.

Unmentioned in the article that started this thread: ping drops its privileges quite early. 

That article is trash, imo.

> Any OpenBSD ppl want to comment on whether it's fixed in their tree?

This isn’t an official openbsd tree, and I’m not an openbsd person, but 


Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for openbsd is 2022/12/01 07:11:17

This bug was announced 6 days ago on 29 Nov 2022. 

The comment on the first attempt might be of interest. 


Make sure the length of an unknown IP option is sensible.
For example, an unknown option with length 0 would result in an
infinite loop.
bluhm points out that the network stack in the kernel would not let
such packets through to userland.
tweak & OK miod
OK bluhm


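The OpenBSD commit message quoted above describes the check in one sentence: an unknown IP option carries a length byte, and if that byte is 0 a loop that advances by the option length never advances. Below is an added example (my own code, not OpenBSD's or FreeBSD's ping(8)) of an IPv4 option walker with the sanity check in place. The function names, error codes and the four sample headers are constructed for illustration; the headers are not captured traffic.

```c
/* Added example: walking the IPv4 options area of a received packet with
 * the length checks the OpenBSD commit describes. Not ping(8) code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPOPT_EOL 0   /* end of option list: single byte */
#define IPOPT_NOP 1   /* no-op: single byte */
#define IPOPT_RR  7   /* record route: kind, length, pointer, slots */

/* Result codes for the walker (hypothetical names). */
enum ipopt_status {
    IPOPT_OK = 0,
    IPOPT_ERR_ZERO_LEN = -1, /* length 0: an unchecked loop would never advance */
    IPOPT_ERR_SHORT = -2,    /* length 1: no room for the length byte itself */
    IPOPT_ERR_OVERRUN = -3,  /* option claims more bytes than remain */
};

/* Walk the options area (the bytes after the fixed 20-byte header).
 * Every option other than EOL and NOP, known or unknown, is skipped by
 * its length byte, so that byte must be validated before it is used.
 * Returns IPOPT_OK and the option count, or a negative status. */
int ip_options_walk(const uint8_t *opts, size_t optlen_total, int *count)
{
    size_t i = 0;
    int n = 0;

    while (i < optlen_total) {
        uint8_t kind = opts[i];
        size_t len;

        if (kind == IPOPT_EOL) {
            n++;
            break;
        }
        if (kind == IPOPT_NOP) {
            n++;
            i++;
            continue;
        }
        if (i + 1 >= optlen_total)      /* no byte left to hold a length */
            return IPOPT_ERR_OVERRUN;
        len = opts[i + 1];
        /* The check from the commit: without it, len == 0 leaves i where
         * it is forever, and len < 2 or len past the end reads outside
         * the option. */
        if (len == 0)
            return IPOPT_ERR_ZERO_LEN;
        if (len < 2)
            return IPOPT_ERR_SHORT;
        if (len > optlen_total - i)
            return IPOPT_ERR_OVERRUN;
        n++;
        i += len;
    }
    if (count)
        *count = n;
    return IPOPT_OK;
}

/* Locate the options area from the IHL field of a raw IPv4 header and
 * run the walker over it. */
int ip_header_options_check(const uint8_t *hdr, size_t pktlen, int *count)
{
    size_t hlen;

    if (pktlen < 20)
        return IPOPT_ERR_OVERRUN;
    hlen = (size_t)(hdr[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > pktlen)
        return IPOPT_ERR_OVERRUN;
    return ip_options_walk(hdr + 20, hlen - 20, count);
}

/* Constructed sample headers (10.0.0.1 -> 10.0.0.2, proto ICMP).
 * hdr_rr: IHL 7, a valid record-route option plus one NOP of padding.
 * The other three: IHL 6, one unknown option (kind 0x1e) with a bad length. */
static const uint8_t hdr_rr[28] = {
    0x47, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, IPOPT_RR, 7, 4, 0, 0, 0, 0, IPOPT_NOP };
static const uint8_t hdr_zero_len[24] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x1e, 0x00, 0x00, 0x00 };
static const uint8_t hdr_short_len[24] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x1e, 0x01, 0x00, 0x00 };
static const uint8_t hdr_overrun[24] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x1e, 0x09, 0x00, 0x00 };

int main(void)
{
    int n = 0;
    printf("rr:      %d (options=%d)\n", ip_header_options_check(hdr_rr, sizeof hdr_rr, &n), n);
    printf("len 0:   %d\n", ip_header_options_check(hdr_zero_len, sizeof hdr_zero_len, NULL));
    printf("len 1:   %d\n", ip_header_options_check(hdr_short_len, sizeof hdr_short_len, NULL));
    printf("overrun: %d\n", ip_header_options_check(hdr_overrun, sizeof hdr_overrun, NULL));
    return 0;
}
```

The point bluhm makes in the commit applies here too: a kernel that validates IP options before delivering a raw socket packet to userland will never hand ping such a header, so this check is defence in depth in the unprivileged, sandboxed part of the program rather than a remotely reachable bug by itself.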