[talk] PingForShell
Jim Thompson
jim at netgate.com
Mon Dec 5 23:34:07 EST 2022
> On Dec 5, 2022, at 7:15 PM, jpb <jpb at jimby.name> wrote:
>
> On Mon, 5 Dec 2022 09:25:01 -0500
> Raul Cuza <raulcuza at gmail.com> wrote:
>
>> I made up that name for CVE-2022-23093 and release it under CopyHumor
>> license.
>>
>> But seriously am I bonkers to think Hacker news is yellow journalism
>> when it says ping can be used to take over a FreeBSD box (
>> https://www.google.com/url?q=https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html&source=gmail-imap&ust=1670894160000000&usg=AOvVaw0kHe7bJxMcXirmm2yPRYPO)?
>>
>> The FreeBSD announcement
>> https://www.google.com/url?q=https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc&source=gmail-imap&ust=1670894160000000&usg=AOvVaw13mXX0HEID32TR73wc_UzN
>> clearly says it runs in a sandbox and has limited execution options.
>>
>> Someone who knows more please enlighten.
>>
>> Thank you. R
>
> Hmmm...
>
> Ping was written in 1983. Ping code was added to FreeBSD as part of
> the BSD 4.4 Lite souces import in 1994.
>
> Is this one of those bugs that "has existed for years and nobody
> noticed it"? We're talking over 25 years of people digging around in
> the ping source code and nobody noticed?
> I find that hard to believe.
>
> The "sandbox" commment is a reference to restructuring the code to work
> under Robert Watson's Capsicum libraries.
Capsicum is much more than “libraries”.
https://www.freebsd.org/cgi/man.cgi?capsicum(4)
> Apparently ping was was
> placed under capsicum capability handling in 2014 (by PJD).
https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c
> IIRC a number of utilities were modified for capsicum usage around that time.
I’ve seen a bit of commentary where people inside and outside the FreeBSD project have looked at this.
Here’s Ed Maste’s, which references a couple others.
https://twitter.com/ed_maste/status/1598394085324242960?s=20
Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.
Unmentioned in the article that started this thread: ping drops its privileges quite early.
That article is trash, imo.
> Any OpenBSD ppl want to comment on whether it's fixed in their tree?
This isn’t an official openbsd tree, and I’m not an openbsd person, but
https://github.com/openbsd/src/commits/master/sbin/ping/ping.c
Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for openbsd is 2022/12/01 07:11:17
This bug was announced 6 days ago on 29 Nov 2022.
The comment on the first attempt might be of interest.
https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558
—-
Make sure the length of an unknown IP option is sensible.
For example, an unknown option with length 0 would result in an
infinite loop.
bluhm points out that the network stack in the kernel would not let
such packets through to userland.
tweak & OK miod
OK bluhm
——
Jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20221205/1c71be70/attachment.htm>
More information about the talk
mailing list