<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br><blockquote type="cite">On Dec 5, 2022, at 7:15 PM, jpb <jpb@jimby.name> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>On Mon, 5 Dec 2022 09:25:01 -0500</span><br><span>Raul Cuza <raulcuza@gmail.com> wrote:</span><br><span></span><br><blockquote type="cite"><span>I made up that name for CVE-2022-23093 and release it under CopyHumor</span><br></blockquote><blockquote type="cite"><span>license.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>But seriously am I bonkers to think Hacker news is yellow journalism</span><br></blockquote><blockquote type="cite"><span>when it says ping can be used to take over a FreeBSD box (</span><br></blockquote><blockquote type="cite"><span>https://www.google.com/url?q=https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html&source=gmail-imap&ust=1670894160000000&usg=AOvVaw0kHe7bJxMcXirmm2yPRYPO)?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>The FreeBSD announcement</span><br></blockquote><blockquote type="cite"><span>https://www.google.com/url?q=https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc&source=gmail-imap&ust=1670894160000000&usg=AOvVaw13mXX0HEID32TR73wc_UzN</span><br></blockquote><blockquote type="cite"><span>clearly says it runs in a sandbox and has limited execution options.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Someone who knows more please enlighten.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Thank you. R</span><br></blockquote><span></span><br><span>Hmmm...</span><br><span></span><br><span>Ping was written in 1983. Ping code was added to FreeBSD as part of</span><br><span>the BSD 4.4 Lite souces import in 1994.</span><br><span></span><br><span>Is this one of those bugs that "has existed for years and nobody</span><br><span>noticed it"? We're talking over 25 years of people digging around in</span><br><span>the ping source code and nobody noticed?</span><br><span>I find that hard to believe.</span><br><span></span><br><span>The "sandbox" commment is a reference to restructuring the code to work</span><br><span>under Robert Watson's Capsicum libraries.</span></div></blockquote><div><br></div><div>Capsicum is much more than “libraries”.</div><div><br></div><a href="https://www.freebsd.org/cgi/man.cgi?capsicum(4)">https://www.freebsd.org/cgi/man.cgi?capsicum(4)</a><div><br><blockquote type="cite"><div dir="ltr"><span> Apparently ping was was</span><br><span>placed under capsicum capability handling in 2014 (by PJD). </span></div></blockquote><div><br></div><a href="https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c">https://github.com/freebsd/freebsd-src/commit/49133c6d52243e3666e4eabdc4bf81b26b32ca7c</a></div><div><br><blockquote type="cite"><div dir="ltr"><span>IIRC a </span><span>number of utilities were modified for capsicum usage around that time.</span><br></div></blockquote><div><br></div><div><div dir="ltr" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">I’ve seen a bit of commentary where people inside and outside the FreeBSD project have looked at this. </div><div dir="ltr" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br></div><div dir="ltr" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Here’s Ed Maste’s, which references a couple others. </div><div dir="ltr" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><br></div><div dir="ltr" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><a href="https://twitter.com/ed_maste/status/1598394085324242960?s=20">https://twitter.com/ed_maste/status/1598394085324242960?s=20</a><br></div></div><div><br></div><div>Remember: you have to get someone to use ping to contact a system that is ready to send back a custom payload.</div><div><br></div><div>Unmentioned in the article that started this thread: ping drops its privileges quite early. </div><div><br></div><div>That article is trash, imo.</div><div><br></div><blockquote type="cite"><div dir="ltr"><span>Any OpenBSD ppl want to comment on whether it's fixed in their tree?</span></div></blockquote><div><br></div>This isn’t an official openbsd tree, and I’m not an openbsd person, but <div><br></div><div><a href="https://github.com/openbsd/src/commits/master/sbin/ping/ping.c">https://github.com/openbsd/src/commits/master/sbin/ping/ping.c</a></div><div><br></div><div>Fixed (the second time) 4 days ago. The timestamp of the first attempt at a fix for openbsd is 2022/12/01 07:11:17</div><div><br></div><div>This bug was announced 6 days ago on 29 Nov 2022. </div><div><br></div><div>The comment on the first attempt might be of interest. </div><div><br></div><div><a href="https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558">https://github.com/openbsd/src/commit/1c5a93032832712afc56c1f378208c802f7b2558</a></div><div><br></div><div><p class="p1" style="margin: 0px 0px 4px; font-stretch: normal; font-size: 25px; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s1" style="font-weight: bold;">—-</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">Make sure the length of an unknown IP option is sensible.</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">For example, an unknown option with length 0 would result in an</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">infinite loop.</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">bluhm points out that the network stack in the kernel would not let</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">such packets through to userland.</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">tweak & OK miod</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">OK bluhm</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2">——</span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><span class="s2"><br></span></p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;">Jim</p><p class="p2" style="margin: 0px; font-stretch: normal; line-height: normal; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); -webkit-text-size-adjust: auto;"><br></p></div></div></body></html>