OpenBSD Journal

Errata updates

Contributed by mk/reverse on from the patch-management dept.

Brad let us know that two new errata are out:

Errata text for the first entry:

Bugs in the tcp(4) stack can lead to memory exhaustion or processing of TCP segments with invalid SACK options and cause a system crash.

Errata text for the second entry:

Due to buffer overflows in telnet(1), a malicious server or man-in-the-middle attack could allow execution of arbitrary code with the privileges of the user invoking telnet(1).

(Comments are closed)

Comments

  1. By Anonymous Coward (213.118.35.44) on

    I take it those buffer overflows would have to escape propolice first?

    Comments

    1. By tedu (64.173.147.27) on

      no, the buffer wasn't on the stack.

    2. By Otto Moerbeek (213.84.84.111) otto@drijf.net on http://www.drijf.net

      It's a heap based overflow. Propolice and other stack protection mechanisms do not protect against these type of overflows.

      W^X does offer protection against exploitation of various types of heap overflows, but not all. Direct code insertion into the heap will not work, since the heap is not excutable, but manipulation of function pointers in the heap, which point to (existing) code in the program or its libraries is still possible.

      Comments

      1. By Anthony Roberts (68.145.103.21) on

        Are there any standard, portable ways to protect against this sort of thing apart from being careful to check the size whenever you deal with the buffer?

        Comments

        1. By tedu (64.173.147.27) on

          randomization or privilege separation may help, but there's no shortcut to just writing correct code. you should always be careful to check buffer sizes. "it's on the stack; propolice will save me" is really, really the wrong attitude to take.

          Comments

          1. By Anthony Roberts (68.145.103.21) on

            Well I always do my best to write correct code, but if programmers never screwed up there'd be no need for ProPolice and W^X.

          2. By Anthony Roberts (68.145.103.21) on

            Don't interpret my post to mean that I think ProPolice or W^X are excuses to be lax about security.

            In no way do I think W^X or ProPolice mitigate the need to be careful with buffer sizes (or integer overflows, etc). Not only because they're not perfect (as this patch demonstrates) but because they're not necessarily available on other platforms.

          3. By Bert (68.50.4.145) thrashbluegrass@antisocial.com on

            Just my two cents, but Propolice, W^X, etc. are things that programmers (other than those working on those elements themselves) should be seen as being provided for sysadmins to mitigate software problems, not as something that should be assumed by developers to mitigate their need to code correctly in the first place.

      2. By Anonymous Coward (217.96.167.176) on

        Ok, so W^X still allows manipulation of function pointers in the heap. What else is not protected in OpenBSD?

        Comments

        1. By Bert (216.175.250.42) thrashbluegrass@antisocial.com on

          What else is not protected? All sorts of stuff.

          Like someone pulling the plug, or setting the box on fire.

          You do realize that, in your trolling, you reveal your ignorance, right? Manipulating function pointers is something that is _supposed_ to happen inside of programs. What would you have OS developers do? Restrict all programs to printing const strings to stdout?

        2. By tedu (69.227.45.201) on

          read the man page for malloc

      3. By Anonymous Coward (213.118.35.44) on

        Thanks a lot for clarifying that.

  2. By Chas (147.154.235.53) on

    My underpowered x86 will crash to ddb when I run bittorrent on the internal NAT. Seems to happen about every 3-10 hours. I wonder how you get ddb info into sendbug?

    Also, my two network interfaces are at ep1 and ep2. I wonder why they don't start at zero?

    Comments

    1. By SH (82.182.103.172) on

      Setup your machine to use serial console (there is a section on this in FAQ), and connect another machine using a serial cable. When you get a panic, you use the serial console on the other machine to copy/paste output of ps, trace as well as the panic message.

      Comments

      1. By Anonymous Coward (80.56.116.229) on

        To keep you from having to actively monitor the console (or rather automate the monitoring), on the box on the other end of the serial link, you might consider running Conserver : http://www.conserver.com/

  3. By Anonymous Coward (216.220.225.229) on

    Does the scrub rule prevent this attack from working?
    I always do scrub in all.

    Comments

    1. By henning (80.86.183.227) on

      scrub does not do any SACK stuff

  4. By kaip (217.30.177.41) on

    Is there a problem with the security-announce@openbsd.org, or am I missing something? The last post to the security-announce is on 14 December 2004 regarding the pfkey vulnerability. There is nothing on this year's security fixes (httpd fix on 12 January 2005, locore fixes on 28 February and 16 March 2005 and the telnet fix on 30 March 2005)...

  5. By Kevin (65.94.92.22) on

    I thought Puffy buried telnet and other crappy protocols a long time ago. Did anybody revive them ?

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]