Subject: Re: main_fracas
To: T@W <lsp93@xs4all.nl>
From: Stephen Brown <scbrown@netscape.com>
List: port-mac68k
Date: 05/11/2000 14:17:24
The notice sent to "current-users" says this doesn't affect Mac68k:


 * Other platforms, including the i386, m68k, pc532 and vax do not
   have alignment checking requirements and so are unaffected by this
   issue.

Look at the email archives from Sunday, May 7th for the full text...

Steve

"T@W" wrote:

> For convenience forwarded by me from:
>
> http://www.newhackcity.net
>
> ******************************************************************************
> *        advisory_id:20000504a.0              release_date:2000-05-04        *
> *                                                                            *
> *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
> * main_fracas:                                                               *
> * It is possible to cause a kernel panic on systems running NetBSD           *
> * by sending a packet remotely with an unaligned IP Timestamp option.        *
> *                                                                            *
> * affected_configurations:                                                   *
> * NetBSD 1.4.x on SPARC and Alpha platforms were tested and found to be      *
> * vulnerable. Any platform where a page fault is caused by an unaligned      *
> * memory access should also be vulnerable.                                   *
> *                                                                            *
> * unaffected_configurations:                                                 *
> * NetBSD 1.4.x on arm32 and x86 platforms were tested and found to not       *
> * panic. However, this is only because these (and a few other untested)      *
> * platforms do not page fault on unaligned memory accesses.                  *
> *                                                                            *
> * notification:                                                              *
> * This was originally reported to the NetBSD Security Alerts mailing list on *
> * March 1, 2000, which was before the release of NetBSD 1.4.2.               *
> *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
> *                   --<<instructions 4 reproduction>>--                      *
> *                                                                            *
> * 1. Download, compile, and install libnet. It can be obtained from          *
> * http://www.packetfactory.net                                               *
> *                                                                            *
> * 2. Download and compile the ISIC suite of utilities. They are at           *
> * http://expert.cc.purdue.edu/~frantzen                                      *
> *                                                                            *
> * 3. After compiling the isic utilities, run the following from your shell   *
> * of choice:                                                                 *
> * 'icmpsic -s source -d dest -r 31337 -k 218504 -p 218505'                   *
> *                                                                            *
> * where source is the source IP address (spoofed addresses work just fine),  *
> * and dest is the IP address of the NetBSD machine.                          *
> *                                                                            *
> * NOTE: For whatever reason, Linux mangles this packet before sending it. We *
> * have found that it does work correctly when sent from FreeBSD x86, NetBSD  *
> * x86, and NetBSD arm32.                                                     *
> *                                                                            *
> *                                                                            *
> * Result:                                                                    *
> * On the vulnerable platforms tested (listed above), a kernel panic results  *
> * from an unaligned memory access. Because of the ability to spoof the       *
> * packet, and the relatively small packet size, an attacker could easily     *
> * crash many NetBSD machines on a given subnet with minimal effort.          *
> *IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII*
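
For readers of this thread, an added example (not part of the advisory or of either message, and not NetBSD's code) of parsing an IP Timestamp option defensively, so that neither a bad pointer field nor an oddly placed option leads to an unaligned 32-bit load. It assumes the RFC 791 option layout (type 68, length, pointer, overflow/flag); the function, enum and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_TS  68   /* Timestamp option type, RFC 791 */
#define TS_MINPTR 5    /* smallest legal pointer value, RFC 791 */

enum ts_status { TS_OK, TS_FULL, TS_MALFORMED };

/* Validate the Timestamp option at opt[0] ('avail' option bytes remain in the
 * header) and read the first 32-bit word of the entry its pointer designates.
 * Names are hypothetical; rejecting off-boundary pointers is this example's policy. */
enum ts_status ts_read_slot(const uint8_t *opt, size_t avail, uint32_t *slot)
{
    if (avail < 4 || opt[0] != IPOPT_TS)
        return TS_MALFORMED;
    uint8_t len = opt[1], ptr = opt[2], flag = opt[3] & 0x0f;
    if (len < 4 || len > 40 || len > avail)
        return TS_MALFORMED;
    if ((flag != 0 && flag != 1 && flag != 3) || ptr < TS_MINPTR)
        return TS_MALFORMED;
    /* Entries are 4 bytes (flag 0) or 8 bytes (address + timestamp). */
    size_t entry = (flag == 0) ? 4 : 8;
    if ((size_t)(ptr - TS_MINPTR) % entry != 0)
        return TS_MALFORMED;        /* pointer not on an entry boundary */
    if (ptr > len)
        return TS_FULL;             /* RFC 791: timestamp area is full */
    size_t off = (size_t)ptr - 1;   /* the pointer field is 1-based */
    if (off + entry > len)
        return TS_MALFORMED;        /* entry would run past the option */
    /* A valid pointer says nothing about the address: the option may start at
     * any byte of the header. Assembling bytes works at any address, whereas
     * *(uint32_t *)(opt + off) can trap on strict-alignment CPUs. */
    const uint8_t *p = opt + off;
    *slot = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
            ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return TS_OK;
}

/* Constructed sample: a NOP, then a flag-0 option (len 12, ptr 5) at odd offset 1. */
static const uint8_t sample_opts[] = {
    1, 68, 12, 5, 0x00, 0x00, 0x00, 0x30, 0x39, 0, 0, 0, 0
};

int main(void)
{
    uint32_t v = 0;
    enum ts_status st = ts_read_slot(sample_opts + 1, sizeof(sample_opts) - 1, &v);
    printf("status=%d slot=%u\n", (int)st, (unsigned)v);
    return 0;
}
```
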