Vulnerability title
ping(8) overflow
Vulnerability description
`ping` reads raw IP packets from the network and processes responses in the `pr_pack()` function. When processing a response, `ping` must reconstruct the IP header, the ICMP header and, if present, a "quoted packet", which represents the packet that generated the ICMP error. The quoted packet in turn contains an IP header and an ICMP header.
`pr_pack()` copies the received IP and ICMP headers into stack buffers for further processing. In doing so, it does not account for the possibility that IP option headers follow the IP header in either the response or the quoted packet. When IP options are present, `pr_pack()` overflows the destination buffer by up to 40 bytes.
The memory safety bug described above can be triggered by a remote host, causing the `ping` program to crash.
On all affected FreeBSD versions, the `ping` process runs in a capability mode sandbox, so it is heavily constrained in how it can interact with the rest of the system at the point where the bug can occur.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Vulnerability category
Improper input validation
Vulnerability title
Stack overflow in ping(8)
Vulnerability description
ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response, ping has to reconstruct the IP header, the ICMP header and, if present, a "quoted packet", which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.
pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.
The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.
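The defect described above is a header copy whose destination is sized for a fixed 20-byte IPv4 header while the IHL field allows up to 60 bytes. The following C is an added illustrative example, not FreeBSD's pr_pack() or any code from the advisory: it derives the header length from IHL, rejects headers that are malformed or extend past the received data, and refuses to copy into a destination too small for the options. The packet layout it builds (IHL=15 with 40 bytes of NOP options, followed by an 8-byte ICMP header) is constructed for the demonstration; the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helpers (not FreeBSD's code) showing an IHL-aware header copy.
 * An IPv4 header is 20 bytes plus up to 40 bytes of options. */
#define IP_HDR_MIN   20
#define IP_HDR_MAX   60   /* 20 fixed + 40 bytes of options */
#define ICMP_HDR_LEN 8

/* Returns the IP header length in bytes, or -1 if the header is not IPv4,
 * claims an impossible length, or would leave no room for the ICMP header. */
int ip_header_len(const uint8_t *pkt, size_t len) {
    if (len < IP_HDR_MIN) return -1;
    if ((pkt[0] >> 4) != 4) return -1;              /* version must be 4 */
    int hl = (pkt[0] & 0x0f) * 4;                   /* IHL counts 32-bit words */
    if (hl < IP_HDR_MIN || hl > IP_HDR_MAX) return -1;
    if ((size_t)hl + ICMP_HDR_LEN > len) return -1; /* header runs past the data */
    return hl;
}

/* Copies the IP header (including any options) and the following ICMP header
 * into caller-provided buffers. Destination sizes are checked against the
 * actual header length rather than assumed to be 20 bytes.
 * Returns 0 on success, -1 if the packet is malformed or a buffer is too small. */
int copy_headers(const uint8_t *pkt, size_t len,
                 uint8_t *ip_out, size_t ip_out_len,
                 uint8_t *icmp_out, size_t icmp_out_len) {
    int hl = ip_header_len(pkt, len);
    if (hl < 0) return -1;
    if ((size_t)hl > ip_out_len || ICMP_HDR_LEN > icmp_out_len) return -1;
    memcpy(ip_out, pkt, (size_t)hl);
    memcpy(icmp_out, pkt + hl, ICMP_HDR_LEN);
    return 0;
}

/* Constructed sample packet: IPv4 header with IHL=15 (60 bytes: 20 fixed plus
 * 40 bytes of NOP options, option type 1), then an 8-byte ICMP echo reply. */
void build_sample(uint8_t *buf, size_t *len) {
    memset(buf, 0, IP_HDR_MAX + ICMP_HDR_LEN);
    buf[0] = 0x4f;                         /* version 4, IHL 15 */
    buf[9] = 1;                            /* protocol: ICMP */
    memset(buf + IP_HDR_MIN, 0x01, 40);    /* 40 bytes of NOP options */
    buf[IP_HDR_MAX] = 0;                   /* ICMP type 0: echo reply */
    *len = IP_HDR_MAX + ICMP_HDR_LEN;
}

/* Shows the failure mode: a 20-byte destination (what a fixed-size copy would
 * assume) is refused for a packet carrying options, a 60-byte one succeeds.
 * Returns 1 when both outcomes are as expected. */
int demo(void) {
    uint8_t pkt[IP_HDR_MAX + ICMP_HDR_LEN];
    size_t len;
    build_sample(pkt, &len);
    uint8_t small_ip[IP_HDR_MIN], full_ip[IP_HDR_MAX], icmp[ICMP_HDR_LEN];
    int rc_small = copy_headers(pkt, len, small_ip, sizeof small_ip, icmp, sizeof icmp);
    int rc_full  = copy_headers(pkt, len, full_ip,  sizeof full_ip,  icmp, sizeof icmp);
    return (rc_small == -1 && rc_full == 0) ? 1 : 0;
}

int main(void) {
    uint8_t pkt[IP_HDR_MAX + ICMP_HDR_LEN];
    size_t len;
    build_sample(pkt, &len);
    printf("header length: %d bytes, demo ok: %d\n", ip_header_len(pkt, len), demo());
    return 0;
}
```

The point of the check is that the destination size must be compared against the length taken from IHL, not against the 20-byte minimum; the same rule applies a second time to the quoted packet's IP header inside an ICMP error.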
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
FreeBSD security vulnerability
Vulnerability description
FreeBSD is a Unix-like operating system from the FreeBSD Foundation. FreeBSD contains a security vulnerability. An attacker can exploit it through ping to trigger a buffer overflow in FreeBSD, causing a denial of service and possibly running code.
CVSS information
N/A
Vulnerability category
Other