NetBSD Problem Report #49860
From www@NetBSD.org Sun Apr 26 16:18:32 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 06AACA654F
for <gnats-bugs@gnats.NetBSD.org>; Sun, 26 Apr 2015 16:18:32 +0000 (UTC)
Message-Id: <20150426161831.02965A6552@mollari.NetBSD.org>
Date: Sun, 26 Apr 2015 16:18:31 +0000 (UTC)
From: 6bone@6bone.informatik.uni-leipzig.de
Reply-To: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Subject: DoS against snmpd on netbsd routers
X-Send-Pr-Version: www-1.0
>Number: 49860
>Category: pkg
>Synopsis: DoS against snmpd on netbsd routers
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: analyzed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 26 16:20:00 +0000 2015
>Closed-Date:
>Last-Modified: Sun Jun 28 15:05:53 +0000 2015
>Originator: Uwe Toenjes
>Release: pkgsrc-2015Q1
>Organization:
University of Leipzig
>Environment:
NetBSD 7.99.9 (MYCONF7.gdb) #0: Wed Apr 8 12:26:30 CEST 2015 root@:/usr/obj/sys/arch/amd64/compile/MYCONF7.gdb amd64
>Description:
IPv6 routers allow remote attackers to make the snmpd (net-snmp-5.7.3) stop working permanently. The snmpd then uses 100% CPU and does not respond to requests.
The attacker isn't sending the packets to the service itself. It only sends packets through the router!
>How-To-Repeat:
Choose a NetBSD IPv6 router with a running snmpd. Use the program thcsyn6 to scan the network located behind the router. The scan can be stopped after a few seconds. The snmpd is now running at 100% CPU and does not respond to requests.
The problem only occurs when you scan an entire subnet with the -D option. I guess the problem might be a result of the high number of concurrent NDP requests.
>Fix:
>Release-Note:
>Audit-Trail:
From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sun, 26 Apr 2015 20:19:42 +0200
On Sun, Apr 26, 2015 at 04:20:00PM +0000, 6bone@6bone.informatik.uni-leipzig.de wrote:
> IPv6 routers allow remote attackers to make the snmpd (net-snmp-5.7.3)
> stop working permanently. The snmpd then uses 100% CPU and does not
> respond to requests.
Can you ktrace it to see what it is doing? Does sockstat work fine? The
problem with net-snmp is that it is extremely messy code and quite a few
things are using kmem when they don't have to, so it is easy to hit race
conditions and the like.
Joerg
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 27 Apr 2015 15:16:11 +0200 (CEST)
On Sun, 26 Apr 2015, Joerg Sonnenberger wrote:
> Can you ktrace it to see what it is doing? Does sockstat work fine? The
> problem with net-snmp is that it is extremely messy code and quite a few
> things are using kmem when they don't have to, so it is easy to hit race
> conditions and the like.
I've never worked with ktrace. I have tested ktruss -p <pid snmpd>
The output at 100% CPU was as follows:
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
....
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
= 0x7f7feeb00000
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
...
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
= 0x7f7fee300000
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
...
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
= 0x7f7fee200000
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
...
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
= 0x7f7fedf00000
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
...
Does that help?
Regards
Uwe
From: christos@zoulas.com (Christos Zoulas)
To: 6bone@6bone.informatik.uni-leipzig.de, gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 27 Apr 2015 10:45:59 -0400
On Apr 27, 3:16pm, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
-- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
| On Sun, 26 Apr 2015, Joerg Sonnenberger wrote:
|
| > Can you ktrace it to see what it is doing? Does sockstat work fine? The
| > problem with net-snmp is that it is extremely messy code and quite a few
| > things are using kmem when they don't have to, so it is easy to hit race
| > conditions and the like.
|
| I've never worked with ktrace. I have tested ktruss -p <pid snmpd>
|
| The output at 100% CPU was as follows:
|
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ....
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
| = 0x7f7feeb00000
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
| = 0x7f7fee300000
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
| = 0x7f7fee200000
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0)
| = 0x7f7fedf00000
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754 1 snmpd __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
|
| Does that help?
Not very much, it seems to keep allocating memory... So perhaps gdb the
process, break in malloc, and print a backtrace?
$ gdb /path/to/snmpd pid-of-snmp-d
(gdb) break malloc
(gdb) continue
(gdb) where
(gdb) quit
[hopefully it [snmpd] did not die, but it could...]
christos
From: 6bone@6bone.informatik.uni-leipzig.de
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org,
pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 28 Apr 2015 08:24:00 +0200 (CEST)
On Mon, 27 Apr 2015, Christos Zoulas wrote:
> Not very much, it seems to keep allocating memory... So perhaps gdb the
> process, break in malloc, and print a backtrace?
>
> $ gdb /path/to/snmpd pid-of-snmp-d
> (gdb) break malloc
> (gdb) continue
> (gdb) where
> (gdb) quit
> [hopefully it [snmpd] did not die, but it could...]
It looks as if the breakpoint is never reached.
I have repeatedly interrupted the program and generated the output of
where.
#0 0x00007f7ff5c3b695 in snmp_oid_compare ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79d3e in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#6 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#7 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#8 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#9 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#10 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#11 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#12 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#13 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#14 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#15 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#16 0x00000000004047da in main ()
Program received signal SIGINT, Interrupt.
0x00007f7ff5c3b6a0 in snmp_oid_compare () from
/usr/pkg/lib/libnetsnmp.so.30
(gdb) where
#0 0x00007f7ff5c3b6a0 in snmp_oid_compare ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79d3e in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#6 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#7 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#8 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#9 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#10 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#11 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#12 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#13 0x00000000004047da in main ()
#0 0x00007f7ff5c3b6bb in snmp_oid_compare ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79dc4 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#6 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#7 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#8 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#9 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#10 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#11 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#12 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#13 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#14 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#15 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#16 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#17 0x00000000004047da in main ()
Program received signal SIGINT, Interrupt.
0x00007f7ff5c7909e in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
(gdb) where
#0 0x00007f7ff5c7909e in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c79dc4 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#6 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#7 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#8 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#9 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#10 0x00000000004047da in main ()
(gdb) where
#0 0x00007f7ff5c3b6aa in snmp_oid_compare ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79d3e in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#6 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#7 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#8 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#9 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#10 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#11 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#12 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#13 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#14 0x00000000004047da in main ()
Program received signal SIGINT, Interrupt.
0x00007f7ff5c7909a in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
(gdb) where
#0 0x00007f7ff5c7909a in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c79d3e in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#6 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#7 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#8 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#9 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#10 0x00000000004047da in main ()
Program received signal SIGINT, Interrupt.
0x00007f7ff5c3b695 in snmp_oid_compare () from
/usr/pkg/lib/libnetsnmp.so.30
(gdb) where
#0 0x00007f7ff5c3b695 in snmp_oid_compare ()
from /usr/pkg/lib/libnetsnmp.so.30
#1 0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
from /usr/pkg/lib/libnetsnmp.so.30
#2 0x00007f7ff5c79dc4 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#3 0x00007f7ff5c79da1 in array_qsort () from
/usr/pkg/lib/libnetsnmp.so.30
#4 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#5 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#6 0x00007f7ff788eaba in _arp_hook_update ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#7 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#8 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
from /usr/pkg/lib/libnetsnmpmibs.so.30
#9 0x00007f7ff7415d47 in _cache_load ()
from /usr/pkg/lib/libnetsnmpagent.so.30
#10 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
#11 0x00000000004047da in main ()
I tested two more breakpoints: netsnmp_access_arp_load and
_arp_hook_update.
The breakpoint netsnmp_access_arp_load never seems to be reached. The
breakpoint _arp_hook_update is reached. A loop within
netsnmp_access_arp_load?
Regards
Uwe
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org,
pkgsrc-bugs@netbsd.org, 6bone@6bone.informatik.uni-leipzig.de
Cc:
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 28 Apr 2015 08:07:21 -0400
On Apr 28, 6:25am, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
-- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
| It looks as if the breakpoint is never reached.
|
| I have repeatedly interrupted the program and generated the output of
| where.
Looks like that qsort is deadly... I wonder why it thinks it needs to
sort something all the time. The arp stuff looks suspect as expected.
(if it is related to ndp). I am not sure if I have time to optimize the
code, but using a hashmap instead of sorting seems to be a good thing
to do.
christos
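The cost of that re-sort on every lookup is easy to see in a small model. This added example is not net-snmp's or NetBSD's code; it mimics the pattern the backtrace shows (a lookup that sorts the container whenever an insert has dirtied it) and compares it with screening duplicates in a hash set and sorting once, counting comparisons over a constructed set of 1500 neighbour addresses.

```c
/* Added example, not net-snmp or NetBSD code: a model of the pattern the
 * backtrace shows (_ba_find -> Sort_Array -> array_qsort), where a lookup
 * re-sorts the whole array whenever an insert has marked it dirty. */
#include <stdio.h>
#include <stdlib.h>
static unsigned long g_compares;   /* comparisons made by qsort/bsearch */
static int cmp_u32(const void *a, const void *b)
{
    unsigned int x = *(const unsigned int *)a, y = *(const unsigned int *)b;
    g_compares++;
    return (x > y) - (x < y);
}
/* Constructed, distinct, non-zero "neighbour addresses" (Knuth multiplier). */
static unsigned int key_for(size_t i) { return (unsigned int)((i + 1) * 2654435761u); }
struct sorted_array { unsigned int *items; size_t count; int dirty; };
/* Lookup sorts first if any insert happened since the previous lookup. */
static unsigned int *sa_find(struct sorted_array *sa, unsigned int key)
{
    if (sa->dirty) {
        qsort(sa->items, sa->count, sizeof *sa->items, cmp_u32);
        sa->dirty = 0;
    }
    return bsearch(&key, sa->items, sa->count, sizeof *sa->items, cmp_u32);
}
/* Load n entries the way the trace suggests: find, then insert if absent.
 * Every insert dirties the array, so the next find pays a full sort. */
unsigned long load_find_then_insert(size_t n)
{
    struct sorted_array sa = { malloc(n * sizeof(unsigned int)), 0, 0 };
    g_compares = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned int key = key_for(i);
        if (sa_find(&sa, key) == NULL) {
            sa.items[sa.count++] = key;
            sa.dirty = 1;
        }
    }
    free(sa.items);
    return g_compares;
}
/* Same entries, but duplicates are screened in an open-addressing hash set
 * (the "hashmap instead of sorting" idea) and the array is sorted once. */
unsigned long load_hash_then_sort_once(size_t n)
{
    size_t cap = 16;
    while (cap < 2 * n) cap <<= 1;
    unsigned int *slots = calloc(cap, sizeof *slots);   /* 0 = empty slot */
    unsigned int *items = malloc(n * sizeof *items);
    size_t count = 0;
    g_compares = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned int key = key_for(i);
        size_t h = (key * 2654435761u) & (cap - 1);
        while (slots[h] != 0 && slots[h] != key)
            h = (h + 1) & (cap - 1);
        if (slots[h] == key) continue;                  /* duplicate: skip */
        slots[h] = key;
        items[count++] = key;
    }
    qsort(items, count, sizeof *items, cmp_u32);
    free(slots); free(items);
    return g_compares;
}
int main(void)
{   /* ~1500 entries: roughly the neighbour-cache size reported in this PR */
    printf("find-then-insert: %lu\nhash-then-sort-once: %lu\n",
           load_find_then_insert(1500), load_hash_then_sort_once(1500));
    return 0;
}
```

With 1500 entries the first loader spends well over a million comparisons, the second a few tens of thousands; the gap grows with the square of the cache size, which is why a flood of new neighbours pins the daemon.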
From: 6bone@6bone.informatik.uni-leipzig.de
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org,
pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sat, 2 May 2015 23:01:42 +0200 (CEST)
On Tue, 28 Apr 2015, Christos Zoulas wrote:
> Looks like that qsort is deadly... I wonder why it thinks it needs to
> sort something all the time. The arp stuff looks suspect as expected.
> (if it is related to ndp). I am not sure if I have time to optimize the
> code, but using a hashmap instead of sorting seems to be a good thing
> to do.
>
One more piece of information. In normal operation 'ndp -an | wc -l' reports
nearly 1500 entries.
During the attack ndp reports:
ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
ndp: failed to get neighbor information
ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
ndp: failed to get neighbor information
...
Could that be a problem for the snmpd?
Regards
Uwe
From: christos@zoulas.com (Christos Zoulas)
To: 6bone@6bone.informatik.uni-leipzig.de
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org,
pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sat, 2 May 2015 17:06:58 -0400
On May 2, 11:01pm, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
-- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
| On Tue, 28 Apr 2015, Christos Zoulas wrote:
|
| > Looks like that qsort is deadly... I wonder why it thinks it needs to
| > sort something all the time. The arp stuff looks suspect as expected.
| > (if it is related to ndp). I am not sure if I have time to optimize the
| > code, but using a hashmap instead of sorting seems to be a good thing
| > to do.
| >
|
| One more piece of information. In normal operation 'ndp -an | wc -l' reports
| nearly 1500 entries.
|
| During the attack ndp reports:
|
| ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
| ndp: failed to get neighbor information
| ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
| ndp: failed to get neighbor information
| ...
|
| Could that be a problem for the snmpd?
I suspect that the error handling and processing on snmpd is flawed.
Really, I should fix it... But I find the code ugly, so I don't like
working on it.
This comes from here:
		if ((error = in6_setscope(&nb_addr, ifp, NULL)) != 0)
			return error;
		s = splsoftnet();
		/* No neighbor entry (or no link-layer info) for the address:
		 * the ioctl fails with EINVAL, which is what ndp prints above. */
		if ((rt = nd6_lookup(&nb_addr, 0, ifp)) == NULL ||
		    (ln = (struct llinfo_nd6 *)rt->rt_llinfo) == NULL) {
			error = EINVAL;
			splx(s);
			break;
		}
Perhaps you can add some debugging code there and print some things?
christos
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 4 May 2015 07:45:08 +0200 (CEST)
On Sat, 2 May 2015, Christos Zoulas wrote:
I got the following tip: it looks like the inetNetToMediaTable is the
problem, so you could disable it as a workaround. Add "-I
-inetNetToMediaTable" to your snmpd command line.
The workaround helps.
Regards
Uwe
From: Robert Story <rstory@tislabs.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 4 May 2015 11:44:23 -0400
RS> On Sat, 2 May 2015, Christos Zoulas wrote:
RS>
RS> I got the following tip: it looks like the inetNetToMediaTable is the
RS> problem, so you could disable it as a workaround. Add "-I
RS> -inetNetToMediaTable" to your snmpd command line.
RS>
RS> The workaround helps.
Glad that helped. I have a couple of ideas on a real fix. Anyone got a way
to reproduce the issue that doesn't involve running a scan/attack on my
local network?
Robert
--
Senior Software Engineer @ Parsons
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 5 May 2015 12:49:05 +0200 (CEST)
On Mon, 4 May 2015, Robert Story wrote:
> Glad that helped. I have a couple of ideas on a real fix. Anyone got a way
> to reproduce the issue that doesn't involve running a scan/attack on my
> local network?
>
> Robert
Unfortunately, I don't know any other way.
Uwe
State-Changed-From-To: open->analyzed
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Sun, 28 Jun 2015 15:05:53 +0000
State-Changed-Why:
Does anyone want to fix this?
>Unformatted: