NetBSD Problem Report #49860

From www@NetBSD.org  Sun Apr 26 16:18:32 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 06AACA654F
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 26 Apr 2015 16:18:32 +0000 (UTC)
Message-Id: <20150426161831.02965A6552@mollari.NetBSD.org>
Date: Sun, 26 Apr 2015 16:18:31 +0000 (UTC)
From: 6bone@6bone.informatik.uni-leipzig.de
Reply-To: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Subject: DoS against snmpd on netbsd routers
X-Send-Pr-Version: www-1.0

>Number:         49860
>Category:       pkg
>Synopsis:       DoS against snmpd on netbsd routers
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          analyzed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 26 16:20:00 +0000 2015
>Closed-Date:    
>Last-Modified:  Sun Jun 28 15:05:53 +0000 2015
>Originator:     Uwe Toenjes
>Release:        pkgsrc-2015Q1
>Organization:
University of Leipzig
>Environment:
NetBSD 7.99.9 (MYCONF7.gdb) #0: Wed Apr  8 12:26:30 CEST 2015  root@:/usr/obj/sys/arch/amd64/compile/MYCONF7.gdb amd64
>Description:
IPv6 routers allow remote attackers to make the snmpd (net-snmp-5.7.3) stop working permanently. The snmpd then uses 100% CPU and does not respond to requests.

The attacker isn't sending the packets to the service itself. It only sends packets through the router!
>How-To-Repeat:
Choose a NetBSD IPv6 router with a running snmpd. Use the program thcsyn6 to scan the network located behind the router. The scan can be stopped after a few seconds. The snmpd is now running at 100% CPU and does not respond to requests.

The problem only occurs when you scan an entire subnet with the -D option. I guess the problem might be a result of the high number of concurrent NDP requests.

>Fix:

>Release-Note:

>Audit-Trail:
From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sun, 26 Apr 2015 20:19:42 +0200

 On Sun, Apr 26, 2015 at 04:20:00PM +0000, 6bone@6bone.informatik.uni-leipzig.de wrote:
 > IPv6 routers allow remote attackers to make the snmpd (net-snmp-5.7.3)
 > stop work permanently. The snmpd then uses 100% CPU and does not
 > respond to requests.

 Can you ktrace it to see what it is doing? Does sockstat work fine? The
 problem with net-snmp is that it is extremely messy code and quite a few
 things are using kmem when they don't have to, so it is easy to hit race
 conditions and the like.

 Joerg

From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 27 Apr 2015 15:16:11 +0200 (CEST)

 On Sun, 26 Apr 2015, Joerg Sonnenberger wrote:

 > Can you ktrace it to see what it is doing? Does sockstat work fine? The
 > problem with net-snmp is that it is extremely messy code and quite a few
 > things are using kmem when they don't have to, so it is easy to hit race
 > conditions and the like.

 I've never worked with ktrace. I have tested ktruss -p <pid snmpd>

 The output at 100% CPU was as follows:

 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 ....
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 = 0x7f7feeb00000
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 ...
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 = 0x7f7fee300000
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 ...
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 = 0x7f7fee200000
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 ...
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 = 0x7f7fedf00000
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 ...

 Does that help?

 Regards
 Uwe

From: christos@zoulas.com (Christos Zoulas)
To: 6bone@6bone.informatik.uni-leipzig.de, gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 27 Apr 2015 10:45:59 -0400

 On Apr 27,  3:16pm, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
 -- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers

 | On Sun, 26 Apr 2015, Joerg Sonnenberger wrote:
 | 
 | > Can you ktrace it to see what it is doing? Does sockstat work fine? The
 | > problem with net-snmp is that it is extremely messy code and quite a few
 | > things are using kmem when they don't have to, so it is easy to hit race
 | > conditions and the like.
 | 
 | I've never worked with ktrace. I have tested ktruss -p <pid snmpd>
 | 
 | The output at 100% CPU was as follows:
 | 
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | ....
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 | = 0x7f7feeb00000
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | ...
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 | = 0x7f7fee300000
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | ...
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 | = 0x7f7fee200000
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | ...
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
 | = 0x7f7fedf00000
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
 | ...
 | 
 | Does that help?

 Not very much, it seems to keep allocating memory... So perhaps gdb the
 process, break in malloc, and print a backtrace?

 $ gdb /path/to/snmpd pid-of-snmp-d
 (gdb) break malloc
 (gdb) continue
 (gdb) where
 (gdb) quit
 [hopefully it [snmpd] did not die, but it could...]

 christos

From: 6bone@6bone.informatik.uni-leipzig.de
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org, 
    pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 28 Apr 2015 08:24:00 +0200 (CEST)

 On Mon, 27 Apr 2015, Christos Zoulas wrote:

 > Not very much, it seems to keep allocating memory... So perhaps gdb the
 > process, break in malloc, and print a backtrace?
 >
 > $ gdb /path/to/snmpd pid-of-snmp-d
 > (gdb) break malloc
 > (gdb) continue
 > (gdb) where
 > (gdb) quit
 > [hopefully it [snmpd] did not die, but it could...]

 It looks as if the breakpoint is never reached.

 I have repeatedly interrupted the program and generated the output of 
 where.


 #0  0x00007f7ff5c3b695 in snmp_oid_compare ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79d3e in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #6  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #7  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #8  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #9  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #10 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #11 0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #12 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #13 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #14 0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #15 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #16 0x00000000004047da in main ()


 Program received signal SIGINT, Interrupt.
 0x00007f7ff5c3b6a0 in snmp_oid_compare () from 
 /usr/pkg/lib/libnetsnmp.so.30
 (gdb) where
 #0  0x00007f7ff5c3b6a0 in snmp_oid_compare ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79d3e in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #6  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #7  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #8  0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #9  0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #10 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #11 0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #12 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #13 0x00000000004047da in main ()

 #0  0x00007f7ff5c3b6bb in snmp_oid_compare ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79dc4 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #6  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #7  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #8  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #9  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #10 0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #11 0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #12 0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #13 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #14 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #15 0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #16 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #17 0x00000000004047da in main ()


 Program received signal SIGINT, Interrupt.
 0x00007f7ff5c7909e in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 (gdb) where
 #0  0x00007f7ff5c7909e in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c79dc4 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #6  0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #7  0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #8  0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #9  0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #10 0x00000000004047da in main ()


 (gdb) where
 #0  0x00007f7ff5c3b6aa in snmp_oid_compare ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79d3e in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #6  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #7  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #8  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #9  0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #10 0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #11 0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #12 0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #13 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #14 0x00000000004047da in main ()


 Program received signal SIGINT, Interrupt.
 0x00007f7ff5c7909a in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 (gdb) where
 #0  0x00007f7ff5c7909a in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c79d3e in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #6  0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #7  0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #8  0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #9  0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #10 0x00000000004047da in main ()

 Program received signal SIGINT, Interrupt.
 0x00007f7ff5c3b695 in snmp_oid_compare () from 
 /usr/pkg/lib/libnetsnmp.so.30
 (gdb) where
 #0  0x00007f7ff5c3b695 in snmp_oid_compare ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index ()
     from /usr/pkg/lib/libnetsnmp.so.30
 #2  0x00007f7ff5c79dc4 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #3  0x00007f7ff5c79da1 in array_qsort () from 
 /usr/pkg/lib/libnetsnmp.so.30
 #4  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
 #5  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
 #6  0x00007f7ff788eaba in _arp_hook_update ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #7  0x00007f7ff78b5277 in netsnmp_access_arp_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #8  0x00007f7ff788ee26 in inetNetToMediaTable_container_load ()
     from /usr/pkg/lib/libnetsnmpmibs.so.30
 #9  0x00007f7ff7415d47 in _cache_load ()
     from /usr/pkg/lib/libnetsnmpagent.so.30
 #10 0x00007f7ff5c5e5b3 in run_alarms () from /usr/pkg/lib/libnetsnmp.so.30
 #11 0x00000000004047da in main ()


 I tested two more breakpoints: netsnmp_access_arp_load and 
 _arp_hook_update.

 The breakpoint netsnmp_access_arp_load seems never to be reached. The 
 breakpoint _arp_hook_update is reached. A loop within 
 netsnmp_access_arp_load?


 Regards
 Uwe
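
 The manual sampling above (interrupt under gdb, run "where", repeat) is a
 poor man's profiler. The script below is an added example, not part of this
 PR or of net-snmp: it automates the loop with gdb in batch mode and ranks
 the functions that show up across samples, counting each function once per
 sample so the recursive array_qsort frames are not over-weighted. The
 function names, the one-second default interval and the three embedded
 sample stacks (constructed by shortening the traces posted above) are this
 example's own; "gdb -batch -p PID -ex bt" needs a gdb that can attach and
 ptrace permission on the target.

```shell
#!/bin/sh
# Added example (not from PR 49860 or net-snmp): automate the "interrupt and
# run where" loop and rank the hot frames.  Function names and sample data are
# this example's own; gdb must be installed and allowed to attach to PID.

# sample_backtraces PID [COUNT] [INTERVAL]: COUNT backtraces of PID, one per
# INTERVAL seconds, each terminated by a "---" line.  Attaching stops the
# target only while gdb prints the stack, so the spinning process survives.
sample_backtraces() {
    pid=$1; count=${2:-20}; interval=${3:-1}
    i=0
    while [ "$i" -lt "$count" ]; do
        gdb -batch -p "$pid" -ex bt 2>/dev/null
        echo "---"
        i=$((i + 1))
        sleep "$interval"
    done
}

# rank_frames: read samples from stdin, print "SAMPLES TOPMOST FUNCTION"
# lines, most frequent first.  SAMPLES is the number of samples in which the
# function appears anywhere on the stack (once per sample, however many
# recursive frames it occupies); TOPMOST is how often it was frame #0, i.e.
# where the CPU time actually goes.
rank_frames() {
    awk '
        /^#[0-9]+ / {
            # "#N  0xADDR in func () from lib"  or  "#N  func (...) at file:line"
            fn = ""
            for (i = 2; i <= NF; i++) if ($i == "in") { fn = $(i + 1); break }
            if (fn == "") fn = $2
            if (!(fn in seen)) { seen[fn] = 1; total[fn]++ }
            if ($1 == "#0") top[fn]++
        }
        /^---$/ { for (k in seen) delete seen[k] }
        END { for (f in total) printf "%d %d %s\n", total[f], top[f] + 0, f }
    ' | LC_ALL=C sort -k1,1nr -k2,2nr -k3
}

# Three constructed samples, shortened from the traces posted in this PR, so
# rank_frames can be exercised without a live snmpd.
SAMPLE_INPUT='#0  0x00007f7ff5c3b695 in snmp_oid_compare () from /usr/pkg/lib/libnetsnmp.so.30
#1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index () from /usr/pkg/lib/libnetsnmp.so.30
#2  0x00007f7ff5c79d3e in array_qsort () from /usr/pkg/lib/libnetsnmp.so.30
#3  0x00007f7ff5c79da1 in array_qsort () from /usr/pkg/lib/libnetsnmp.so.30
#4  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#5  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#6  0x00007f7ff788eaba in _arp_hook_update () from /usr/pkg/lib/libnetsnmpmibs.so.30
#7  0x00000000004047da in main ()
---
#0  0x00007f7ff5c7909e in netsnmp_compare_netsnmp_index () from /usr/pkg/lib/libnetsnmp.so.30
#1  0x00007f7ff5c79dc4 in array_qsort () from /usr/pkg/lib/libnetsnmp.so.30
#2  0x00007f7ff5c79da1 in array_qsort () from /usr/pkg/lib/libnetsnmp.so.30
#3  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#4  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#5  0x00007f7ff788eaba in _arp_hook_update () from /usr/pkg/lib/libnetsnmpmibs.so.30
#6  0x00000000004047da in main ()
---
#0  0x00007f7ff5c3b6aa in snmp_oid_compare () from /usr/pkg/lib/libnetsnmp.so.30
#1  0x00007f7ff5c790aa in netsnmp_compare_netsnmp_index () from /usr/pkg/lib/libnetsnmp.so.30
#2  0x00007f7ff5c79d3e in array_qsort () from /usr/pkg/lib/libnetsnmp.so.30
#3  0x00007f7ff5c79e43 in Sort_Array () from /usr/pkg/lib/libnetsnmp.so.30
#4  0x00007f7ff5c7a3c1 in _ba_find () from /usr/pkg/lib/libnetsnmp.so.30
#5  0x00007f7ff788eaba in _arp_hook_update () from /usr/pkg/lib/libnetsnmpmibs.so.30
#6  0x00000000004047da in main ()
---'

# rank_sample: the constructed samples ranked, i.e. what a live run prints.
rank_sample() { printf '%s\n' "$SAMPLE_INPUT" | rank_frames; }

# Usage on the router:  ./hotframes.sh "$(cat /var/run/snmpd.pid)" 30 1
if [ "$#" -gt 0 ]; then
    sample_backtraces "$1" "${2:-20}" "${3:-1}" | rank_frames
else
    rank_sample
fi
```

 On the constructed samples the first line is "3 1 netsnmp_compare_netsnmp_index"
 and the last is "2 2 snmp_oid_compare": every sample sits under
 _arp_hook_update/_ba_find/Sort_Array, and the topmost frame is always the
 index comparison, which is the same picture the hand-collected traces give.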

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org, 
	pkgsrc-bugs@netbsd.org, 6bone@6bone.informatik.uni-leipzig.de
Cc: 
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 28 Apr 2015 08:07:21 -0400

 On Apr 28,  6:25am, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
 -- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers

 |  It looks as if the breakpoint is never reached.
 |  
 |  I have repeatedly interrupted the program and generated the output of 
 |  where.

 Looks like that qsort is deadly... I wonder why it thinks it needs to
 sort something all the time. The arp stuff looks suspect as expected.
 (if it is related to ndp). I am not sure if I have time to optimize the
 code, but using a hashmap instead of sorting seems to be a good thing
 to do.

 christos

From: 6bone@6bone.informatik.uni-leipzig.de
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org, 
    pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sat, 2 May 2015 23:01:42 +0200 (CEST)

 On Tue, 28 Apr 2015, Christos Zoulas wrote:

 > Looks like that qsort is deadly... I wonder why it thinks it needs to
 > sort something all the time. The arp stuff looks suspect as expected.
 > (if it is related to ndp). I am not sure if I have time to optimize the
 > code, but using a hashmap instead of sorting seems to be a good thing
 > to do.
 >

 One more piece of information: in normal operation 'ndp -an | wc -l' reports 
 nearly 1500 entries.

 During the attack ndp reports:

 ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
 ndp: failed to get neighbor information
 ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
 ndp: failed to get neighbor information
 ...

 Could that be a problem for the snmpd?

 Regards
 Uwe

From: christos@zoulas.com (Christos Zoulas)
To: 6bone@6bone.informatik.uni-leipzig.de
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, gnats-admin@netbsd.org, 
	pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Sat, 2 May 2015 17:06:58 -0400

 On May 2, 11:01pm, 6bone@6bone.informatik.uni-leipzig.de (6bone@6bone.informatik.uni-leipzig.de) wrote:
 -- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers

 | On Tue, 28 Apr 2015, Christos Zoulas wrote:
 | 
 | > Looks like that qsort is deadly... I wonder why it thinks it needs to
 | > sort something all the time. The arp stuff looks suspect as expected.
 | > (if it is related to ndp). I am not sure if I have time to optimize the
 | > code, but using a hashmap instead of sorting seems to be a good thing
 | > to do.
 | >
 | 
 | One more piece of information: in normal operation 'ndp -an | wc -l' reports 
 | nearly 1500 entries.
 | 
 | During the attack ndp reports:
 | 
 | ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
 | ndp: failed to get neighbor information
 | ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
 | ndp: failed to get neighbor information
 | ...
 | 
 | Could that be a problem for the snmpd?

 I suspect that the error handling and processing on snmpd is flawed.
 Really, I should fix it... But I find the code ugly, so I don't like
 working on it.

 This comes from here: 
                 if ((error = in6_setscope(&nb_addr, ifp, NULL)) != 0)
                         return error;

                 s = splsoftnet();
                 if ((rt = nd6_lookup(&nb_addr, 0, ifp)) == NULL ||
                     (ln = (struct llinfo_nd6 *)rt->rt_llinfo) == NULL) {
                         error = EINVAL;
                         splx(s);
                         break;
                 }

 Perhaps you can add some debugging code there and print some things?

 christos

From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 4 May 2015 07:45:08 +0200 (CEST)

 On Sat, 2 May 2015, Christos Zoulas wrote:

 I got the following tip: it looks like the inetNetToMediaTable is the 
 problem, so you could disable it as a workaround. Add "-I 
 -inetNetToMediaTable" to your snmpd command line.

 The workaround helps.



 Regards
 Uwe
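
 The workaround above is a command-line flag, so on a router it only sticks
 if it ends up in rc.conf, and it is easy to get wrong when snmpd_flags
 already carries an "-I -..." exclusion list. The script below is an added
 example, not part of this PR or of net-snmp: it merges the exclusion into an
 existing snmpd_flags value idempotently, rewrites /etc/rc.conf with a backup,
 and afterwards checks that the agent still answers while the neighbour table
 is gone. It assumes the pkgsrc rc.d script for snmpd (which takes its
 arguments from snmpd_flags in /etc/rc.conf) and that the inetNetToMediaTable
 module is what serves IP-MIB::ipNetToPhysicalTable (.1.3.6.1.2.1.4.35);
 function names, host and community are placeholders of this example.

```shell
#!/bin/sh
# Added example (not from PR 49860 or net-snmp): make the "-I -inetNetToMediaTable"
# workaround persistent on a NetBSD router and verify it.  Assumes the pkgsrc
# rc.d script for snmpd, which reads snmpd_flags from /etc/rc.conf, and that
# the module backs IP-MIB::ipNetToPhysicalTable (.1.3.6.1.2.1.4.35).  Function
# names, host and community are placeholders.

MODULE=inetNetToMediaTable
RC_CONF=${RC_CONF:-/etc/rc.conf}

# add_excluded_module FLAGS MODULE: print FLAGS with MODULE added to the
# "-I -a,b" exclusion list.  An existing list is extended instead of adding a
# second -I, and FLAGS is printed unchanged if MODULE is already excluded.
add_excluded_module() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        {
            handled = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-I" && substr($(i + 1), 1, 1) == "-") {
                    n = split(substr($(i + 1), 2), list, ",")
                    found = 0
                    for (j = 1; j <= n; j++) if (list[j] == mod) found = 1
                    if (!found) $(i + 1) = $(i + 1) "," mod
                    handled = 1
                }
            }
            if (!handled) $0 = $0 (NF ? " " : "") "-I -" mod
            print
        }'
}

# module_excluded FLAGS MODULE: exit 0 if MODULE is in the "-I -" list of FLAGS
module_excluded() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "-I" && substr($(i + 1), 1, 1) == "-") {
                    n = split(substr($(i + 1), 2), list, ",")
                    for (j = 1; j <= n; j++) if (list[j] == mod) found = 1
                }
        }
        END { exit !found }'
}

# apply_workaround: rewrite snmpd_flags in RC_CONF (run as root on the router),
# keeping a backup, then restart snmpd through the rc.d script.
apply_workaround() {
    current=$(sed -n 's/^snmpd_flags="\(.*\)"$/\1/p' "$RC_CONF" | tail -n 1)
    new=$(add_excluded_module "$current" "$MODULE")
    cp "$RC_CONF" "$RC_CONF.bak" || return 1
    { grep -v '^snmpd_flags=' "$RC_CONF.bak"; printf 'snmpd_flags="%s"\n' "$new"; } > "$RC_CONF"
    /etc/rc.d/snmpd restart
}

# verify_workaround [HOST] [COMMUNITY]: the agent must still answer sysUpTime.0,
# and a walk of ipNetToPhysicalTable must return no rows (numeric OIDs are
# used so the check does not depend on MIB files being installed).
verify_workaround() {
    host=${1:-localhost}; community=${2:-public}
    snmpget -v2c -c "$community" "$host" .1.3.6.1.2.1.1.3.0 >/dev/null || return 1
    snmpwalk -v2c -On -c "$community" "$host" .1.3.6.1.2.1.4.35 2>/dev/null |
        grep -q '^\.1\.3\.6\.1\.2\.1\.4\.35\.1\.' && return 1
    return 0
}

# Usage on the router:  ./snmpd-workaround.sh apply && ./snmpd-workaround.sh verify
case "${1:-}" in
    apply)  apply_workaround ;;
    verify) verify_workaround "${2:-localhost}" "${3:-public}" ;;
esac
```

 Running "verify" before "apply" is a useful baseline: on an affected router
 the walk should still list neighbour rows at that point, and on a router
 that is already spinning the sysUpTime get times out, which is the symptom
 this PR describes.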

From: Robert Story <rstory@tislabs.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Mon, 4 May 2015 11:44:23 -0400


 RS>  On Sat, 2 May 2015, Christos Zoulas wrote:
 RS>
 RS>  I got the following tip: it looks like the inetNetToMediaTable is the
 RS>  problem, so you could disable it as a workaround. add "-I
 RS>  -inetNetToMediaTable" to your snmpd command line.
 RS>
 RS>  The workaround helps.

 Glad that helped. I have a couple of ideas on a real fix. Anyone got a way
 to reproduce the issue that doesn't involve running a scan/attack on my
 local network?

 Robert

 -- 
 Senior Software Engineer @ Parsons


From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
Date: Tue, 5 May 2015 12:49:05 +0200 (CEST)

 On Mon, 4 May 2015, Robert Story wrote:

 > Glad that helped. I have a couple of ideas on a real fix. Anyone got a way
 > to reproduce the issue that doesn't involve running a scan/attack on my
 > local network?
 >
 > Robert

 Unfortunately, I don't know any other way.


 Uwe

State-Changed-From-To: open->analyzed
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Sun, 28 Jun 2015 15:05:53 +0000
State-Changed-Why:
Does anyone want to fix this?


>Unformatted:
