CVE-2007-1365
Published 2007-03-10
Priority: P357 (critical) · CVSS 2.0 base score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 17.79% (96.8th percentile)
Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
Detection & IOCs (extracted from sources)

- bytes: `\xcc\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc`
- bytes: `\x90\x90\x90\x90\xE9\x3B\xFF\xFF\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB`
- bytes: `\x8c\x23\x20\xd0`
- Detect exploit by matching fragmented IPv6 packets with fragment ID 0x0EADBABE targeting ICMPv6 (next header 0x3a) with a Hop-by-Hop extension header (next header 0x2c) in the first fragment, followed by a second fragment carrying an ICMPv6 echo request payload containing NOP sleds and shellcode.
- Alert on ICMPv6 echo request packets (type 0x80) with identifier field 0x33f6 sent to the all-nodes multicast address ff02::1, which is the targeting pattern used by this exploit.
- Detect the exploit's mbuf-filling phase: 100 rapid first-fragment IPv6 packets followed by valid ICMPv6 packets in a tight loop (sleep 0.01s), then 2 overflow (second-fragment) packets — look for this burst pattern from a single link-local source to ff02::1.
- Look for IPv6 fragmented ICMPv6 packets where the first fragment contains a Hop-by-Hop extension header whose next-header field is 0x2c (Fragment), followed by a Fragment header whose next-header field is 0x3a (ICMPv6), and a 150-byte payload of repeated 'O' (0x4f) bytes — a distinctive padding pattern in this PoC.
- The second (overflow) fragment carries an ICMPv6 payload of 212 bytes of NOP (0x90) sled followed by shellcode and the trampoline bytes 0x8c 0x23 0x20 0xd0 — detect this byte sequence in reassembled or fragmented ICMPv6 payloads.
- The vulnerability is in kern/uipc_mbuf2.c; monitor for kernel panics or unexpected reboots on OpenBSD 3.9/4.0 hosts receiving fragmented IPv6 traffic, which may indicate exploitation or DoS.
- The exploit uses PF_PACKET/SOCK_RAW and binds directly to eth0 at the Ethernet layer (ethertype 0x86dd), meaning it must be run from a host on the same Layer-2 segment as the target — this is a link-local attack vector only.
- The trampoline address (0x8c2320d0 — 'jmp ESI') is hardcoded for a specific /bsd kernel binary and must be re-located with 'objdump -d /bsd | grep esi | grep jmp' for other builds, limiting portability of the exploit as-is.
- The number of overflow packets (range(2)) may need to be increased for reliability depending on mbuf state; the PoC comment explicitly notes this.
No detection rules found.
No writeups or analysis indexed.
References

- http://marc.info/?l=openbsd-cvs&m=117252151023868&w=2
- http://secunia.com/advisories/24490
- http://securitytracker.com/id?1017735
- http://www.coresecurity.com/?action=item&id=1703
- http://www.kb.cert.org/vuls/id/986425
- http://www.openbsd.org/errata39.html#m_dup1
- http://www.openbsd.org/errata40.html#m_dup1
- http://www.osvdb.org/33050
- http://www.securityfocus.com/bid/22901
- http://www.securitytracker.com/id?1017744