cbcvebase.
CVE-2007-1365
published 2007-03-10


Priority: P3 (57)
Severity: critical, CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.79% (96.8th percentile)
Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service.

Affected (2 ranges)

Vendor    Product    Version range    Fixed in
openbsd   openbsd
openbsd   openbsd

Detection & IOCs (extracted from sources)

  • other: Fragment ID: 0x0EADBABE
  • other: ICMPv6 Echo Request type=0x80, ID=0x33f6, sequence=0x0000
  • ip: ff02::1
  • ip: fe80::020f:29ff:fe44:686f
  • other: Ethernet type 0x86dd (IPv6) raw socket on eth0
  • bytes: \xcc\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc
  • bytes: \x90\x90\x90\x90\xE9\x3B\xFF\xFF\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB
  • bytes: \x8c\x23\x20\xd0
  • Detect exploit by matching fragmented IPv6 packets with fragment ID 0x0EADBABE targeting ICMPv6 (next header 0x3a) with a Hop-by-Hop extension header (next header 0x2c) in the first fragment, followed by a second fragment carrying an ICMPv6 echo request payload containing NOP sleds and shellcode.
  • Alert on ICMPv6 echo request packets (type 0x80) with identifier field 0x33f6 sent to the all-nodes multicast address ff02::1, which is the targeting pattern used by this exploit.
  • Detect the exploit's mbuf-filling phase: 100 rapid first-fragment IPv6 packets followed by valid ICMPv6 packets in a tight loop (sleep 0.01s), then 2 overflow (second-fragment) packets — look for this burst pattern from a single link-local source to ff02::1.
  • Look for IPv6 fragmented ICMPv6 packets where the first fragment contains a Hop-by-Hop extension header (0x2c) followed by a fragmentation header (0x3a next-header) and a 150-byte payload of repeated 'O' (0x4f) bytes — a distinctive padding pattern in this PoC.
  • The second (overflow) fragment carries an ICMPv6 payload of 212 bytes of NOP (0x90) sled followed by shellcode and the trampoline bytes 0x8c 0x23 0x20 0xd0 — detect this byte sequence in reassembled or fragmented ICMPv6 payloads.
  • The vulnerability is in kern/uipc_mbuf2.c; monitor for kernel panics or unexpected reboots on OpenBSD 3.9/4.0 hosts receiving fragmented IPv6 traffic, which may indicate exploitation or DoS.
  • The exploit uses PF_PACKET/SOCK_RAW and binds directly to eth0 at the Ethernet layer (ethertype 0x86dd), meaning it must be run from a host on the same Layer-2 segment as the target; this is a link-local attack vector only.
  • The trampoline address (0x8c2320d0, 'jmp ESI') is hardcoded for a specific /bsd kernel binary and must be re-located with 'objdump -d /bsd | grep esi | grep jmp' for other builds, limiting portability of the exploit as-is.
  • The number of overflow packets (range(2)) may need to be increased for reliability depending on mbuf state; the PoC comment explicitly notes this.