

IPv6 Attack Kills Mac OS X and makes Windows Server 2012 restart in Seconds - treepunch
http://samsclass.info/ipv6/proj/RA_flood2.htm#1

======
ghshephard
Disclosure to Apple - Apple notified 12-11-12.

I often wonder why disclosures of these types of exploits are now "same day"
instead of "Let vendor know you will be reporting this to public in a week."

I wonder if it is out of concern they will be pressured to keep quiet?

There is a good practical reason for not providing advance disclosure at a major
conference, particularly if you're subject to some kind of NDA, because, more
often than not, the security researcher faces the risk of legal action and
being shut down.

That pattern, though, "We are going to announce a security hole in major
vendor product" followed by, "Shut down by legal action" - happens so
frequently that I often wonder whether that's actually part of some larger
pattern of entrepreneurial behavior that's opaque to me, it happens so
frequently. Maybe it enhances your reputation? Gets you in the news?

I'm all for full disclosure, but, it might be nice to give the vendor a week
to have a patch that can roll out at the same time as you let the world know
what you found.

~~~
splicer
When I discovered a vulnerability in Mac OS X that would allow an unprivileged
user to keylog every user on the system (CVE-2007-0724), I let Apple know,
then kept quiet until they fixed the issue. It took them 11 and a half months
to fix. They thanked me in the security update note, and I now have a CVE on my
resume. Was silence the most morally correct action? To this day, I am still
unsure.

~~~
rwg
I've never thought to put CVE-IDs I'm credited for reporting on my resume. Is
that...a thing? Do tech employers (outside of security consultancies) even
know what a CVE-ID is?

~~~
ghshephard
What else should a person put on their resume (beyond job experience) when
applying for security roles? Patents? Education? Open Source Projects? I would
think that CVE-IDs would certainly lend color, and probably credibility to the
resume of someone applying for a security position, particularly if the CVE-ID
(which has some amount of peer review) was associated with something
interesting or relevant to the position being applied for.

------
sigjuice
In case someone is curious about the code, visit
[http://opensource.apple.com/source/xnu/xnu-2050.18.24/bsd/ne...](http://opensource.apple.com/source/xnu/xnu-2050.18.24/bsd/netinet6/nd6_rtr.c)
and look for nd6_ra_input()

~~~
X-Istence
Reading that code I finally realise why Mac OS X doesn't correctly handle
option 24 (alternate routes).

------
pixl97
Reminds me of the '90s when WinNuke and Smurf attacks ran wild. Remember one
attack that caused our Linux boxes to panic, but I can't remember what it was
called. It's not surprising that we're seeing stuff like this in v6. IPv4 has
had the bugs hammered out from years of attacks, v6 not so much.

~~~
metalruler
Land? A single spoofed TCP SYN packet with identical src/dst addresses was
enough to crash or at least impact many OSs.

[http://www.physnet.uni-hamburg.de/physnet/security/vulnerabi...](http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/land.html)

------
p1mrx
Since this attack is based on Router Advertisements, you need to be on the
same LAN to exploit it. It also does not apply if the LAN implements RA Guard
(RFC6105).
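
As an added illustration of the defensive point above (not code from the linked page or from any RA Guard implementation), this toy script models two controls a switch or monitoring host could apply to Router Advertisements: an RA Guard-style rule that only accepts RAs from a trusted uplink port, and a rate/prefix check that flags the kind of RA flood the thread discusses. The trusted port name, MAC addresses and rate limit are assumptions; the event list is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class RaEvent:
    ts: float       # arrival time in seconds (constructed)
    port: str       # switch ingress port the RA arrived on (assumed naming)
    src_mac: str    # link-layer source of the RA
    prefix: str     # prefix advertised in the RA's Prefix Information option

TRUSTED_PORTS = {"gi0/1"}   # assumption: the only port facing the real router
RA_RATE_LIMIT = 20          # assumption: RAs per second per port before we call it a flood

def ra_guard(events):
    """RA Guard-style filtering: keep RAs from trusted ports, drop the rest.
    Returns (allowed, dropped)."""
    allowed, dropped = [], []
    for ev in events:
        (allowed if ev.port in TRUSTED_PORTS else dropped).append(ev)
    return allowed, dropped

def detect_ra_flood(events, rate_limit=RA_RATE_LIMIT):
    """Flag ports that exceed rate_limit RAs in any one-second window and
    report how many distinct prefixes each port advertised (a flood of
    random prefixes is the signature of an RA flood, not a misconfigured router).
    Returns (set_of_flooding_ports, {port: distinct_prefix_count})."""
    per_port_second = defaultdict(int)
    prefixes = defaultdict(set)
    for ev in events:
        per_port_second[(ev.port, int(ev.ts))] += 1
        prefixes[ev.port].add(ev.prefix)
    flooding = {port for (port, _sec), n in per_port_second.items() if n > rate_limit}
    return flooding, {p: len(s) for p, s in prefixes.items()}

def sample_events():
    """Constructed data: one legitimate RA on the uplink, then a burst of 100 RAs
    with distinct prefixes arriving on an access port within one second."""
    evs = [RaEvent(0.0, "gi0/1", "00:11:22:33:44:55", "2001:db8:1::/64")]
    for i in range(100):
        evs.append(RaEvent(0.5 + i * 0.004, "gi0/7", "de:ad:be:ef:00:01", f"2001:db8:{i:x}::/64"))
    return evs

if __name__ == "__main__":
    allowed, dropped = ra_guard(sample_events())
    print(f"RA Guard: {len(allowed)} allowed, {len(dropped)} dropped")
    print("Flood detector:", detect_ra_flood(sample_events()))
```

Real RA Guard runs on the switch and looks at the actual ICMPv6 type field; the draft linked in the reply below this post discusses ways such filtering can be bypassed with extension headers and fragmentation, which is why the rate check is a useful second layer.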

~~~
psionski
[http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-0...](http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt), but maybe you're right about the LAN part.

------
btgeekboy
In the video, he tested OS X, Windows XP, and Server 2012. OS X beachballed,
XP went to 100% CPU, and Server 2012 panicked and rebooted. All three failed;
this isn't just an Apple issue. Was Microsoft notified as well?

~~~
newhouseb
In my experience (and as this article suggests), Microsoft operating systems
have always been really vulnerable to flooding, even over IPv4. Malformed UDP
packets to port 53 (DNS) at about 20-30k packets/sec would instantly lock up a
Windows box and prevent it from successfully rebooting. This was one of the
preferred methods for the wargames that were played for bandwidth over the
shared housing network for Microsoft Research interns in China a few years
back.

------
joejohnson
I don't really understand this stuff, but I think this is an already-known
vulnerability. It was discovered at least as early as May 2011:
<http://samsclass.info/ipv6/proj/flood-router6a.htm>

------
JBiserkov
The title is incorrect.

"... this one crashes the Mac, and it makes [Windows] Server 2012 restart."

~~~
treepunch
Fixed.

------
perlgeek
I cannot help but think: ping6 of death!

~~~
crazypyro
New technology, same style.

------
lifeguard
Ha ha! v6 of the teardrop attack (not really).

[http://en.wikipedia.org/wiki/Denial-of-service_attack#Teardr...](http://en.wikipedia.org/wiki/Denial-of-service_attack#Teardrop_attacks)

------
sigjuice
It would be interesting to know if iOS is affected as well.

~~~
myko
According to the page it works on iPads:

<http://samsclass.info/ipv6/proj/RA_flood2.htm#10>

