Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Heap Overflow in OpenBSD's slaacd via Router Advertisement

Quarkslab, posted 4 years ago
  • slaacd is OpenBSD's StateLess Address AutoConfiguration (SLAAC) daemon. In the IPv6 stack, the Neighbor Discovery (ND) protocol is how hosts learn about on-link neighbors, default gateways, prefixes and other network configuration. One ND message type is the Router Advertisement (RA), and this bug lives in slaacd's handling of RA packets.
  • Among the many RA options is the DNS Search List (DNSSL) option, which carries one or more domain names to use as DNS suffixes. Each name is encoded DNS-style as a sequence of labels, and every label is preceded by a length byte.
  • While parsing this data, the length byte is treated as a signed value rather than an unsigned one. A crafted length with the most significant bit set (0x80 or above) is therefore read as a negative number instead of a large positive one.
  • That breaks the parser's sanity check, which only verifies that a single label does not exceed 63 bytes (the DNS limit). A negative length passes a "greater than 63" comparison, so execution continues to a memcpy that uses the attacker-supplied length.
  • When that length reaches memcpy, the negative signed value is implicitly converted to an unsigned size_t and becomes an enormous count, so memcpy writes far past the destination buffer and corrupts the heap. Because the copy is a wildcopy whose size the attacker cannot keep within useful bounds, it will most likely just crash the daemon, so the bug is unlikely to be exploitable.
  • Regardless of exploitability, the author wrote a Python script using Scapy, a library for forging, sending, sniffing and dissecting network packets, to craft the malicious RA. Having control over the raw packet fields at that level of the stack was enough to trigger the bug and crash slaacd.
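The length-byte bug class described in the notes above, modelled in C as an added example. This is not slaacd's or Quarkslab's code: the option layouts are constructed, the field names are mine, and the exact types slaacd used are not quoted on the page, so the vulnerable variant assumes the length byte landed in an int8_t-sized signed type. Rather than actually performing the runaway memcpy, the vulnerable parser reports the size it would have handed to memcpy so the failure can be observed without crashing.

```c
/* Added example: a DNSSL-style label parser in its vulnerable and fixed
 * shapes. Not slaacd's code; the signed length type is an assumption used
 * to model the bug class described in the blog post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_LABEL_LEN 63      /* RFC 1035: a label is at most 63 octets */
#define NAME_BUF_SIZE 256     /* caller-provided output buffer */

enum parse_result {
    PARSE_OK = 0,
    PARSE_BAD_LABEL = -1,       /* label length > 63 */
    PARSE_TRUNCATED = -2,       /* label runs past the end of option data */
    PARSE_NO_ROOM = -3,         /* output buffer too small */
    PARSE_WOULD_OVERFLOW = -4   /* vulnerable path: memcpy size exceeds the buffer */
};

/* Constructed sample option payloads (not captured traffic). */
static const uint8_t SAMPLE_BENIGN[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t SAMPLE_EVIL[]   = { 0x80, 'A','A','A','A', 0 }; /* 128 unsigned, -128 signed */
static const uint8_t SAMPLE_TOOLONG[] = { 64 };                      /* one over the DNS limit */

/* Vulnerable shape. The length octet lands in a signed type, so 0x80..0xFF
 * read as negative, the "> 63" check passes, and the conversion to size_t
 * for the copy yields a huge count. Instead of doing the wild memcpy, the
 * size it would have used is returned through *would_copy. */
static int parse_name_signed(const uint8_t *opt, size_t optlen,
                             char *out, size_t outlen, size_t *would_copy)
{
    size_t i = 0, o = 0;
    *would_copy = 0;
    while (i < optlen) {
        int8_t len = (int8_t)opt[i++];           /* BUG: signed length (0x80 -> -128) */
        if (len == 0) {                          /* root label ends the name */
            if (o >= outlen) return PARSE_NO_ROOM;
            out[o] = '\0';
            return PARSE_OK;
        }
        if (len > MAX_LABEL_LEN)                 /* negative values sail through here */
            return PARSE_BAD_LABEL;
        size_t n = (size_t)len;                  /* -128 becomes SIZE_MAX - 127 */
        if (n >= outlen - o) {                   /* stand-in for the real memcpy */
            *would_copy = n;
            return PARSE_WOULD_OVERFLOW;
        }
        if (n > optlen - i) return PARSE_TRUNCATED;
        memcpy(out + o, opt + i, n);
        i += n; o += n;
        out[o++] = '.';
    }
    return PARSE_TRUNCATED;                      /* no terminating zero label */
}

/* Fixed shape: the length is unsigned, so 0x80 is 128 and is rejected by the
 * 63-octet check; remaining input and output space are checked before copying. */
static int parse_name_fixed(const uint8_t *opt, size_t optlen,
                            char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (i < optlen) {
        uint8_t len = opt[i++];                  /* FIX: unsigned, 0..255 */
        if (len == 0) {
            if (o >= outlen) return PARSE_NO_ROOM;
            out[o] = '\0';
            return PARSE_OK;
        }
        if (len > MAX_LABEL_LEN) return PARSE_BAD_LABEL;
        if (len > optlen - i) return PARSE_TRUNCATED;
        if ((size_t)len >= outlen - o) return PARSE_NO_ROOM;
        memcpy(out + o, opt + i, len);
        i += len; o += len;
        out[o++] = '.';
    }
    return PARSE_TRUNCATED;
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    size_t would_copy;
    int r = parse_name_signed(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, name, sizeof name, &would_copy);
    printf("signed/benign: %d -> %s\n", r, name);
    r = parse_name_signed(SAMPLE_EVIL, sizeof SAMPLE_EVIL, name, sizeof name, &would_copy);
    printf("signed/evil:   %d, memcpy would receive %zu bytes\n", r, would_copy);
    r = parse_name_fixed(SAMPLE_EVIL, sizeof SAMPLE_EVIL, name, sizeof name);
    printf("fixed/evil:    %d (rejected by the 63-octet check)\n", r);
    return 0;
}
```

The benign name parses identically in both variants. The 0x80 length is where they diverge: the signed parser accepts it as -128, converts it to a size_t of SIZE_MAX - 127 on the way to the copy, and would have overflowed the heap buffer, while the fixed parser sees 128, which fails the 63-octet check before any copy is attempted. A 64-byte label is rejected by both, which is why a "> 63" check alone looked sufficient until a sign bit entered the picture.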