Stack overflow in ping(8)
Description
A stack-buffer overflow in FreeBSD ping(8)'s pr_pack() function allows a remote attacker to crash the ping process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-buffer overflow exists in the pr_pack() function of ping(8) on all supported versions of FreeBSD [1]. When processing ICMP responses, pr_pack() copies the received IP and ICMP headers into fixed-size stack buffers. It fails to account for the possible presence of IP option headers following the IP header in either the response or a quoted packet contained within an ICMP error message. An attacker can send a specially crafted ICMP packet containing IP options, causing the destination buffer to be overflowed by up to 40 bytes.
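The bounded-copy pattern that guards against this class of bug, as an added C example (not FreeBSD's ping source and not its actual fix): the ICMP header offset is taken from the validated IHL field, for both the outer packet and a quoted packet inside an ICMP error. All function names and the constructed sample-packet builder are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MIN_HLEN 20  /* IPv4 header without options */
#define ICMP_HLEN    8  /* type, code, checksum, 4 bytes rest-of-header */

/* Real length of the IPv4 header at p (options included), or 0 if the
 * header is malformed or truncated. IHL is 4 bits, so the maximum is 60. */
static size_t ip_hdr_len(const uint8_t *p, size_t len)
{
    if (len < IP_MIN_HLEN || (p[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    return (hlen < IP_MIN_HLEN || hlen > len) ? 0 : hlen;
}

/* Copy the ICMP header that follows the IP header at pkt. The source offset
 * comes from IHL; the copy length is the fixed size of the destination. */
int copy_icmp_hdr(const uint8_t *pkt, size_t len, uint8_t out[ICMP_HLEN])
{
    size_t hlen = ip_hdr_len(pkt, len);
    if (hlen == 0 || len - hlen < ICMP_HLEN)
        return -1;
    memcpy(out, pkt + hlen, ICMP_HLEN);
    return 0;
}

/* ICMP error: the quoted packet has its own IP header with its own IHL,
 * so it goes through the same validation as the outer one. */
int copy_quoted_icmp_hdr(const uint8_t *pkt, size_t len, uint8_t out[ICMP_HLEN])
{
    size_t outer = ip_hdr_len(pkt, len);
    if (outer == 0 || len - outer < ICMP_HLEN)
        return -1;
    return copy_icmp_hdr(pkt + outer + ICMP_HLEN, len - outer - ICMP_HLEN, out);
}

/* Constructed sample: IPv4 header of hlen bytes (options padded with NOP)
 * followed by an ICMP header of the given type. Returns bytes written. */
size_t make_pkt(uint8_t *buf, size_t hlen, uint8_t icmp_type)
{
    memset(buf, 0x01, hlen);                 /* 0x01 = IP option NOP */
    buf[0] = (uint8_t)(0x40 | (hlen / 4));   /* version 4, IHL */
    memset(buf + hlen, 0, ICMP_HLEN);
    buf[hlen] = icmp_type;
    return hlen + ICMP_HLEN;
}
```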
Exploitation
An attacker needs only the ability to send a crafted ICMP packet to the target host running ping(8). No authentication or prior access is required. The attacker sends an ICMP response (or an ICMP error containing a quoted packet) that includes IP option headers. When pr_pack() processes the packet, it copies the IP header (with options) and then the ICMP header into its stack buffers, overflowing the buffer due to the extra length of the options.
Impact
Successful exploitation causes the ping program to crash. The ping process runs in a capability mode sandbox on all affected versions of FreeBSD, severely constraining its interaction with the rest of the system. As a result, the attacker cannot escalate privileges or execute arbitrary code; the impact is limited to a denial of service against the ping process [1].
Mitigation
FreeBSD released updates on 2022-11-29 for stable/13 (13.1-STABLE), releng/13.1 (13.1-RELEASE-p5), stable/12 (12.4-STABLE), releng/12.4 (12.4-RC2-p2), and releng/12.3 (12.3-RELEASE-p10) [1]. Users must update their systems to these or later patched versions. No workarounds are listed; the advisory recommends updating as soon as possible.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] security.freebsd.org/advisories/FreeBSD-SA-22:15.ping.asc (mitre, vendor-advisory)