Remote operated Root-vulnerability in Ping utility supplied to FreeBSD

in FreeBSD identified vulnerability (CVE-2022-23093) In the Ping utility included in the basic supply. The problem can potentially lead to remote execution of the ROOT code when checking by Ping an external host, controlled by the attacker. correction proposed in the updates of FreeBSD 13.1-release-p5, 12.4-RC2-P2 and 12.3 -Release-p10. Whether other BSD systems are subject to the problem revealed is not yet clear (reports on vulnerability in netBSD , dragonflybsd and openbsd has not yet appeared).

Vulnerability is caused by the overwhelming of the buffer in the analysis code of ICMP messages that come in response to the verification request. The ICMP messenger reception code in Ping uses RAW skat and is performed with increased privileges (the utility is supplied with the Setuid Root flag).
The response is processed on the Ping side through the reconstruction of IP and ICMP packages obtained from the RAW second. The allocated IP and ICMP-headings are copied by the PR_PACK () function to the buffers, but not taking into account the fact that additional expanded headlines may be present in the package after the IP header.

Such headings are distinguished from the package and are included in the heading block, but are not taken into account when calculating the size of the buffer. If the host, in response to the ICMP request, will return the package with additional headlines, their contents will be recorded in the area abroad of the buffer in the stack. As a result, the attacker can rewrite up to 40 bytes of data in the stack, which potentially allows you to achieve his code.

/Media reports cited above.