Nmap IPv6 Extension Header Length Wrap
Hop-by-Hop ext len=1 on 48-byte capture advances payload offset past buffer — wrapped payload_len 4294967288 in harness.
Summary
A Hop-by-Hop Options header whose Hdr Ext Len field is 1 declares 16 bytes (RFC 8200 counts that field in 8-octet units, not including the first 8). Parsed against a 48-byte capture, the 40-byte IPv6 header plus those 16 bytes puts the payload offset at 56, past the end of the buffer; subtracting that offset from the capture length then wraps to a payload_len of 4294967288 (0xFFFFFFF8, i.e. 48 - 56 as an unsigned 32-bit value) in the harness. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Nmap libnetutil/netutil.cc (ongoing research) |
| Primitive | Unsigned wrap in payload length after over-advancing pointer |
| Impact | A malformed packet is reported as carrying a roughly 4 GiB UDP payload; downstream scan logic that trusts that length risks corruption. |
Attack Chain
Craft an IPv6 packet with a Hop-by-Hop extension header (Hdr Ext Len = 1, i.e. 16 bytes declared, fewer present) → parser advances the payload offset to 56 on a 48-byte capture → capture length minus offset wraps to 4294967288 → validator adjusts to 64
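To make the arithmetic above concrete, the following is an added example written for this page; it is not the Exploitarium PoC and not Nmap's libnetutil code. It walks an IPv6 extension-header chain twice: once with a walker that checks only that the 2-byte extension header is readable and then advances by the declared length unchecked (the bug class the page describes), and once with a walker that checks every advance against the captured bytes. The 48-byte packet, the `walk_unchecked`/`walk_checked` names and the `ext_walk` structure are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN    40
#define IPPROTO_HOPOPTS 0
#define IPPROTO_UDP     17

/* Outcome of walking the extension-header chain (constructed for this example). */
struct ext_walk {
    uint8_t  final_proto;  /* next-header value of the first non-extension header */
    uint32_t payload_off;  /* byte offset at which that header is assumed to start */
    uint32_t payload_len;  /* bytes remaining after payload_off, as computed */
    int      ok;           /* 1 if the walk stayed inside the captured bytes */
};

/* Hop-by-Hop (0), Routing (43), Destination Options (60) share the
 * (next header, Hdr Ext Len) layout; Fragment and AH are left out for brevity. */
static int is_ext_header(uint8_t nh) {
    return nh == IPPROTO_HOPOPTS || nh == 43 || nh == 60;
}

/* Constructed 48-byte capture (not from the PoC): a 40-byte IPv6 header followed
 * by a Hop-by-Hop header that is 8 bytes long on the wire but declares 16. */
static const uint8_t SAMPLE[48] = {
    0x60, 0x00, 0x00, 0x00,            /* version 6, traffic class 0, flow label 0 */
    0x00, 0x08,                        /* payload length 8: the HBH bytes actually present */
    IPPROTO_HOPOPTS,                   /* next header: Hop-by-Hop Options */
    0x40,                              /* hop limit 64 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,   /* source ::1 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,   /* destination ::1 */
    IPPROTO_UDP,                       /* HBH next header: UDP */
    0x01,                              /* Hdr Ext Len 1 = (1+1)*8 = 16 bytes claimed */
    0x01, 0x04, 0, 0, 0, 0             /* PadN option with 4 bytes of padding */
};

/* RFC 8200: Hdr Ext Len is in 8-octet units and excludes the first 8 octets. */
static uint32_t ext_total_len(uint8_t hdr_ext_len) {
    return ((uint32_t)hdr_ext_len + 1u) * 8u;
}

/* Flawed walker illustrating the bug class: the 2-byte extension header is
 * checked to be readable, but the declared length is never checked before
 * the offset is advanced and the remaining length computed. */
struct ext_walk walk_unchecked(const uint8_t *pkt, uint32_t caplen) {
    struct ext_walk r = {0};
    uint8_t  nh  = pkt[6];
    uint32_t off = IPV6_HDR_LEN;
    while (is_ext_header(nh) && off + 2 <= caplen) {
        uint8_t ext_nh = pkt[off];
        off += ext_total_len(pkt[off + 1]);  /* may land past the end of the capture */
        nh = ext_nh;
    }
    r.final_proto = nh;
    r.payload_off = off;
    r.payload_len = caplen - off;  /* unsigned: 48 - 56 wraps to 4294967288 */
    r.ok = 1;                      /* the walker has no idea anything went wrong */
    return r;
}

/* Hardened walker: every advance is checked against the bytes available before
 * it is taken, and the IPv6 Payload Length field is a second ceiling so a
 * lying Hdr Ext Len cannot claim bytes the IPv6 header never promised. */
struct ext_walk walk_checked(const uint8_t *pkt, uint32_t caplen) {
    struct ext_walk r = {0};
    if (caplen < IPV6_HDR_LEN) return r;
    uint32_t limit = IPV6_HDR_LEN + (((uint32_t)pkt[4] << 8) | pkt[5]);
    if (limit > caplen) limit = caplen;    /* never trust plen beyond what was captured */
    uint8_t  nh  = pkt[6];
    uint32_t off = IPV6_HDR_LEN;
    while (is_ext_header(nh)) {
        if (limit - off < 2) return r;     /* cannot read next header + Hdr Ext Len */
        uint32_t total = ext_total_len(pkt[off + 1]);
        if (total > limit - off) return r; /* declared length overruns the buffer: reject */
        nh  = pkt[off];
        off += total;
    }
    r.final_proto = nh;
    r.payload_off = off;
    r.payload_len = limit - off;  /* cannot wrap: off <= limit holds on every iteration */
    r.ok = 1;
    return r;
}

/* Control case built from SAMPLE: the HBH header really is 16 bytes and is
 * followed by an 8-byte zeroed placeholder for a UDP header (64 bytes total). */
int checked_accepts_wellformed(void) {
    uint8_t pkt[64];
    memset(pkt, 0, sizeof pkt);
    memcpy(pkt, SAMPLE, sizeof SAMPLE);
    pkt[5]  = 24;   /* payload length: 16 (HBH) + 8 (UDP header) */
    pkt[48] = 0x01; /* second PadN option, 6 bytes of padding, fills HBH out to 16 */
    pkt[49] = 0x06;
    struct ext_walk r = walk_checked(pkt, sizeof pkt);
    return r.ok && r.final_proto == IPPROTO_UDP && r.payload_off == 56 && r.payload_len == 8;
}

int main(void) {
    struct ext_walk u = walk_unchecked(SAMPLE, sizeof SAMPLE);
    struct ext_walk c = walk_checked(SAMPLE, sizeof SAMPLE);
    printf("unchecked: proto=%u off=%u payload_len=%u\n",
           (unsigned)u.final_proto, (unsigned)u.payload_off, (unsigned)u.payload_len);
    printf("checked:   ok=%d (malformed capture rejected)\n", c.ok);
    printf("checked on well-formed 64-byte packet: %d\n", checked_accepts_wellformed());
    return 0;
}
```

The point of the hardened version is the order of operations: the comparison `total > limit - off` happens before `off` moves, so `limit - off` is never evaluated with `off` past `limit` and the subtraction cannot wrap. Checking against the IPv6 Payload Length as well as the capture length also catches the case where a truncated capture happens to be longer than the declared payload.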
Mitigation
Treat this as research-grade rather than a confirmed, exploitable vulnerability; track Nmap updates to libnetutil and validate fixed builds before relying on them; where the IDS supports it, drop or flag IPv6 packets whose extension-header lengths exceed the captured or declared payload length.