Dailydave mailing list archives
Remote kernel bug in SCTP?
From: dave <dave () immunityinc com>
Date: Fri, 13 Mar 2009 13:53:32 -0400
Did everyone else already know about this bug? So you connect to an SCTP endpoint, then send a packet to overwrite arbitrary kernel data? That'd be cool.

This is where Phillipe tells us about his scanner from 2002. :>

-dave

https://bugzilla.redhat.com/show_bug.cgi?id=478800

"""
linux-2.6:include/net/sctp/structs.h:

514 /* Skip over this ssn and all below. */
515 static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
516                                  __u16 ssn)
517 {
518         stream->ssn[id] = ssn+1; <---ouch?

Comment #10 From Eugene Teo 2009-01-07 22:22:58 EDT -------

(In reply to comment #9)
> Is it possible to exploit this vulnerability by sending a malformed SCTP packet
> to a machine that's not actively using SCTP?

No. It is only possible if there is an association between SCTP endpoints.

Thanks, Eugene
"""
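
A user-space sketch of the check missing from the function quoted above, added here as an example and not taken from the kernel or the bug report: the peer-supplied stream id is compared against the table size before ssn[id] is written. The names stream_table, skip_entry, ssn_skip_checked and apply_skips are hypothetical, and the input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* User-space model of a per-association stream table (names are assumptions). */
struct stream_table {
    uint16_t len;  /* number of streams the table was allocated for */
    uint16_t *ssn; /* one sequence number slot per stream */
};

/* One (stream id, ssn) pair as parsed from a peer's packet (hypothetical). */
struct skip_entry { uint16_t id; uint16_t ssn; };

int stream_table_init(struct stream_table *t, uint16_t len)
{
    t->ssn = calloc(len, sizeof(*t->ssn));
    t->len = t->ssn ? len : 0;
    return t->ssn ? 0 : -1;
}

/* Same store as the quoted sctp_ssn_skip(), but id is range-checked first. */
int ssn_skip_checked(struct stream_table *t, uint16_t id, uint16_t ssn)
{
    if (id >= t->len)
        return -1; /* id came from the network: never index with it unchecked */
    t->ssn[id] = (uint16_t)(ssn + 1);
    return 0;
}

/* Validate every entry before applying any, so a bad packet changes nothing. */
int apply_skips(struct stream_table *t, const struct skip_entry *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (e[i].id >= t->len)
            return -1;
    for (size_t i = 0; i < n; i++)
        ssn_skip_checked(t, e[i].id, e[i].ssn);
    return 0;
}

int main(void)
{
    struct stream_table t;
    const struct skip_entry bad[] = { {0, 5}, {4, 1} }; /* constructed; id 4 is out of range */
    if (stream_table_init(&t, 4) != 0)
        return 1;
    printf("bad packet -> %d, ssn[0] = %u\n", apply_skips(&t, bad, 2), t.ssn[0]);
    free(t.ssn);
    return 0;
}
```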