Dailydave mailing list archives

Remote kernel bug in SCTP?


From: dave <dave () immunityinc com>
Date: Fri, 13 Mar 2009 13:53:32 -0400

Did everyone else already know about this bug? So you connect to an SCTP
endpoint, then send a packet to overwrite arbitrary kernel data? That'd
be cool.

This is where Phillipe tells us about his scanner from 2002. :>

- -dave

https://bugzilla.redhat.com/show_bug.cgi?id=478800
"""
linux-2.6:include/net/sctp/structs.h:
 514 /* Skip over this ssn and all below. */
 515 static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
 516                                  __u16 ssn)
 517 {
 518         stream->ssn[id] = ssn+1;  <---ouch?

Comment #10 From  Eugene Teo  2009-01-07 22:22:58 EDT  -------

(In reply to comment #9)
Is it possible to exploit this vulnerability by sending a malformed SCTP packet to a machine that's not actively using SCTP?

No. It is only possible if there is an association between SCTP endpoints.

Thanks, Eugene
"""
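As an added example (not part of the message, the bug report or the kernel source): the quoted helper placed beside a bounds-checked version, using a constructed stand-in for `struct sctp_stream` that carries the array length in a field named `len` (an assumption; the page shows only the `ssn` array) and a constructed list of peer-supplied skips, two of which name streams the association does not have.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel struct: per-stream sequence numbers
 * plus how many entries were allocated (field name `len` is assumed). */
struct sctp_stream {
    uint16_t *ssn;
    unsigned int len;
};

/* Mirrors the helper quoted from structs.h: `id` is used as an index
 * without being compared against the array length. */
static inline void sctp_ssn_skip(struct sctp_stream *stream, uint16_t id,
                                 uint16_t ssn)
{
    stream->ssn[id] = ssn + 1;
}

/* Hardened variant: refuse any stream id at or beyond the allocated
 * length before indexing. Returns false when the id is rejected. */
static inline bool sctp_ssn_skip_checked(struct sctp_stream *stream,
                                         uint16_t id, uint16_t ssn)
{
    if (id >= stream->len)
        return false;
    stream->ssn[id] = ssn + 1;
    return true;
}

struct skip_entry { uint16_t sid; uint16_t ssn; };

/* Process a batch of (stream id, ssn) skips the way a chunk from the
 * peer would be walked, with the checked helper; returns the count of
 * entries dropped for naming a stream outside the association. */
int apply_skips(struct sctp_stream *stream, const struct skip_entry *skips,
                size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!sctp_ssn_skip_checked(stream, skips[i].sid, skips[i].ssn))
            rejected++;
    return rejected;
}

/* Constructed scenario: a 4-stream association receives four skips; the
 * ids 4 and 65535 lie past the array and must be dropped. Accepted ssn
 * values are copied into out[4]; the number of rejected skips is returned. */
int run_demo(uint16_t out[4])
{
    uint16_t ssns[4] = {0, 0, 0, 0};
    struct sctp_stream s = { ssns, 4 };
    const struct skip_entry skips[] = { {1, 10}, {3, 5}, {4, 7}, {65535, 1} };
    int rejected = apply_skips(&s, skips, 4);
    for (int i = 0; i < 4; i++)
        out[i] = ssns[i];
    return rejected;
}

int main(void)
{
    uint16_t out[4];
    int rejected = run_demo(out);
    printf("rejected %d of 4 skips; ssn[1]=%u ssn[3]=%u\n",
           rejected, out[1], out[3]);
    return 0;
}
```

The unchecked `sctp_ssn_skip` is kept only for contrast with the quoted line; `run_demo` exercises the checked path.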