Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[GIS 2002021001] SkyStream EMR5000 DVB router DoS.

From: Global InterSec Research <lists () globalintersec com>
Date: Wed, 16 Oct 2002 19:31:44 +0100
Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID:        2002021001
Changed:                10/16/2002
Author:         research () globalintersec com
Reference:      http://www.globalintersec.com/adv/skystream-2002021001.txt

Summary:

  SkyStream's Edge Media Router-5000 (EMR5000) a DVB to
  multicast router suffers from a vulnerability in its modified Linux
  kernel.

Impact:

  A remote user may cause a denial of service attack against
  the device, causing it to crash (kernel panic).

Versions Tested:

  1.16
  1.17
  1.18

Description:

  The Linux based kernel, which the EMR5000 uses, has been modified
  to work with SkyStream's customized PCB. Modifications include
  proprietary DVB card drivers.

  A problem exists within the kernel code  which could cause a
  kernel panic, when the device is no longer able to process data
  being pushed into the ethernet ring buffers.

  Rather than dropping packets, or even temporarily disabling the
  interrupt address for the ethernet device, a null pointer exception
  will occur in the interrupt handler, leading to a kernel panic.

  Although the EMR5000 uses Intel's 82559ER ethernet controller, which
  is supported by the eepro100 driver (included in the 2.4.x tree),
  this condition could not be replicated on other systems, also with
  the 82559ER onboard and using the eepro100 drivers. This is almost
  certainly down to how SkyStream have implemented DMA, in order to
  work with their PCB configuration and is therefore a problem which
  is inherent to the EMR5000 and not necessarily other systems using
  the eepro100 kernel modules.


Scope for attack:

  Because this bug is directly connected to the EMR5000's network
  interface, the above bug may be exploited remotely. It may also
  be triggered fairly anonymously, with the use of spoofed SYN
  packets for example.

  In our early tests, the EMR5000 did not reboot on a kernel panic
  and required a manual (cold) reboot. The most recent boot version
  did handle the condition and reboot cleanly.


Work around:

  Firewall all inbound traffic to the EMR5000, other than IGMP(2).
  This is not a bullet proof work-around as the bug may also be
  exploited through the use of IGMP.

Credit:

  The vulnerabilities disclosed in this advisory were discovered
  during routine penetration tests. They were further researched
  at Global InterSec's facility.

  The research division can be reached at research () globalintersec com

Vendor Status:

  Ellie Abdollahi ("Director of Software") of SkyStream INC was
  notified of this problem on July 26, 2002. SkyStream has denied
  responsibility for this problem, given their use of the Intel
  ethernet controller and the eepro100 kernel module.

  Subsequently, no fix has been provided. SkyStream was given GIS's
  statutory 60 day advanced warning of this problem, along with a
  copy of this advisory before its publication.


Proof of concept/Exploit:

  The following was the result of high volumes of IGMPv2 requests being
  sent to the ethernet interface.

  SkyStream Networks
  Edge Media Router
  Please login as 'emradmin' for Command-Line Interface
  emr5000 login: Oops: Exception in kernel mode, sig: 4
NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700 MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11 
  TASK = c01d6030[0] 'swapper' Last syscall: 120
  last math 00000000 last altivec 00000000
GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000 00000000 GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04 00000000 GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000 C01D82C8 GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000 C45976E0 Call backtrace: 
  C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
  C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
  C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
  C0004294 C00042BC C01ED8A0 C00023C4
  Kernel panic: Aiee, killing interrupt handler!
  In interrupt handler - not syncing
  Rebooting in 180 seconds..


Legal:

  This advisory is the intellectual property of Global InterSec LLC
  but may be freely distributed with the conditions that:

        a) No fee is charged.
        b) Appropriate credit is given.
        c) Distribution of the advisory does not break NDA' s issued by GIS.

(c) Global InterSec LLC 2002
Previous By Date Next
Previous By Thread Next

Current thread: