nanog mailing list archives

Re: one shot remote root for linux?


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 28 Apr 2009 21:33:06 -0400

On Tue, Apr 28, 2009 at 6:31 PM, andrew.wallace
<andrew.wallace () rocketmail com> wrote:
Why are you aligning yourself with a computer hacker? I thought you
were trying to stop these guys releasing exploits in your line of
work?

it didn't look like he did (to me)

On Tue, Apr 28, 2009 at 3:10 PM, Gadi Evron <ge () linuxbox org> wrote:
This is one of them mysterious and rare cases where a non router OS
vulnerability may affect network operations.


hrm, in reality a bunch of non-router vulnerabilities affect (to some
extent anyway) network operations.

Sometimes news finds us in mysterious yet obvious ways.

HD Moore (respected security researcher) set a status which I noticed on my
twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel
root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real:
"looks like that
but requires a sctp app to be running"

one good thing, practically no sctp deployment... and, hopefully for
networking equipment there's already local firewall/acl capability
deployed.

That said there are a few 'network devices' which are linux based (not
just Vyatta! :) )

o Cisco Guards
o Arbor Peakflow (at least the X version)
o some route-optimization systems
o dns/mail/ntp/blah widgets

It's nice to get some notice of this, it's also nice it got fixed in
later kernels (who knows what kernel Peakflow-X has deployed or what
custom mods happen to it?)

Quickly searching <favorite search engine> shows quite a few
SCTP/Linux problems reported over at least the last 2.5 years. The one
mentioned here seems to be: CVE-2009-0065 reported Jan 5th 2009, only
redhat reports back a fix so far (according to mitre).

Putting on my Paul Quinn/Roland Dobbins/Darrel Lewis hat - another
good argument for infrastructure acls!! :)
-chris
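Added example (not part of the thread, not Chris's or anyone's posted code): a small triage script for the two defensive points raised above, "does this Linux box even have SCTP loaded/listening" and "put a local firewall/ACL in front of it". It reads the /proc/modules and /proc/net/sctp/eps listings (the eps column layout with LPORT in column 6 is an assumption about the kernel's proc format; the file paths and the 10.0.0.0/24 management prefix in the usage are constructed). Nothing is applied to the running firewall; the rules are only printed.

```shell
#!/bin/sh
# sctp_triage.sh: added example, not code from the NANOG thread.
# 1. Is the sctp kernel module loaded (or built in)?
# 2. Which local SCTP ports are bound?
# 3. Print host-firewall rules that drop SCTP except from a management prefix.

# Returns 0 when sctp is loaded. $1 = /proc/modules-style file, $2 = the
# /proc/net/sctp directory (present even when sctp is built into the kernel).
sctp_loaded() {
    modules="${1:-/proc/modules}"
    procdir="${2:-/proc/net/sctp}"
    [ -d "$procdir" ] && return 0
    grep -q '^sctp[[:space:]]' "$modules" 2>/dev/null
}

# Prints one bound local port per line from a /proc/net/sctp/eps-style listing.
# Assumed layout: header line, then columns ENDPT SOCK STY SST HBKT LPORT ...,
# so LPORT is field 6. Prints nothing when the file is absent (no SCTP at all).
sctp_listen_ports() {
    eps="${1:-/proc/net/sctp/eps}"
    [ -r "$eps" ] || return 0
    awk 'NR > 1 && NF >= 6 { print $6 }' "$eps"
}

# Prints iptables rules: accept SCTP to the given ports only from $1 (a
# management prefix), drop all other inbound SCTP. $2.. = ports to keep open.
sctp_rules() {
    mgmt="$1"
    shift
    for port in "$@"; do
        echo "iptables -A INPUT -p sctp --dport $port -s $mgmt -j ACCEPT"
    done
    echo "iptables -A INPUT -p sctp -j DROP"
}

# Stand-alone run against the live /proc; prints a verdict and suggested rules.
main() {
    mgmt_prefix="${1:-10.0.0.0/24}"   # constructed default, adjust to your mgmt net
    if ! sctp_loaded; then
        echo "sctp not loaded: no SCTP app can be listening, remote reach is nil"
        return 0
    fi
    ports=$(sctp_listen_ports | sort -u | tr '\n' ' ')
    echo "sctp loaded; bound local ports: ${ports:-none}"
    echo "suggested host ACL (review before applying):"
    # shellcheck disable=SC2086  # word-splitting of $ports is intended
    sctp_rules "$mgmt_prefix" $ports
}

main "$@"
```

The same idea applied one hop upstream is the infrastructure ACL the thread ends on: permit SCTP to the box only from where the SCTP peers actually are, drop it from everywhere else, and the "requires an sctp app to be running" precondition stops mattering to the rest of the network.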
