Nmap Development mailing list archives

Fw: [Dailydave] Remote kernel bug in SCTP?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 13 Mar 2009 19:05:05 +0000

Per our ongoing discussion of SCTP and OS detection/scanning support, I
think this thread will be of some interest to the group.

Brandon


Begin forwarded message:

Date: Fri, 13 Mar 2009 13:53:32 -0400
From: dave <dave () immunityinc com>
To: dailydave () lists immunityinc com
Subject: [Dailydave] Remote kernel bug in SCTP?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did everyone else already know about this bug? So you connect to an SCTP
endpoint, then send a packet to overwrite arbitrary kernel data? That'd
be cool.

This is where Phillipe tells us about his scanner from 2002. :>

- -dave

https://bugzilla.redhat.com/show_bug.cgi?id=478800
"""
linux-2.6:include/net/sctp/structs.h:

/* Skip over this ssn and all below. */
static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
                                 __u16 ssn)
{
        stream->ssn[id] = ssn+1;  <---ouch?

Comment #10 From Eugene Teo 2009-01-07 22:22:58 EDT -------

(In reply to comment #9)
Is it possible to exploit this vulnerability by sending a malformed
SCTP packet
to a machine that's not actively using SCTP?

No. It is only possible if there is an association between SCTP
endpoints.

Thanks, Eugene
"""
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm6nZwACgkQtehAhL0gheq5pwCdEgXiml/fysrkyZ2GOLRdbd3m
WBkAnjIMJjyFEmb8+wSkXSAR7IXbcZLk
=7pOB
-----END PGP SIGNATURE-----


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
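The quoted sctp_ssn_skip() writes to stream->ssn[id] with a stream id that, in the FORWARD TSN case, comes straight from the peer. The following C model is an added example for this archive page; it is not code from the post, from the Red Hat bug, or from the kernel. The struct, its sizes and all names (toy_assoc, ssn_skip_unchecked, ssn_skip_checked, process_fwd_tsn, run_demo) are this example's assumptions, and the hardening shown (rejecting a stream id at or above the number of inbound streams negotiated for the association) is this example's own check, not a claim about what the kernel fix did. The chunk layout follows RFC 3758 (type 192, flags, length, New Cumulative TSN, then stream id / SSN pairs), and the chunk bytes are constructed for the demo. The SSN table is modelled as the front of a flat array so that the out-of-range write lands in a neighbouring word instead of crashing the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of one association's receive-side stream table.  Names, sizes
 * and layout are this example's assumptions, not the kernel's.  Words
 * 0..TOY_NSTREAMS-1 are the per-stream SSN slots; the words after them stand
 * in for whatever kernel data happens to follow the real table in memory.
 */
#define TOY_NSTREAMS  4
#define TOY_MEM_WORDS 8

struct toy_assoc {
    uint16_t inbound_streams;        /* streams negotiated for this assoc */
    uint16_t mem[TOY_MEM_WORDS];
};

static uint16_t *ssn_table(struct toy_assoc *a) { return a->mem; }
static uint16_t *after_table(struct toy_assoc *a) { return a->mem + TOY_NSTREAMS; }

/* Vulnerable shape: the peer-supplied stream id indexes the table unchecked. */
static void ssn_skip_unchecked(struct toy_assoc *a, uint16_t id, uint16_t ssn)
{
    ssn_table(a)[id] = (uint16_t)(ssn + 1);
}

/* Hardened shape (this example's fix): refuse ids beyond the negotiated range. */
static int ssn_skip_checked(struct toy_assoc *a, uint16_t id, uint16_t ssn)
{
    if (id >= a->inbound_streams)
        return -1;
    ssn_table(a)[id] = (uint16_t)(ssn + 1);
    return 0;
}

/*
 * Walk a FORWARD TSN chunk (RFC 3758): type 192, flags, 16-bit length,
 * 32-bit New Cumulative TSN, then (stream id, SSN) pairs, all big-endian.
 * Returns the number of skips applied, or -1 if the chunk is malformed or
 * (checked path) a skip was rejected.
 */
static int process_fwd_tsn(struct toy_assoc *a, const uint8_t *chunk,
                           size_t len, int checked)
{
    if (len < 8 || chunk[0] != 192)
        return -1;
    uint16_t clen = (uint16_t)((chunk[2] << 8) | chunk[3]);
    if (clen < 8 || clen > len || (clen - 8) % 4 != 0)
        return -1;

    int applied = 0;
    for (size_t off = 8; off + 4 <= clen; off += 4) {
        uint16_t sid = (uint16_t)((chunk[off] << 8) | chunk[off + 1]);
        uint16_t ssn = (uint16_t)((chunk[off + 2] << 8) | chunk[off + 3]);
        if (checked) {
            if (ssn_skip_checked(a, sid, ssn) < 0)
                return -1;
        } else {
            /* The vulnerable code had no bound here; this one only keeps the
             * toy model inside its own array so the demo does not crash. */
            if (sid >= TOY_MEM_WORDS)
                return -1;
            ssn_skip_unchecked(a, sid, ssn);
        }
        applied++;
    }
    return applied;
}

struct demo_result {
    int applied;          /* return value of process_fwd_tsn() */
    uint16_t stream0;     /* SSN slot for stream 0 after processing */
    uint16_t neighbour1;  /* second word past the table (hit by stream id 5) */
};

/* Feed one constructed FORWARD TSN chunk through the chosen path. */
static struct demo_result run_demo(int checked)
{
    struct toy_assoc a = { .inbound_streams = TOY_NSTREAMS, .mem = { 0 } };
    /* Constructed chunk: type 192, flags 0, length 16, cum TSN 16,
     * skip (stream 0, SSN 3) then skip (stream 5, SSN 0x4140). */
    static const uint8_t chunk[] = {
        0xC0, 0x00, 0x00, 0x10,
        0x00, 0x00, 0x00, 0x10,
        0x00, 0x00, 0x00, 0x03,
        0x00, 0x05, 0x41, 0x40,
    };
    struct demo_result r;
    r.applied = process_fwd_tsn(&a, chunk, sizeof chunk, checked);
    r.stream0 = ssn_table(&a)[0];
    r.neighbour1 = after_table(&a)[1];
    return r;
}

int main(void)
{
    struct demo_result v = run_demo(0), h = run_demo(1);
    printf("unchecked: applied=%d stream0=%u neighbour1=0x%04x\n",
           v.applied, v.stream0, v.neighbour1);
    printf("checked:   applied=%d stream0=%u neighbour1=0x%04x\n",
           h.applied, h.stream0, h.neighbour1);
    return 0;
}
```

With the unchecked path the second skip entry (stream id 5 on a 4-stream association) lands 0x4141 in the word past the table, which is the shape of the "overwrite kernel data" concern in the post; with the check in place the first skip is still applied and the chunk is rejected at the bad id. As Eugene's comment notes, the chunk has to arrive on an existing association, which is why the model starts from an association with negotiated streams rather than a bare listener.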