[27468] in bugtraq
[GIS 2002021001] SkyStream EMR5000 DVB router DoS.
daemon@ATHENA.MIT.EDU (Global InterSec Research)
Wed Oct 16 21:10:41 2002
Message-Id: <4.2.0.58.20021016191745.02b4cf00@193.133.49.25>
Date: Wed, 16 Oct 2002 19:31:44 +0100
To: research@globalintersec.com
From: Global InterSec Research <lists@globalintersec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Global InterSec LLC
http://www.globalintersec.com
GIS Advisory ID: 2002021001
Changed: 10/16/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/skystream-2002021001.txt
Summary:
SkyStream's Edge Media Router-5000 (EMR5000) a DVB to
multicast router suffers from a vulnerability in its modified Linux
kernel.
Impact:
A remote user may cause a denial of service attack against
the device, causing it to crash (kernel panic).
Versions Tested:
1.16
1.17
1.18
Description:
The Linux based kernel, which the EMR5000 uses, has been modified
to work with SkyStream's customized PCB. Modifications include
proprietary DVB card drivers.
A problem exists within the kernel code which could cause a
kernel panic, when the device is no longer able to process data
being pushed into the ethernet ring buffers.
Rather than dropping packets, or even temporarily disabling the
interrupt address for the ethernet device, a null pointer exception
will occur in the interrupt handler, leading to a kernel panic.
Although the EMR5000 uses Intel's 82559ER ethernet controller, which
is supported by the eepro100 driver (included in the 2.4.x tree),
this condition could not be replicated on other systems, also with
the 82559ER onboard and using the eepro100 drivers. This is almost
certainly down to how SkyStream have implemented DMA, in order to
work with their PCB configuration and is therefore a problem which
is inherent to the EMR5000 and not necessarily other systems using
the eepro100 kernel modules.
Scope for attack:
Because this bug is directly connected to the EMR5000's network
interface, the above bug may be exploited remotely. It may also
be triggered fairly anonymously, with the use of spoofed SYN
packets for example.
In our early tests, the EMR5000 did not reboot on a kernel panic
and required a manual (cold) reboot. The most recent boot version
did handle the condition and reboot cleanly.
Work around:
Firewall all inbound traffic to the EMR5000, other than IGMP(2).
This is not a bullet proof work-around as the bug may also be
exploited through the use of IGMP.
Credit:
The vulnerabilities disclosed in this advisory were discovered
during routine penetration tests. They were further researched
at Global InterSec's facility.
The research division can be reached at research@globalintersec.com
Vendor Status:
Ellie Abdollahi ("Director of Software") of SkyStream INC was
notified of this problem on July 26, 2002. SkyStream has denied
responsibility for this problem, given their use of the Intel
ethernet controller and the eepro100 kernel module.
Subsequently, no fix has been provided. SkyStream was given GIS's
statutory 60 day advanced warning of this problem, along with a
copy of this advisory before its publication.
Proof of concept/Exploit:
The following was the result of high volumes of IGMPv2 requests being
sent to the ethernet interface.
SkyStream Networks
Edge Media Router
Please login as 'emradmin' for Command-Line Interface
emr5000 login: Oops: Exception in kernel mode, sig: 4
NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0
TRAP: 0700
MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR:
11
TASK = c01d6030[0] 'swapper' Last syscall: 120
last math 00000000 last altivec 00000000
GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000
00000000
GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04
00000000
GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000
C01D82C8
GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000
C45976E0
Call
backtrace:
C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
C0004294 C00042BC C01ED8A0 C00023C4
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Rebooting in 180 seconds..
Legal:
This advisory is the intellectual property of Global InterSec LLC
but may be freely distributed with the conditions that:
a) No fee is charged.
b) Appropriate credit is given.
c) Distribution of the advisory does not break NDA' s issued by GIS.
(c) Global InterSec LLC 2002
