From lists@globalintersec.com Thu Oct 17 01:42:39 2002 From: Global InterSec Research X-Sender: (Unverified) To: research@globalintersec.com Date: Wed, 16 Oct 2002 19:31:44 +0100 Subject: [GIS 2002021001] SkyStream EMR5000 DVB router DoS. Global InterSec LLC http://www.globalintersec.com GIS Advisory ID: 2002021001 Changed: 10/16/2002 Author: research@globalintersec.com Reference: http://www.globalintersec.com/adv/skystream-2002021001.txt Summary: SkyStream's Edge Media Router-5000 (EMR5000) a DVB to multicast router suffers from a vulnerability in its modified Linux kernel. Impact: A remote user may cause a denial of service attack against the device, causing it to crash (kernel panic). Versions Tested: 1.16 1.17 1.18 Description: The Linux based kernel, which the EMR5000 uses, has been modified to work with SkyStream's customized PCB. Modifications include proprietary DVB card drivers. A problem exists within the kernel code which could cause a kernel panic, when the device is no longer able to process data being pushed into the ethernet ring buffers. Rather than dropping packets, or even temporarily disabling the interrupt address for the ethernet device, a null pointer exception will occur in the interrupt handler, leading to a kernel panic. Although the EMR5000 uses Intel's 82559ER ethernet controller, which is supported by the eepro100 driver (included in the 2.4.x tree), this condition could not be replicated on other systems, also with the 82559ER onboard and using the eepro100 drivers. This is almost certainly down to how SkyStream have implemented DMA, in order to work with their PCB configuration and is therefore a problem which is inherent to the EMR5000 and not necessarily other systems using the eepro100 kernel modules. Scope for attack: Because this bug is directly connected to the EMR5000's network interface, the above bug may be exploited remotely. It may also be triggered fairly anonymously, with the use of spoofed SYN packets for example. In our early tests, the EMR5000 did not reboot on a kernel panic and required a manual (cold) reboot. The most recent boot version did handle the condition and reboot cleanly. Work around: Firewall all inbound traffic to the EMR5000, other than IGMP(2). This is not a bullet proof work-around as the bug may also be exploited through the use of IGMP. Credit: The vulnerabilities disclosed in this advisory were discovered during routine penetration tests. They were further researched at Global InterSec's facility. The research division can be reached at research@globalintersec.com Vendor Status: Ellie Abdollahi ("Director of Software") of SkyStream INC was notified of this problem on July 26, 2002. SkyStream has denied responsibility for this problem, given their use of the Intel ethernet controller and the eepro100 kernel module. Subsequently, no fix has been provided. SkyStream was given GIS's statutory 60 day advanced warning of this problem, along with a copy of this advisory before its publication. Proof of concept/Exploit: The following was the result of high volumes of IGMPv2 requests being sent to the ethernet interface. SkyStream Networks Edge Media Router Please login as 'emradmin' for Command-Line Interface emr5000 login: Oops: Exception in kernel mode, sig: 4 NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700 MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11 TASK = c01d6030[0] 'swapper' Last syscall: 120 last math 00000000 last altivec 00000000 GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000 00000000 GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04 00000000 GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000 C01D82C8 GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000 C45976E0 Call backtrace: C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000 C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C C0004294 C00042BC C01ED8A0 C00023C4 Kernel panic: Aiee, killing interrupt handler! In interrupt handler - not syncing Rebooting in 180 seconds.. Legal: This advisory is the intellectual property of Global InterSec LLC but may be freely distributed with the conditions that: a) No fee is charged. b) Appropriate credit is given. c) Distribution of the advisory does not break NDA' s issued by GIS. (c) Global InterSec LLC 2002