|
|
|
|
| |
| SkyStream's Edge Media Router-5000 (EMR5000) a DVB to multicast router suffers from a vulnerability in its modified Linux kernel. This allows a remote user to cause a denial of service attack against the device, causing it to crash (kernel panic). |
| |
Credit:
The original advisory can be downloaded from:
http://www.globalintersec.com/adv/skystream-2002021001.txt
The information has been provided by Global InterSec Research.
|
| |
Vulnerable systems:
* SkyStream's Edge Media Router-5000 version 1.16
* SkyStream's Edge Media Router-5000 version 1.17
* SkyStream's Edge Media Router-5000 version 1.18
The Linux based kernel, which the EMR5000 uses, has been modified to work with SkyStream's customized PCB. Modifications include proprietary DVB card drivers.
A problem exists within the kernel code that could cause a kernel panic, when the device is no longer able to process data being pushed into the Ethernet ring buffers.
Rather than dropping packets, or even temporarily disabling the interrupt address for the Ethernet device, a null pointer exception will occur in the interrupt handler, leading to a kernel panic.
Although the EMR5000 uses Intel's 82559ER Ethernet controller, which is supported by the eepro100 driver (included in the 2.4.x tree), this condition could not be replicated on other systems, also with the 82559ER onboard and using the eepro100 drivers. This is almost certainly down to how SkyStream have implemented DMA, in order to work with their PCB configuration and is therefore a problem that is inherent to the EMR5000 and not necessarily other systems using the eepro100 kernel modules.
Scope for attack:
Because this bug is directly connected to the EMR5000's network interface, the above bug may be exploited remotely. It may also be triggered fairly anonymously, with the use of spoofed SYN packets for example.
In our early tests, the EMR5000 did not reboot on a kernel panic and required a manual (cold) reboot. The most recent boot version did handle the condition and reboot cleanly.
Workaround:
Firewall all inbound traffic to the EMR5000, other than IGMP(2). This is not a bullet proof work-around as the bug may also be exploited through the use of IGMP.
Vendor Status:
Ellie Abdollahi ("Director of Software") of SkyStream INC was notified of this problem on July 26, 2002.
Subsequently, no fix has been provided. SkyStream was given GIS's statutory 60 day advanced warning of this problem, along with a copy of this advisory before its publication.
Proof of concept/Exploit:
The following was the result of high volumes of IGMPv2 requests being sent to the Ethernet interface.
SkyStream Networks
Edge Media Router
Please login as 'emradmin' for Command-Line Interface
emr5000 login: Oops: Exception in kernel mode, sig: 4
NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700
MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c01d6030[0] 'swapper' Last syscall: 120
last math 00000000 last altivec 00000000
GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000 00000000
GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04 00000000
GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000 C01D82C8
GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000 C45976E0
Call backtrace:
C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
C0004294 C00042BC C01ED8A0 C00023C4
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Rebooting in 180 seconds..
|
|
|
|
|
|
|
|
|
|
