[Dailydave] Remote kernel bug in SCTP?
dave
dave at immunityinc.com
Fri Mar 13 13:53:32 EDT 2009
Did everyone else already know about this bug? So you connect to an SCTP
endpoint, then send a packet to overwrite arbitrary kernel data? That'd
be cool.
This is where Phillipe tells us about his scanner from 2002. :>
- -dave
https://bugzilla.redhat.com/show_bug.cgi?id=478800
"""
linux-2.6:include/net/sctp/structs.h:
/* Skip over this ssn and all below. */
static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
				 __u16 ssn)
{
	stream->ssn[id] = ssn+1;   /* <--- ouch? */
}
Comment #10 From Eugene Teo 2009-01-07 22:22:58 EDT -------
(In reply to comment #9)
> Is it possible to exploit this vulnerability by sending a malformed SCTP packet
> to a machine that's not actively using SCTP?
No. It is only possible if there is an association between SCTP endpoints.
Thanks, Eugene
"""
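The pattern the quoted snippet points at, as an added illustration that is not part of the post, the Bugzilla entry or the Linux kernel source: a FORWARD TSN chunk (RFC 3758) carries {stream id, stream sequence number} pairs, and `sctp_ssn_skip()` uses the 16-bit stream id straight off the wire as an index into the association's per-stream SSN table. The toy below parses such a chunk from a constructed byte string, applies it once through an unchecked skip that mirrors the quoted write and once through a version that rejects stream ids beyond the negotiated inbound stream count. All names here (`stream_table`, `parse_fwd_tsn`, `ssn_skip_unchecked`, `process_checked`, `apply_sample`) are illustrative, and the check shown is the shape of fix a reviewer would expect, not a claim about the exact upstream patch. As Eugene Teo's comment says, this chunk is only processed inside an existing association, so the attacker first has to complete the four-way handshake.

```c
/* Added example: toy model of the unchecked stream-id write and its check.
 * Not kernel code; names are illustrative. Build: cc -std=c99 -Wall demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IN_STREAMS 8    /* inbound streams negotiated at association setup */
#define MEM_WORDS  32   /* toy backing store: ssn[] plus whatever sits after it */

/* Flat array so an index past IN_STREAMS still lands in defined memory in
 * this demo; in the kernel it lands in whatever was allocated next. */
struct stream_table {
    uint16_t words[MEM_WORDS];     /* words[0..IN_STREAMS) plays stream->ssn[] */
};

struct fwd_tsn_skip {              /* one {stream id, SSN} entry of the chunk */
    uint16_t stream;
    uint16_t ssn;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* FORWARD TSN chunk: type 192, flags, length, new cumulative TSN, then zero
 * or more 4-byte skip entries, all big-endian. Returns entry count or -1. */
static int parse_fwd_tsn(const uint8_t *chunk, size_t len, uint32_t *new_cum_tsn,
                         struct fwd_tsn_skip *out, size_t max_out)
{
    if (len < 8 || chunk[0] != 192 || (size_t)be16(chunk + 2) != len || (len - 8) % 4 != 0)
        return -1;
    size_t n = (len - 8) / 4;
    if (n > max_out)
        return -1;
    *new_cum_tsn = be32(chunk + 4);
    for (size_t i = 0; i < n; i++) {
        out[i].stream = be16(chunk + 8 + 4 * i);
        out[i].ssn    = be16(chunk + 10 + 4 * i);
    }
    return (int)n;
}

/* The vulnerable pattern: the wire stream id is used as an index unchecked. */
static void ssn_skip_unchecked(struct stream_table *t, uint16_t id, uint16_t ssn)
{
    if (id >= MEM_WORDS)    /* demo-only guard so the simulation stays defined C;
                               the kernel had nothing here and id runs to 65535 */
        return;
    t->words[id] = (uint16_t)(ssn + 1);   /* stream->ssn[id] = ssn+1 */
}

static void process_unchecked(struct stream_table *t, const struct fwd_tsn_skip *s, int n)
{
    for (int i = 0; i < n; i++)
        ssn_skip_unchecked(t, s[i].stream, s[i].ssn);
}

/* Hardened: validate every stream id against the negotiated count before
 * touching the table, and discard the whole chunk otherwise. */
static int process_checked(struct stream_table *t, const struct fwd_tsn_skip *s, int n)
{
    for (int i = 0; i < n; i++)
        if (s[i].stream >= IN_STREAMS)
            return -1;                    /* discard; nothing written */
    for (int i = 0; i < n; i++)
        t->words[s[i].stream] = (uint16_t)(s[i].ssn + 1);
    return 0;
}

/* Constructed sample chunk (not a capture): one valid skip and one whose
 * stream id (10) is beyond IN_STREAMS. */
static const uint8_t SAMPLE_CHUNK[] = {
    0xC0, 0x00, 0x00, 0x10,   /* type 192 (FORWARD TSN), flags 0, length 16 */
    0x00, 0x00, 0x00, 0x2A,   /* new cumulative TSN = 42 */
    0x00, 0x03, 0x00, 0x10,   /* skip: stream 3,  SSN 0x0010 (in range) */
    0x00, 0x0A, 0xBE, 0xEE,   /* skip: stream 10, SSN 0xBEEE (out of range) */
};

/* Run the sample chunk through one path on a zeroed table. Returns the
 * processing result; *neighbour is the word two past the end of ssn[],
 * i.e. the memory the bad entry overwrites. */
int apply_sample(struct stream_table *t, int use_check, uint16_t *neighbour)
{
    uint32_t cum_tsn;
    struct fwd_tsn_skip skips[8];
    int n = parse_fwd_tsn(SAMPLE_CHUNK, sizeof SAMPLE_CHUNK, &cum_tsn, skips, 8);
    if (n < 0)
        return -2;
    memset(t, 0, sizeof *t);
    int rc = 0;
    if (use_check)
        rc = process_checked(t, skips, n);
    else
        process_unchecked(t, skips, n);
    *neighbour = t->words[IN_STREAMS + 2];
    return rc;
}

int main(void)
{
    struct stream_table t;
    uint16_t nb;
    int rc = apply_sample(&t, 0, &nb);
    printf("unchecked: rc=%d ssn[3]=0x%04x neighbour=0x%04x\n", rc, t.words[3], nb);
    rc = apply_sample(&t, 1, &nb);
    printf("checked:   rc=%d ssn[3]=0x%04x neighbour=0x%04x\n", rc, t.words[3], nb);
    return 0;
}
```

The unchecked path writes 0xBEEF two words past the end of the SSN table; the checked path returns -1 and leaves the table untouched, including the in-range entry, because validation runs before any write. The value written is attacker-chosen SSN+1 and the offset is attacker-chosen stream id times two, which is what makes the quoted line more than a denial of service.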