SkyStream EMR5000 DVB Router DoS
Category: Vulnerability | Posted: 2002-10-14 by ReCall
Details:
SkyStream's Edge Media Router-5000 (EMR5000), a DVB to multicast router, suffers from a vulnerability in its modified Linux kernel. This allows a remote user to mount a denial-of-service attack against the device, causing it to crash (kernel panic).
Vulnerable systems:
* SkyStream's Edge Media Router-5000 version 1.16
* SkyStream's Edge Media Router-5000 version 1.17
* SkyStream's Edge Media Router-5000 version 1.18
The Linux-based kernel that the EMR5000 uses has been modified to work with SkyStream's customized PCB. Modifications include proprietary DVB card drivers.
A problem exists within the kernel code that could cause a kernel panic when the device is no longer able to process data being pushed into the Ethernet ring buffers.
Rather than dropping packets, or even temporarily disabling the interrupt address for the Ethernet device, a null pointer exception will occur in the interrupt handler, leading to a kernel panic.
Although the EMR5000 uses Intel's 82559ER Ethernet controller, which is supported by the eepro100 driver (included in the 2.4.x tree), this condition could not be replicated on other systems that also have the 82559ER onboard and use the eepro100 drivers. This is almost certainly down to how SkyStream have implemented DMA in order to work with their PCB configuration, and it is therefore a problem that is inherent to the EMR5000 and not necessarily to other systems using the eepro100 kernel modules.
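The defensive behaviour the advisory says is missing (drop the packet rather than dereference a null pointer in the receive interrupt path) can be shown with a small user-space model. This is an added example, not SkyStream's or the eepro100 driver's code; the ring layout, the buffer pool and every name in it are assumptions made for illustration, since the advisory does not publish the faulty code.

```c
/* Added illustration: user-space model of an RX ring, not SkyStream or eepro100 code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE 8     /* constructed sizes for the model */
#define BUF_LEN   64u

struct rx_ring {
    unsigned char *buf[RING_SIZE];  /* NULL means no buffer is posted in that slot */
    unsigned head;                  /* slot the next received frame lands in */
    int pool_left;                  /* buffers the allocator can still hand out */
    unsigned long delivered, dropped;
};

/* Allocator stand-in: fails once the pool is empty, as it would under a flood. */
static unsigned char *pool_alloc(struct rx_ring *r) {
    if (r->pool_left <= 0) return NULL;
    r->pool_left--;
    return malloc(BUF_LEN);
}

void ring_init(struct rx_ring *r, int pool) {
    memset(r, 0, sizeof *r);
    r->pool_left = pool;
    for (unsigned i = 0; i < RING_SIZE; i++) r->buf[i] = pool_alloc(r);
}

/* The network stack finished with n buffers and returned them to the pool. */
void stack_release(struct rx_ring *r, int n) { r->pool_left += n; }

/* Receive path. Returns 1 if the frame was delivered, 0 if it was dropped. */
int rx_interrupt(struct rx_ring *r, const unsigned char *frame, size_t len) {
    unsigned i = r->head;
    r->head = (r->head + 1) % RING_SIZE;
    if (r->buf[i] == NULL)                  /* slot was never refilled: try again */
        r->buf[i] = pool_alloc(r);
    if (r->buf[i] == NULL) { r->dropped++; return 0; }  /* drop, never dereference */
    unsigned char *fresh = pool_alloc(r);   /* get the replacement before handing off */
    if (fresh == NULL) { r->dropped++; return 0; }      /* keep the old buffer posted */
    memcpy(r->buf[i], frame, len < BUF_LEN ? len : BUF_LEN);
    free(r->buf[i]);                        /* stands in for passing the frame up the stack */
    r->buf[i] = fresh;
    r->delivered++;
    return 1;
}
```

Allocating the replacement buffer before giving up the filled one means a slot never loses its buffer because of load, so sustained pressure shows up as a rising drop counter instead of a crash.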
Scope for attack:
Because this bug is directly connected to the EMR5000's network interface, the above bug may be exploited remotely. It may also be triggered fairly anonymously, with the use of spoofed SYN packets for example.
In our early tests, the EMR5000 did not reboot on a kernel panic and required a manual (cold) reboot. The most recent boot version did handle the condition and reboot cleanly.
Workaround:
Firewall all inbound traffic to the EMR5000, other than IGMP(2). This is not a bulletproof workaround, as the bug may also be exploited through the use of IGMP.
Vendor Status:
Ellie Abdollahi ("Director of Software") of SkyStream INC was notified of this problem on July 26, 2002.
Subsequently, no fix has been provided. SkyStream was given GIS's statutory 60 day advanced warning of this problem, along with a copy of this advisory before its publication.
Proof of concept/Exploit:
The following was the result of high volumes of IGMPv2 requests being sent to the Ethernet interface.