Category:   Device (Router/Bridge/Hub)  >   Edge Media Router
Vendors:   SkyStream Networks
SkyStream Networks Edge Media Router (EMR-5000) Lets Remote Users Crash the Device
SecurityTracker Alert ID:  1005432
SecurityTracker URL:  http://securitytracker.com/id/1005432
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 16 2002
Impact:   Denial of service via network

Version(s): 1.16, 1.17, 1.18; EMR-5000
Description:   A denial of service vulnerability was reported in the SkyStream Networks Edge Media Router-5000 (EMR-5000) router. A remote user can cause the device to crash.

Global InterSec issued an advisory warning that a remote user can induce a kernel panic by sending certain packets (e.g., TCP SYN packets) to the device's network interface. The flaw reportedly happens when the device is unable to process data received from the Ethernet interface and a null pointer exception occurs in the interrupt handler, resulting in a kernel panic.

The crash may or may not require a manual restart to return to normal operations, depending on the boot version used.

The vendor has reportedly been notified.

Impact:   A remote user can cause the device to crash.
Solution:   No solution was available at the time of this entry. According to the report, the vendor has "denied responsibility for this problem."

The author of the report suggests, as a workaround, firewalling all inbound traffic to the EMR5000 other than IGMP(2). The author notes that this workaround is not bulletproof, as the flaw may also be exploited through the IGMP protocol.

Vendor URL:  www.skystream.com/products/emr5000.stm
Cause:   Boundary error, Resource error, State error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Fix is Available) Re: SkyStream Networks Edge Media Router (EMR-5000) Lets Remote Users Crash the Device
The vendor has released a fix.



 Source Message Contents

Date:  Wed, 16 Oct 2002 19:31:44 +0100
Subject:  [GIS 2002021001] SkyStream EMR5000 DVB router DoS.


Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID:  	2002021001
Changed:		10/16/2002
Author:		research@globalintersec.com
Reference:	http://www.globalintersec.com/adv/skystream-2002021001.txt

Summary:

   SkyStream's Edge Media Router-5000 (EMR5000), a DVB to
   multicast router, suffers from a vulnerability in its modified Linux
   kernel.

Impact:

   A remote user may cause a denial of service attack against
   the device, causing it to crash (kernel panic).

Versions Tested:

   1.16
   1.17
   1.18

Description:

   The Linux based kernel, which the EMR5000 uses, has been modified
   to work with SkyStream's customized PCB. Modifications include
   proprietary DVB card drivers.

   A problem exists within the kernel code which could cause a
   kernel panic, when the device is no longer able to process data
   being pushed into the ethernet ring buffers.

   Rather than dropping packets, or even temporarily disabling the
   interrupt address for the ethernet device, a null pointer exception
   will occur in the interrupt handler, leading to a kernel panic.

   Although the EMR5000 uses Intel's 82559ER ethernet controller, which
   is supported by the eepro100 driver (included in the 2.4.x tree),
   this condition could not be replicated on other systems, also with
   the 82559ER onboard and using the eepro100 drivers. This is almost
   certainly down to how SkyStream have implemented DMA, in order to
   work with their PCB configuration and is therefore a problem which
   is inherent to the EMR5000 and not necessarily other systems using
   the eepro100 kernel modules.


Scope for attack:

   Because this bug is directly connected to the EMR5000's network
   interface, the above bug may be exploited remotely. It may also
   be triggered fairly anonymously, with the use of spoofed SYN
   packets for example.

   In our early tests, the EMR5000 did not reboot on a kernel panic
   and required a manual (cold) reboot. The most recent boot version
   did handle the condition and reboot cleanly.


Work around:

   Firewall all inbound traffic to the EMR5000, other than IGMP(2).
   This is not a bullet proof work-around as the bug may also be
   exploited through the use of IGMP.

Credit:

   The vulnerabilities disclosed in this advisory were discovered
   during routine penetration tests. They were further researched
   at Global InterSec's facility.

   The research division can be reached at research@globalintersec.com

Vendor Status:

   Ellie Abdollahi ("Director of Software") of SkyStream INC was
   notified of this problem on July 26, 2002. SkyStream has denied
   responsibility for this problem, given their use of the Intel
   ethernet controller and the eepro100 kernel module.

   Subsequently, no fix has been provided. SkyStream was given GIS's
   statutory 60 day advanced warning of this problem, along with a
   copy of this advisory before its publication.


Proof of concept/Exploit:

   The following was the result of high volumes of IGMPv2 requests being
   sent to the ethernet interface.

   SkyStream Networks
   Edge Media Router
   Please login as 'emradmin' for Command-Line Interface
   emr5000 login: Oops: Exception in kernel mode, sig: 4
   NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700
   MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
   TASK = c01d6030[0] 'swapper' Last syscall: 120
   last math 00000000 last altivec 00000000
   GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000 00000000
   GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04 00000000
   GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000 C01D82C8
   GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000 C45976E0
   Call backtrace:
   C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
   C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
   C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
   C0004294 C00042BC C01ED8A0 C00023C4
   Kernel panic: Aiee, killing interrupt handler!
   In interrupt handler - not syncing
   Rebooting in 180 seconds..


Legal:

   This advisory is the intellectual property of Global InterSec LLC
   but may be freely distributed with the conditions that:

	a) No fee is charged.
	b) Appropriate credit is given.
	c) Distribution of the advisory does not break NDA's issued by GIS.

(c) Global InterSec LLC 2002
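
For triage of a console capture like the one in the advisory's proof-of-concept section, the following added example (not part of the advisory or of the SecurityTracker entry) parses the oops into fields a monitoring script can act on, including whether the device announced an automatic reboot. The name `parse_oops`, the result keys and the trap-name table are assumptions of this example; the sample is the advisory's console output with the GPR lines left out.

```python
import re

# Console output from the advisory, GPR lines omitted. Line breaks inside
# fields, as mail or terminal wrapping produces them, are included on purpose.
SAMPLE = """\
emr5000 login: Oops: Exception in kernel mode, sig: 4
NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0
TRAP: 0700
TASK = c01d6030[0] 'swapper' Last syscall: 120
Call
backtrace:
C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
C0004294 C00042BC C01ED8A0 C00023C4
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Rebooting in 180 seconds..
"""

# PowerPC exception vectors as printed in the TRAP field.
TRAP_NAMES = {"0300": "data access", "0400": "instruction access",
              "0700": "program exception"}

def parse_oops(console):
    """Summarise a PowerPC Linux oops/panic from a serial console capture."""
    # Wrapping splits fields across lines, so the register fields are matched
    # against a whitespace-collapsed copy of the capture.
    flat = " ".join(console.split())

    def field(pattern, text=flat):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None

    trap = field(r"\bTRAP: ([0-9A-Fa-f]{4})\b")
    trace = field(r"Call backtrace:((?: [0-9A-Fa-f]{8})+)")
    reboot = field(r"Rebooting in (\d+) seconds")
    return {
        "signal": field(r"Oops: Exception in kernel mode, sig: (\d+)"),
        "nip": field(r"\bNIP: ([0-9A-Fa-f]{8})\b"),
        "trap": trap,
        "trap_name": TRAP_NAMES.get(trap, "unknown"),
        "task": field(r"TASK = [0-9A-Fa-f]+\[\d+\] '([^']+)'"),
        "backtrace": trace.split() if trace else [],
        "panic": field(r"Kernel panic: (.+)", console),
        "in_interrupt": "In interrupt handler" in flat,
        # None: no automatic reboot announced, so a manual restart is needed.
        "reboot_after_s": int(reboot) if reboot else None,
    }
```

A `reboot_after_s` of `None` together with a non-empty `panic` corresponds to the older boot versions described under "Scope for attack", where the device stays down until it is cold-rebooted.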

 
 



Copyright 2014, SecurityGlobal.net LLC