The Linux netfilter SCTP connection tracking code has a remotely triggerable vulnerability (a NULL pointer dereference) around its new_state() function.
In sctp_new():

	newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
	if (newconntrack == SCTP_CONNTRACK_MAX) {
		pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
		return 0;
	}
SCTP_CONNTRACK_MAX is rejected, but SCTP_CONNTRACK_NONE should be rejected too. The new state is stored as-is:

	conntrack->proto.sctp.state = newconntrack;

So the conntrack's state will be zero (SCTP_CONNTRACK_NONE).
sctp_packet(), which returns the verdict for the packet, then reads that state 0:

	oldsctpstate = conntrack->proto.sctp.state;
	newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);
and then dereferences a NULL pointer:

	nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

because sctp_timeouts[SCTP_CONNTRACK_NONE] is NULL; there is no timeout entry for that state:
	static unsigned int *sctp_timeouts[]
	= { NULL,                                /* SCTP_CONNTRACK_NONE */
	    &nf_ct_sctp_timeout_closed,          /* SCTP_CONNTRACK_CLOSED */
	    &nf_ct_sctp_timeout_cookie_wait,     /* SCTP_CONNTRACK_COOKIE_WAIT */
	    &nf_ct_sctp_timeout_cookie_echoed,   /* SCTP_CONNTRACK_COOKIE_ECHOED */
	    &nf_ct_sctp_timeout_established,     /* SCTP_CONNTRACK_ESTABLISHED */
	    &nf_ct_sctp_timeout_shutdown_sent,   /* SCTP_CONNTRACK_SHUTDOWN_SENT */
	    &nf_ct_sctp_timeout_shutdown_recd,   /* SCTP_CONNTRACK_SHUTDOWN_RECD */
	    &nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
	};
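The two steps above, modelled in userspace as an added example (constructed here, not kernel code): a simplified stand-in for new_state(), the timeout table with its NULL entry for state 0, the sctp_new() check as reported, and the hardened check that also rejects SCTP_CONNTRACK_NONE so that state 0 can never reach sctp_packet(). The transition rules, timeout values and chunk ids are assumptions for the model.

```c
#include <stdio.h>
#include <stddef.h>

enum sctp_conntrack {          /* same order as the kernel's sctp_timeouts[] above */
	SCTP_CONNTRACK_NONE, SCTP_CONNTRACK_CLOSED, SCTP_CONNTRACK_COOKIE_WAIT,
	SCTP_CONNTRACK_COOKIE_ECHOED, SCTP_CONNTRACK_ESTABLISHED,
	SCTP_CONNTRACK_SHUTDOWN_SENT, SCTP_CONNTRACK_SHUTDOWN_RECD,
	SCTP_CONNTRACK_SHUTDOWN_ACK_SENT, SCTP_CONNTRACK_MAX
};
enum { SCTP_CID_DATA = 0, SCTP_CID_INIT = 1, SCTP_CID_ABORT = 6 }; /* RFC 4960 chunk ids */

/* Constructed timeout values; index 0 (NONE) is NULL exactly as in the kernel table. */
static unsigned int t_cl = 10, t_cw = 3, t_ce = 3, t_es = 5, t_ss = 300, t_sr = 300, t_sa = 3;
static unsigned int *sctp_timeouts[SCTP_CONNTRACK_MAX] =
	{ NULL, &t_cl, &t_cw, &t_ce, &t_es, &t_ss, &t_sr, &t_sa };

/* Simplified stand-in for the kernel's transition table (constructed, not the real one):
 * only INIT opens an association from NONE, ABORT always closes, unknown chunk ids
 * yield MAX, and anything else keeps the current state (so DATA from NONE stays NONE). */
static int new_state(int old, int chunk_type)
{
	if (chunk_type > 14) return SCTP_CONNTRACK_MAX;
	if (chunk_type == SCTP_CID_ABORT) return SCTP_CONNTRACK_CLOSED;
	if (old == SCTP_CONNTRACK_NONE)
		return chunk_type == SCTP_CID_INIT ? SCTP_CONNTRACK_COOKIE_WAIT : SCTP_CONNTRACK_NONE;
	return old;
}

/* sctp_new() as reported: only MAX is rejected, so a conntrack can be stored in state 0.
 * Returns the stored state, or -1 when the packet is dropped. */
static int sctp_new_vulnerable(int chunk_type)
{
	int n = new_state(SCTP_CONNTRACK_NONE, chunk_type);
	return n == SCTP_CONNTRACK_MAX ? -1 : n;
}

/* Hardened sctp_new(): NONE is rejected as well, so state 0 is never stored. */
static int sctp_new_fixed(int chunk_type)
{
	int n = new_state(SCTP_CONNTRACK_NONE, chunk_type);
	return (n == SCTP_CONNTRACK_NONE || n == SCTP_CONNTRACK_MAX) ? -1 : n;
}

/* The sctp_packet() step: the kernel passes *sctp_timeouts[n] to nf_ct_refresh_acct().
 * MAX is caught by sctp_packet()'s own check (modelled as NULL without a dereference);
 * for NONE the table entry itself is NULL and that is the pointer the kernel dereferences. */
static unsigned int *timeout_for_next_packet(int state, int chunk_type)
{
	int n = new_state(state, chunk_type);
	return n == SCTP_CONNTRACK_MAX ? NULL : sctp_timeouts[n];
}
```

Running sctp_new_vulnerable(SCTP_CID_DATA) yields state 0, and timeout_for_next_packet(0, SCTP_CID_DATA) returns the NULL entry; sctp_new_fixed() drops the same packet (-1) while still accepting INIT into COOKIE_WAIT.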
To exploit this you have to create a socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) and set the sockopt SCTP_STATUS to zero. Because this option is read-only, you will need to construct the raw SCTP packet :)

The victim must have an SCTP service, and the oops probably doesn't crash the system.