17th Oct 2002 [SBWID-5761]
COMMAND
SkyStream EMR5000 DVB router DoS
SYSTEMS AFFECTED
SkyStream EMR5000 Versions 1.16,1.17,1.18
PROBLEM
The vulnerabilities disclosed in this advisory were discovered during
routine penetration tests. They were further researched at Global
InterSec's facility [GIS Advisory ID :2002021001].
The research division can be reached at [research@globalintersec.com]
--snip--
The Linux based kernel, which the EMR5000 uses, has been modified to
work with SkyStream's customized PCB. Modifications include proprietary
DVB card drivers.
A problem exists within the kernel code which could cause a kernel
panic, when the device is no longer able to process data being pushed
into the ethernet ring buffers.
Rather than dropping packets, or even temporarily disabling the
interrupt address for the ethernet device, a null pointer exception
will occur in the interrupt handler, leading to a kernel panic.
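The pattern the advisory describes, as an added illustration (not SkyStream's code and not the eepro100 driver): a toy receive ring in which the interrupt-side path asks for the next free descriptor and, when the ring is full, gets NULL. The hardened path treats a full ring as the expected result of a flood, drops the frame and counts it, which is the behaviour the advisory says the EMR5000 lacks. Ring size, buffer length and the frame payload are hypothetical values chosen for the example.

```c
/*
 * Added example: a toy ethernet RX ring modelling the failure mode in the
 * advisory. A producer (the NIC side) fills descriptors; the consumer (the
 * kernel) drains them. If nothing drains the ring, the producer must not
 * dereference the NULL it gets back for "next free descriptor".
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_RING_SIZE 8   /* hypothetical ring depth */
#define RX_BUF_LEN   64  /* hypothetical per-descriptor buffer size */

struct rx_desc {
    int     in_use;          /* 1 while the slot holds an undelivered frame */
    size_t  len;
    uint8_t data[RX_BUF_LEN];
};

struct rx_ring {
    struct rx_desc desc[RX_RING_SIZE];
    unsigned head;           /* next slot the NIC side fills */
    unsigned tail;           /* next slot the kernel side drains */
    unsigned long rx_ok;
    unsigned long rx_dropped; /* frames discarded because the ring was full */
};

void rx_ring_init(struct rx_ring *r) { memset(r, 0, sizeof *r); }

/* Returns the free descriptor at head, or NULL when the ring is full. */
static struct rx_desc *rx_ring_alloc(struct rx_ring *r)
{
    struct rx_desc *d = &r->desc[r->head % RX_RING_SIZE];
    return d->in_use ? NULL : d;
}

/*
 * Interrupt-side push. The NULL check is the point of the example: without
 * it, a full ring becomes a NULL dereference in interrupt context.
 * Returns 1 if the frame was stored, 0 if it was dropped.
 */
int rx_push(struct rx_ring *r, const uint8_t *frame, size_t len)
{
    struct rx_desc *d = rx_ring_alloc(r);
    if (d == NULL) {
        r->rx_dropped++;     /* drop and count, do not crash */
        return 0;
    }
    if (len > RX_BUF_LEN)
        len = RX_BUF_LEN;    /* never trust a length that came off the wire */
    memcpy(d->data, frame, len);
    d->len = len;
    d->in_use = 1;
    r->head++;
    r->rx_ok++;
    return 1;
}

/* Kernel-side drain: returns the frame length, or -1 if nothing is pending. */
int rx_pop(struct rx_ring *r, uint8_t *out, size_t out_len)
{
    struct rx_desc *d = &r->desc[r->tail % RX_RING_SIZE];
    if (!d->in_use)
        return -1;
    size_t n = d->len < out_len ? d->len : out_len;
    memcpy(out, d->data, n);
    d->in_use = 0;
    r->tail++;
    return (int)n;
}

/* Pushes `count` frames with nobody draining the ring; returns the drop count. */
unsigned long simulate_flood(struct rx_ring *r, unsigned count)
{
    uint8_t frame[RX_BUF_LEN];
    memset(frame, 0xAB, sizeof frame);   /* constructed payload */
    for (unsigned i = 0; i < count; i++)
        rx_push(r, frame, sizeof frame);
    return r->rx_dropped;
}

int main(void)
{
    struct rx_ring ring;
    rx_ring_init(&ring);
    unsigned long dropped = simulate_flood(&ring, 20);
    printf("stored=%lu dropped=%lu\n", ring.rx_ok, dropped);
    return 0;
}
```

With a ring of 8 and 20 frames arriving before anything is drained, the hardened push stores 8 and counts 12 drops; a push made after a single drain succeeds again. The drop counter is also what an operator would graph to see a flood coming, instead of learning about it from a panic on the console.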
Although the EMR5000 uses Intel's 82559ER ethernet controller, which is
supported by the eepro100 driver included in the 2.4.x kernel tree, the
condition could not be reproduced on other systems that also have the
82559ER onboard and use the eepro100 driver. This is almost certainly
due to how SkyStream has implemented DMA to work with its PCB
configuration; the problem is therefore inherent to the EMR5000 and not
necessarily present on other systems using the eepro100 kernel module.
Because the bug sits in the EMR5000's network interface path, it can be
triggered remotely. It can also be triggered fairly anonymously, for
example with spoofed SYN packets.
In our early tests, the EMR5000 did not reboot on a kernel panic and
required a manual (cold) reboot. The most recent boot version did
handle the condition and reboot cleanly.
Proof of concept/Exploit
========================
The following console output was the result of high volumes of IGMPv2
requests being sent to the ethernet interface.
SkyStream Networks
Edge Media Router
Please login as 'emradmin' for Command-Line Interface
emr5000 login: Oops: Exception in kernel mode, sig: 4
NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700
MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11
TASK = c01d6030[0] 'swapper' Last syscall: 120
last math 00000000 last altivec 00000000
GPR00: C00FB4F4 C01D79A0 C01D6030 0000001C 00001230 00000001 C0220000 00000000
GPR08: C0220000 C01E0000 00001236 C01D78E0 24004024 10068BC4 000C0A04 00000000
GPR16: 00000000 FFFE2198 00000000 00002FB6 00001230 001D7A80 00000000 C01D82C8
GPR24: 000001C0 C0220000 C01ECF00 00000007 C01D82C8 C01E0000 00000000 C45976E0
Call backtrace:
C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C
C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000
C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C
C0004294 C00042BC C01ED8A0 C00023C4
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Rebooting in 180 seconds..
--snip--
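For an operator collecting the EMR5000's serial console, an added example (not part of the advisory and not SkyStream's code) that recognises the PowerPC oops/panic format shown above and pulls out the fields worth alerting on: the signal, NIP, LR, trap number, backtrace depth, whether the panic happened in interrupt context, and the reboot countdown. The sample text is the console capture from this advisory, embedded as a string so the parser runs offline.

```c
/*
 * Added example: parser for the PowerPC kernel oops/panic text the EMR5000
 * prints on its console, for use in a console-log collector or watchdog.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct oops_info {
    int found;             /* "Oops: Exception in kernel mode" seen */
    int sig;               /* signal number from the Oops line */
    unsigned long nip, lr; /* faulting instruction and link register */
    unsigned trap;         /* TRAP vector (0x700 = program check on PowerPC) */
    int frames;            /* addresses counted in the call backtrace */
    int panic;             /* "Kernel panic" seen */
    int in_interrupt;      /* "In interrupt handler" seen */
    int reboot_secs;       /* countdown from "Rebooting in N seconds", -1 if none */
};

/* Sample input: the console capture from the advisory above. */
static const char SAMPLE_CONSOLE[] =
    "Please login as 'emradmin' for Command-Line Interface\n"
    "emr5000 login: Oops: Exception in kernel mode, sig: 4\n"
    "NIP: C00FB4F4 XER: 00000000 LR: C00FB4F4 SP: C01D79A0 REGS: c01d78f0 TRAP: 0700\n"
    "MSR: 00009230 EE: 1 PR: 0 FP: 0 ME: 1 IR/DR: 11\n"
    "TASK = c01d6030[0] 'swapper' Last syscall: 120\n"
    "Call backtrace:\n"
    "C00FB4F4 C00FEBE0 C00C4318 C0003BA0 C0003CCC C0002A38 C00FB40C\n"
    "C00FB65C C00FEBE0 C00C3FE4 C0003BA0 C0003CCC C0002A38 20000000\n"
    "C0003CCC C0002A38 C010C214 C00FF13C C001885C C0002A84 C002354C\n"
    "C0004294 C00042BC C01ED8A0 C00023C4\n"
    "Kernel panic: Aiee, killing interrupt handler!\n"
    "In interrupt handler - not syncing\n"
    "Rebooting in 180 seconds..\n";

/* Counts space-separated tokens that are exactly eight hex digits. */
static int count_hex_words(const char *s)
{
    int count = 0;
    while (*s) {
        while (*s == ' ') s++;
        const char *start = s;
        while (*s && *s != ' ') s++;
        if (s - start == 8) {
            int ok = 1;
            for (const char *q = start; q < s; q++)
                if (!isxdigit((unsigned char)*q)) ok = 0;
            count += ok;
        }
    }
    return count;
}

/* Scans console text line by line; returns 1 if an oops or panic was found. */
int parse_oops(const char *text, struct oops_info *out)
{
    char line[256];
    int in_backtrace = 0;
    memset(out, 0, sizeof *out);
    out->reboot_secs = -1;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t n = nl ? (size_t)(nl - text) : strlen(text);
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        const char *p;
        if ((p = strstr(line, "Oops: Exception in kernel mode")) != NULL) {
            out->found = 1;
            if ((p = strstr(p, "sig:")) != NULL)
                sscanf(p, "sig: %d", &out->sig);
        } else if (strncmp(line, "NIP:", 4) == 0) {
            sscanf(line, "NIP: %lx XER: %*x LR: %lx SP: %*x REGS: %*x TRAP: %x",
                   &out->nip, &out->lr, &out->trap);
        } else if (strstr(line, "Kernel panic") != NULL) {
            out->panic = 1;
        } else if (strstr(line, "In interrupt handler") != NULL) {
            out->in_interrupt = 1;
        } else if ((p = strstr(line, "Rebooting in ")) != NULL) {
            sscanf(p, "Rebooting in %d seconds", &out->reboot_secs);
        } else if (strcmp(line, "Call backtrace:") == 0) {
            in_backtrace = 1;
        } else if (in_backtrace) {
            int here = count_hex_words(line);
            if (here == 0) in_backtrace = 0; else out->frames += here;
        }
        text = nl ? nl + 1 : text + n;
    }
    return out->found || out->panic;
}

/* The case this advisory is about: a panic raised from interrupt context. */
int is_interrupt_panic(const struct oops_info *o)
{
    return o->panic && o->in_interrupt;
}

int main(void)
{
    struct oops_info info;
    if (parse_oops(SAMPLE_CONSOLE, &info))
        printf("oops sig=%d nip=%08lx trap=%x frames=%d interrupt_panic=%d reboot=%ds\n",
               info.sig, info.nip, info.trap, info.frames,
               is_interrupt_panic(&info), info.reboot_secs);
    return 0;
}
```

Fed the capture above, the parser reports sig 4 at NIP C00FB4F4, trap 0x700, 25 backtrace frames, a panic in interrupt context and a 180 second reboot countdown. A collector can key an alert on is_interrupt_panic() and use the reboot countdown to distinguish the newer boot version, which reboots on its own, from the early firmware that needed a cold restart.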
SOLUTION
Workaround
==========
Firewall all inbound traffic to the EMR5000 other than IGMP (IGMPv2).
This is not a bulletproof workaround, as the bug may also be triggered
through IGMP.