one shot remote root for linux?
morrowc.lists at gmail.com
Tue Apr 28 20:33:06 CDT 2009
On Tue, Apr 28, 2009 at 6:31 PM, andrew.wallace
<andrew.wallace at rocketmail.com> wrote:
> Why are you aligning yourself with a computer hacker? I thought you
> were trying to stop these guys releasing exploits in your line of
it didn't look like he did (to me)
> On Tue, Apr 28, 2009 at 3:10 PM, Gadi Evron <ge at linuxbox.org> wrote:
>> This is one of them mysterious and rare cases where a non router OS
>> vulnerability may affect network operations.
hrm, in reality a bunch of non-router vulnerabilities affect (to some
extent anyway) network operations.
>> Sometimes news finds us in mysterious yet obvious ways.
>> HD Moore (respected security researcher) set a status which I noticed on my
>> @hdmoore reading through sctp_houdini.c - one-shot remote linux kernel
>> root - http://kernelbof.blogspot.com/
>> I asked him about it on IM, wondering if it is real:
>> "looks like that
>> but requires a sctp app to be running"
one good thing, practically no sctp deployment... and, hopefully for
networking equipment there's already local firewall/acl capability
That said there are a few 'network devices' which are linux based (not
just Vyatta! :) )
o Cisco Guards
o Arbor Peakflow (at least the X version)
o some-route-optimization systems
o dns/mail/ntp/blah widgets
It's nice to get some notice of this, it's also nice it got fixed in
later kernels (who knows what kernel Peakflow-X has deployed or what
custom mods happen to it?)
Quickly searching <favorite search engine> shows quite a few
SCTP/Linux problems reported over at least the last 2.5 years. The one
mentioned here seems to be: CVE-2009-0065 reported Jan 5th 2009, only
Red Hat reports back a fix so far (according to MITRE).
Putting on my Paul Quinn/Roland Dobbins/Darrel Lewis hat - another
good argument for infrastructure acls!! :)