[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] 0-day Denial of Service in IPsec-Tools

To: Javantea <jvoss@xxxxxxxxxx>, fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] 0-day Denial of Service in IPsec-Tools
From: christos@xxxxxxxxxx (Christos Zoulas)
Date: Tue, 19 May 2015 17:29:47 -0400

On May 19,  1:32pm, jvoss@xxxxxxxxxx (Javantea) wrote:
-- Subject: [FD] 0-day Denial of Service in IPsec-Tools

| Denial of Service in IPsec-Tools
| Vulnerability Report
| May 19, 2015
| 
| Product:  IPsec-Tools
| Version: 0.8.2
| Website:  http://ipsec-tools.sourceforge.net/
| CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
| 
| IPsec-Tools is vulnerable to a 0-day exploit that I made available yesterday. 
It is a null dereference crash in racoon in gssapi.c. It requires HAVE_GSSAPI 
to be set, which is a configuration option. The impact is a denial of service 
against the IKE daemon. Because IPsec is critical infrastructure and this 
attack requires two UDP packets, it deserves a medium rating. This denial of 
service violates the premise that IPsec's security is built upon. More 
information about the impact can be found on my website linked below.
| 
| If you're running IPsec-Tools, replace it sensibly as soon as possible. The 
reason this exploit is being released without patch on full disclosure is 
because the authors have apparently abandoned the software.
| 
| The vulnerability:
| 
| racoon/gssapi.c:205:static int gssapi_init(struct ph1handle *iph1)
| 
|       if (iph1->rmconf->proposal->gssid != NULL) {
| 
| The exploit is available on my website:
| https://www.altsci.com/ipsec/ipsec-tools-sa.html

The fix is trivial and does not seem to affect the preshared key
authentication method. Looks to me like a simple DoS attack that
does not have any additional impact.

christos

--- gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
+++ gssapi.c    19 May 2015 15:16:00 -0000      1.6
@@ -192,6 +192,11 @@
        gss_name_t princ, canon_princ;
        OM_uint32 maj_stat, min_stat;
 
+       if (iph1->rmconf == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+               return -1;
+       }
+
        gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
        if (gps == NULL) {
                plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] 0-day Denial of Service in IPsec-Tools
  - From: Javantea

Prev by Date: [FD] XML Injection, AoF and BF vulnerabilities in Hikvision DS-7108HWI-SH
Next by Date: Re: [FD] Xamarin for Android <5.1 DLL Hijack Vulnerability
Previous by thread: [FD] 0-day Denial of Service in IPsec-Tools
Next by thread: [FD] XML Injection, AoF and BF vulnerabilities in Hikvision DS-7108HWI-SH
Index(es):
- Date
- Thread