lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: ralf at (Ralf Spenneberg)
Subject: CAN-2004-0155:  The KAME IKE Daemon Racoon does not verify RSA
 Signatures during Phase 1, allows man-in-the-middle attacks and
 unauthorized connections

Security Advisory: The KAME IKE Daemon Racoon does not verify RSA
Signatures during Phase 1, allows man-in-the-middle attacks and
unauthorized connections
Author: Ralf Spenneberg <>
Revision: 1
Last Updated: April 07, 2004 18:00
The KAME IKE Daemon racoon authenticates the peer in Phase 1 using
either preshared keys, RSA signatures or GSS-API. When RSA signatures
are used, racoon validates the X.509 certificate send by the peer but
not the RSA signature.
If the peer sends a valid and trusted X.509 certificate during Phase 1
any private key can be used to generate the RSA signature. The
authentication will still
Very High: Since racoon is the an often used IKE daemon on the *BSD
platform and on the native Linux kernel 2.6 IPsec stack.
If the attacker has access to a valid and trusted X.509 certificate he
can establish an IPsec connection to racoon or can start a
man-in-the-middle attack.
No exploit code is needed. Racoon itself can be used to exploit this
security bug. The important configuration line:
   certificate_type x509 certificate badprivatekey;
If the certificate is valid and trusted by the attacked racoon the
attacker can
connect using any 'badprivatekey'
Linux: ipsec-tools <=0.2.4; <=0.3rc4
FreeBSD 4.9 using racoon-20030711
Not-tested but probable looking at the code:
All KAME/racoon version published before April 06 2004
I do not have access to the Apple/racoon version, but it is highly
probable that this version is vulnerable, too.
Technical description:
In function eay_rsa_verify() in file crypto_openssl.c:
       evp = d2i_PUBKEY(NULL, &bp, pubkey->l);
       if (evp == NULL)
             return 0;
In this context the function d2i_PUBKEY always returns NULL. The
function therefore exits with the returncode 0 (success). The actual
verification of the signature does not take place.
Upgrade is needed. No workaround is known!
The attached patch fixed the problem on Linux using the ipsec-tools
Updated packages are already available for some distributions:

KAME: Updates are available in their CVS
Gentoo: Has already published their Security Advisory
Michal Ludvig
Hans Hacker

Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34                             48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40
Markt+Technik Buch:                     Intrusion Detection f?r Linux Server
Addison-Wesley Buch: 			VPN mit Linux
IPsec/PPTP Kernels for Red Hat Linux:
Honeynet Project Mirror:      
Snort Mirror:                 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x509sig.diff.gz
Type: application/x-gzip
Size: 783 bytes
Desc: not available
Url :
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url :

Powered by blists - more mailing lists