Message-ID: <46695350.5050004@digit-labs.org>
Date: Fri, 08 Jun 2007 14:02:08 +0100
From: mu-b <mu-b@...it-labs.org>
To: full-disclosure@...ts.grok.org.uk
Subject: SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS

Attached is POC for a remote DoS in IPSecDrv.sys shipped with
SafeNET High Assurance Remote and SoftRemote. The version
tested is 10.4.0.12.

The bug itself is due to SafeNET making a complete hash of IPv6
support for IPSec. The result of the code is a complete DoS of
the machine in Kernel mode whilst the driver proceeds to enter
an infinite loop (apparently looking for a suitable IPSec extension
header, which it will never find). The dodgy code can be found
at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).

The attached code will only work over local subnets, however
this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a
half-baked, crufty, god-awful implementation....
--
mu-b
(mu-b@...it-labs.org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"
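
The post above describes a driver that loops forever while searching an IPv6 packet for an IPSec extension header. As an added example (not code from the post, the PoC, or IPSecDrv.sys, whose logic the post does not show), this is one way to write that search so it always terminates; the function name, the cap of 8 headers and the sample packet are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define MAX_EXT_HDRS 8            /* assumed policy cap, not from the advisory */
enum { NH_HOPOPT = 0, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_ESP = 50, NH_AH = 51, NH_DSTOPTS = 60 };

/* Walk the extension-header chain of a raw IPv6 packet.
 * Returns the offset of the first ESP/AH header (*proto set),
 * 0 if the chain ends without one, -1 if malformed or too long. */
int find_ipsec_header(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];          /* Next Header field of the fixed header */
    size_t off = IPV6_HDR_LEN;

    for (int seen = 0; seen < MAX_EXT_HDRS; seen++) {   /* hard iteration bound */
        size_t hlen;
        switch (nh) {
        case NH_ESP: case NH_AH:
            if (len - off < 8) return -1;
            *proto = nh;
            return (int)off;
        case NH_HOPOPT: case NH_ROUTING: case NH_DSTOPTS:
            if (len - off < 8) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;      /* RFC 8200: 8-octet units */
            break;
        case NH_FRAGMENT:
            if (len - off < 8) return -1;
            hlen = 8;                                   /* fixed size */
            break;
        default:
            return 0;             /* upper-layer or unknown header: stop walking */
        }
        if (hlen > len - off) return -1;                /* claimed length overruns packet */
        nh = pkt[off];            /* each extension header starts with Next Header */
        off += hlen;              /* always advances by >= 8 bytes */
    }
    return -1;                    /* chain longer than the cap: reject, don't keep looking */
}

int main(void)
{
    uint8_t pkt[60] = {0}, proto = 0;   /* constructed sample: HBH then AH */
    pkt[0] = 0x60; pkt[6] = NH_HOPOPT; pkt[40] = NH_AH;
    printf("offset=%d proto=%u\n", find_ipsec_header(pkt, sizeof pkt, &proto), proto);
    return 0;
}
```

Termination rests on three properties: every iteration either returns or moves the offset forward, the offset can never pass the received length, and the loop counter caps the work per packet regardless of content.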
