| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20150519212947.7BFDE17FDA8@rebar.astron.com>
Date: Tue, 19 May 2015 17:29:47 -0400
From: christos@...las.com (Christos Zoulas)
To: Javantea <jvoss@...sci.com>, fulldisclosure@...lists.org
Subject: Re: [FD] 0-day Denial of Service in IPsec-Tools
On May 19, 1:32pm, jvoss@...sci.com (Javantea) wrote:
-- Subject: [FD] 0-day Denial of Service in IPsec-Tools
| Denial of Service in IPsec-Tools
| Vulnerability Report
| May 19, 2015
|
| Product: IPsec-Tools
| Version: 0.8.2
| Website: http://ipsec-tools.sourceforge.net/
| CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
|
| IPsec-Tools is vulnerable to a 0-day exploit that I made available yesterday. It is a null dereference crash in racoon in gssapi.c. It requires HAVE_GSSAPI to be set, which is a configuration option. The impact is a denial of service against the IKE daemon. Because IPsec is critical infrastructure and this attack requires two UDP packets, it deserves a medium rating. This denial of service violates the premise that IPsec's security is built upon. More information about the impact can be found on my website linked below.
|
| If you're running IPsec-Tools, replace it sensibly as soon as possible. The reason this exploit is being released without patch on full disclosure is because the authors have apparently abandoned the software.
|
| The vulnerability:
|
| racoon/gssapi.c:205:static int gssapi_init(struct ph1handle *iph1)
|
| if (iph1->rmconf->proposal->gssid != NULL) {
|
| The exploit is available on my website:
| https://www.altsci.com/ipsec/ipsec-tools-sa.html
The fix is trivial and does not seem to affect the preshared key
authentication method. Looks to me like a simple DoS attack that
does not have any additional impact.
christos
--- gssapi.c 9 Sep 2006 16:22:09 -0000 1.4
+++ gssapi.c 19 May 2015 15:16:00 -0000 1.6
@@ -192,6 +192,11 @@
gss_name_t princ, canon_princ;
OM_uint32 maj_stat, min_stat;
+ if (iph1->rmconf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+ return -1;
+ }
+
gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists