Dailydave mailing list archives
[enumeration vulnerability] Mobile IP, dynamics mip implementation, and you
From: Aaron <apconole () yahoo com>
Date: Thu, 7 Dec 2006 13:31:22 -0800 (PST)
This is my first real security-related mailing, so I hope it's acceptable. A search on the web revealed that no one has yet pointed out this flaw, so I figure I will.

In the MIP RFC 2002 and 3220 specs, neither talks about authentication failures, or when it is acceptable NOT to include the authentication extension. In fact, these specs go as far as to include error cases when we have failed authentications, and mandate that an authentication extension be returned.

Since the signaling messages are sent in "clear text," meaning that any schmuck with ethereal or some other sniffing tool can read the packets and the information within, it's not unforeseeable that a potential evil user can send messages to the MIP foreign or home agent and listen for the registration reply with whatever error code. Based on that, he can use a brute force tool, or even some rainbow crack lookups, and potentially extract the user's secret key. In the event that such a thing happened, the evil user can hijack legitimate users' packet data sessions.

I'll be writing a case study using the Dynamics Mobile IP implementation, as well as releasing a patch to Dynamics so that it will simply drop any messages that could potentially be used for enumeration against Mobile IP agents.

Just figured I'd release this information out there.

-Aaron
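Added example, not part of the original post and not the Dynamics patch: a sketch of the "drop instead of reply" policy the message describes, where an agent returns key-derived output only to a sender whose request already authenticated. It assumes RFC 3220's default HMAC-MD5 authenticator and a request whose only extension is the Mobile-Home Authentication Extension directly after the fixed header; all function names, keys and addresses are hypothetical.

```python
import hashlib
import hmac
import struct

MHAE_TYPE = 32   # Mobile-Home Authentication Extension type (RFC 3220)
REQ_FIXED = 24   # fixed-length portion of a Registration Request
MAC_LEN = 16     # HMAC-MD5 output, the RFC 3220 default algorithm

def mhae(key, fixed, spi):
    """Append the extension; the MAC covers the message through the SPI."""
    head = struct.pack("!BBI", MHAE_TYPE, 4 + MAC_LEN, spi)
    return fixed + head + hmac.new(key, fixed + head, hashlib.md5).digest()

def build_request(key, home_addr, spi, ident):
    """Constructed sample request: lifetime 300, zeroed agent and care-of addresses."""
    fixed = struct.pack("!BBH4s4s4s8s", 1, 0, 300, home_addr, bytes(4), bytes(4), ident)
    return mhae(key, fixed, spi)

def drop(stats, reason):
    # Count drops so repeated failures are visible to monitoring, but send nothing.
    stats[reason] = stats.get(reason, 0) + 1
    return None

def handle_request(packet, keys, stats):
    """Return an authenticated reply, or None to drop without answering."""
    if len(packet) != REQ_FIXED + 6 + MAC_LEN or packet[0] != 1:
        return drop(stats, "malformed")
    ext_type, ext_len, spi = struct.unpack_from("!BBI", packet, REQ_FIXED)
    home_addr, ident = packet[4:8], packet[16:24]
    key = keys.get((home_addr, spi))
    if ext_type != MHAE_TYPE or ext_len != 4 + MAC_LEN or key is None:
        return drop(stats, "unknown")
    expected = hmac.new(key, packet[:-MAC_LEN], hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[-MAC_LEN:]):
        return drop(stats, "bad_mac")
    # Only a sender who already proved knowledge of the key gets key-derived output.
    reply = struct.pack("!BBH4s4s8s", 3, 0, 300, home_addr, packet[8:12], ident)
    return mhae(key, reply, spi)
```

The per-reason drop counters give monitoring a signal for repeated failed registrations without putting anything on the wire.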