Re: [enumeration vulnerability] Mobile IP, dynamics mip implementation, and you

[Aaron <apconole () yahoo com>]

> It's cool. Thanks for sharing. :)
>
> However, part of the community is also peer review. A friend just noted:
>
> "As for the specific issues raised below -- it's far too long since I've
> read those RFCs, so I can't comment in detail; I will note that both
> are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
> document, and any criticisms should be probably be based on it."

RFC 3344 also has the same issue. It specifies that the reg-reply should contain an authentication extension, and 
specifies a reply code for authentication failures by mobile node, and home agent.

The issue isn't just the RFC though, as I noted in my original post. It's also with specific implementations of the 
mobile IP standard. The implementation in question is the Dynamics implementation, however, I know of at least one 
other Mobile IP-like protocol (A11 interface in 1xEV-DO networks) which have this enumeration problem.

-Aaron


Gadi Evron <ge () linuxbox org> wrote: On Thu, 7 Dec 2006, Aaron wrote:
> This is my first real security related mailing, so I
> hope it's acceptable. A search on the web revealed
> that no one has yet pointed out this flaw, so I figure
> I will.

It's cool. Thanks for sharing. :)

However, part of the community is also peer review. A friend just noted:

"As for the specific issues raised below -- it's far too long since I've
read those RFCs, so I can't comment in detail; I will note that both
are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
document, and any criticisms should be probably be based on it."


> In the MIP rfc 2002 and 3220 specs, neither talk about
> authentication failures, or when it is acceptable NOT
> to include the authentication extension. In fact,
> these specs go as far as to include error cases when
> we have failed authentications, and mandate that an
> authentication extension be returned.
>
> Since the signaling messages are sent in "clear text,"
> meaning that any schmuck with ethereal or some other
> sniffing tool can read the packets, and the
> information within, it's not unforseeable that a
> potential evil user can send messages to the MIP
> foreign, or home agent and listen for the registration
> reply with whatever error code. Based on that, he can
> use a brute force tool, or even some rainbow crack
> lookups and potentially extract the users secret key.
> In the even that such a thing happened, the evil user
> can hijack legitimate users packet data sessions.
>
> I'll be writing a case study using the Dynamics Mobile
> IP implementation, as well as releasing a patch to
> dynamics so that it will simply drop any messages that
> could potentially be used for enumeration against
> Mobile IP agents.
>
> Just figured I'd release this information out there.
> -Aaron
>
>
>  
> ____________________________________________________________________________________
> Have a burning question?  
> Go to www.Answers.yahoo.com and get answers from real people who know.
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave



 
---------------------------------
Cheap Talk? Check out Yahoo! Messenger's low PC-to-Phone call rates.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave