Dailydave mailing list archives

Re: [enumeration vulnerability] Mobile IP, dynamics mip implementation, and you


From: Aaron <apconole () yahoo com>
Date: Thu, 7 Dec 2006 17:44:23 -0800 (PST)

Actually, after a further review of 3344, it seems as though section 3.2.7.1 does address this issue now.

"If no Mobile-Foreign Authentication Extension is found, or if more
than one Mobile-Foreign Authentication Extension is found, or if the
Authenticator is invalid, the foreign agent MUST silently discard the
Request and SHOULD log the event as a security exception"

Thank you for pointing this out.

Gadi Evron <ge () linuxbox org> wrote:
On Thu, 7 Dec 2006, Aaron wrote:
This is my first real security related mailing, so I
hope it's acceptable. A search on the web revealed
that no one has yet pointed out this flaw, so I figure
I will.

It's cool. Thanks for sharing. :)

However, part of the community is also peer review. A friend just noted:

"As for the specific issues raised below -- it's far too long since I've
read those RFCs, so I can't comment in detail; I will note that both
are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
document, and any criticisms should probably be based on it."



In the MIP RFC 2002 and 3220 specs, neither talks about
authentication failures, or when it is acceptable NOT
to include the authentication extension. In fact,
these specs go as far as to include error cases when
we have failed authentications, and mandate that an
authentication extension be returned.

Since the signaling messages are sent in "clear text,"
meaning that any schmuck with ethereal or some other
sniffing tool can read the packets, and the
information within, it's not unforeseeable that a
potential evil user can send messages to the MIP
foreign, or home agent and listen for the registration
reply with whatever error code. Based on that, he can
use a brute force tool, or even some rainbow crack
lookups and potentially extract the user's secret key.
In the event that such a thing happened, the evil user
can hijack legitimate users' packet data sessions.

I'll be writing a case study using the Dynamics Mobile
IP implementation, as well as releasing a patch to
dynamics so that it will simply drop any messages that
could potentially be used for enumeration against
Mobile IP agents.

Just figured I'd release this information out there.
-Aaron


 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
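
The foreign-agent rule quoted from RFC 3344 section 3.2.7.1 in the message above, as an added example that is not part of the thread and is neither the Dynamics code nor the patch the poster mentions. It assumes every extension uses the simple type-length-value layout and the RFC's default HMAC-MD5 authenticator; the `keys` table, the function names and the sample request are constructed for illustration.

```python
import hashlib, hmac, logging, struct

MF_AUTH = 33      # Mobile-Foreign Authentication Extension type (RFC 3344)
FIXED_LEN = 24    # fixed portion of a Registration Request
log = logging.getLogger("foreign_agent")

def _discard(reason):
    # Every failure ends here: one log entry, no Registration Reply, so the
    # sender cannot tell a missing extension from a wrong key.
    log.warning("security exception: %s", reason)
    return False

def accept_request(payload, keys):
    """True if the request may be processed, False if it must be dropped.
    keys maps SPI -> shared secret (hypothetical security association table)."""
    offset, auth = FIXED_LEN, []
    while offset < len(payload):                 # walk the TLV extensions
        if offset + 2 > len(payload):
            return _discard("truncated extension header")
        end = offset + 2 + payload[offset + 1]
        if end > len(payload):
            return _discard("extension overruns datagram")
        if payload[offset] == MF_AUTH:
            auth.append((offset, end))
        offset = end
    if len(auth) != 1:
        return _discard("%d Mobile-Foreign extensions" % len(auth))
    start, end = auth[0]
    if end - start < 6:
        return _discard("extension too short for an SPI")
    (spi,) = struct.unpack("!I", payload[start + 2:start + 6])
    key = keys.get(spi)
    if key is None:
        return _discard("unknown SPI")
    # Authenticator covers everything up to and including this extension's SPI.
    expected = hmac.new(key, payload[:start + 6], hashlib.md5).digest()
    if not hmac.compare_digest(expected, payload[start + 6:end]):
        return _discard("invalid Authenticator")
    return True

def add_auth(body, spi, key):
    """Append a Mobile-Foreign extension to a constructed request (sample data)."""
    head = body + struct.pack("!BBI", MF_AUTH, 4 + 16, spi)
    return head + hmac.new(key, head, hashlib.md5).digest()

if __name__ == "__main__":
    keys = {0x100: b"constructed-secret"}
    req = bytes([1]) + bytes(FIXED_LEN - 1)      # constructed fixed portion
    print(accept_request(add_auth(req, 0x100, keys[0x100]), keys))   # valid
    print(accept_request(req, keys))                                 # no extension
```

Because every rejection returns through `_discard`, the only difference between failure causes is in the agent's own log, which is where the RFC says the event should be recorded.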




 