Full Disclosure mailing list archives
Re: 0-day Denial of Service in IPsec-Tools
From: christos () zoulas com (Christos Zoulas)
Date: Tue, 19 May 2015 17:29:47 -0400
On May 19, 1:32pm, jvoss () altsci com (Javantea) wrote: -- Subject: [FD] 0-day Denial of Service in IPsec-Tools | Denial of Service in IPsec-Tools | Vulnerability Report | May 19, 2015 | | Product: IPsec-Tools | Version: 0.8.2 | Website: http://ipsec-tools.sourceforge.net/ | CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) | | IPsec-Tools is vulnerable to a 0-day exploit that I made available yesterday. It is a null dereference crash in racoon in gssapi.c. It requires HAVE_GSSAPI to be set, which is a configuration option. The impact is a denial of service against the IKE daemon. Because IPsec is critical infrastructure and this attack requires two UDP packets, it deserves a medium rating. This denial of service violates the premise that IPsec's security is built upon. More information about the impact can be found on my website linked below. | | If you're running IPsec-Tools, replace it sensibly as soon as possible. The reason this exploit is being released without patch on full disclosure is because the authors have apparently abandoned the software. | | The vulnerability: | | racoon/gssapi.c:205:static int gssapi_init(struct ph1handle *iph1) | | if (iph1->rmconf->proposal->gssid != NULL) { | | The exploit is available on my website: | https://www.altsci.com/ipsec/ipsec-tools-sa.html The fix is trivial and does not seem to affect the preshared key authentication method. Looks to me like a simple DoS attack that does not have any additional impact. christos --- gssapi.c 9 Sep 2006 16:22:09 -0000 1.4 +++ gssapi.c 19 May 2015 15:16:00 -0000 1.6 @@ -192,6 +192,11 @@ gss_name_t princ, canon_princ; OM_uint32 maj_stat, min_stat; + if (iph1->rmconf == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "no remote config\n"); + return -1; + } + gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); if (gps == NULL) { plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- 0-day Denial of Service in IPsec-Tools Javantea (May 19)
- Re: 0-day Denial of Service in IPsec-Tools Christos Zoulas (May 19)