Vulnerability Development mailing list archives

Cisco VPN Concentrator 3000 ISAKMP DoS details


From: FX <fx () phenoelit de>
Date: Thu, 19 Sep 2002 16:32:13 +0200

Hi list,

the subject says it all. I would like to share the details of the Cisco 
VPN Concentrator 3000 ISAKMP packet parsing vulnerability mentioned at 
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml 

The bug affects all software versions including 3.6.0, and I hope everyone
has got his Concentrator up to 3.6.1 by now. 

Details: The issue is in the parsing of the Identification field in the
initial ISAKMP packet. While all other TLV fields are parsed OK, the
Identification field will be accepted with the minimum length of 4 bytes (type
and length field). The port information and the actual identification
string come after that, but since the Concentrator obviously copies only
Length-4 bytes (== 0), it will work on uninitialized/unallocated memory.
There may also be some overflow involved.

If anyone wants to test it, an example DoS implementation can be found at
http://www.phenoelit.de/stuff/Phenoelit_ISAKMP.c

FX

PS: Special thanks for permission to publish the details.

-- 
         FX           <fx () phenoelit de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
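
An added example, not code from the post, from Phenoelit or from Cisco: a C model of the length check described above. The ISAKMP header and Identification payload layout follow RFC 2408 (28-byte header; 4-byte generic payload header, then ID type, protocol ID, port, and the identification data). The "lenient" parser is an assumption about the behaviour FX describes (any ID payload with a length of at least 4 is accepted and Length-4 bytes are copied), not recovered Concentrator code; the packets are constructed here. The strict parser is the check a receiver needs: the fixed ID fields must be present, and the payload must fit both the message and the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28   /* RFC 2408 fixed ISAKMP header */
#define GEN_HDR_LEN    4    /* next payload, reserved, length (2 bytes, network order) */
#define ID_FIXED_LEN   8    /* generic header + ID type, protocol ID, port */
#define ISAKMP_NP_ID   5    /* payload type: Identification */
#define MAX_ID_DATA    64   /* assumed size of the receiver's ID data buffer */

/* Receiver-side ID structure: raw holds ID type, protocol ID, port (2 bytes)
 * and the identification data exactly as copied from the payload body. */
struct id_info {
    uint8_t raw[4 + MAX_ID_DATA];
    size_t  raw_len;   /* bytes actually copied from the packet */
};

uint8_t  id_type(const struct id_info *id) { return id->raw[0]; }
uint16_t id_port(const struct id_info *id) { return (uint16_t)((id->raw[2] << 8) | id->raw[3]); }

static size_t payload_len(const uint8_t *p) { return (size_t)((p[2] << 8) | p[3]); }

/* Builds a constructed ISAKMP message whose first payload is an Identification
 * payload carrying body (ID type, protocol ID, port, data). Cookies, version
 * and exchange type are dummy values. Returns the message length, 0 on error. */
size_t build_isakmp_id(uint8_t *buf, size_t buf_len, const uint8_t *body, size_t body_len)
{
    size_t plen = GEN_HDR_LEN + body_len, total = ISAKMP_HDR_LEN + plen;
    if (total > buf_len || plen > 0xFFFF) return 0;
    memset(buf, 0, total);
    memset(buf, 0x11, 8);                  /* initiator cookie */
    buf[16] = ISAKMP_NP_ID;                /* next payload: Identification */
    buf[17] = 0x10;                        /* version 1.0 */
    buf[18] = 2;                           /* exchange type: identity protection */
    buf[24] = (uint8_t)(total >> 24); buf[25] = (uint8_t)(total >> 16);
    buf[26] = (uint8_t)(total >> 8);  buf[27] = (uint8_t)total;
    uint8_t *p = buf + ISAKMP_HDR_LEN;
    p[0] = 0;                              /* next payload: none */
    p[2] = (uint8_t)(plen >> 8); p[3] = (uint8_t)plen;
    if (body_len) memcpy(p + GEN_HDR_LEN, body, body_len);
    return total;
}

/* Model of the lenient check: only the generic header is required, so a
 * 4-byte ID payload passes and Length-4 == 0 bytes are copied. The caller
 * then reads ID type, protocol and port from whatever the structure held. */
int parse_id_lenient(const uint8_t *pkt, size_t pkt_len, struct id_info *out)
{
    if (pkt_len < ISAKMP_HDR_LEN + GEN_HDR_LEN) return -1;
    const uint8_t *p = pkt + ISAKMP_HDR_LEN;
    size_t len = payload_len(p);
    if (len < GEN_HDR_LEN || ISAKMP_HDR_LEN + len > pkt_len) return -1;
    size_t body = len - GEN_HDR_LEN;
    if (body > sizeof out->raw) return -1;
    memcpy(out->raw, p + GEN_HDR_LEN, body);   /* copies nothing when len == 4 */
    out->raw_len = body;
    return 0;                                   /* "success" with unset fields */
}

/* Strict check: header length must match the datagram, the payload must be an
 * ID payload with all fixed fields, and it must fit the message and buffer. */
int parse_id_strict(const uint8_t *pkt, size_t pkt_len, struct id_info *out)
{
    if (pkt_len < ISAKMP_HDR_LEN + ID_FIXED_LEN) return -1;
    uint32_t msg_len = ((uint32_t)pkt[24] << 24) | ((uint32_t)pkt[25] << 16) |
                       ((uint32_t)pkt[26] << 8) | pkt[27];
    if (msg_len != pkt_len || pkt[16] != ISAKMP_NP_ID) return -1;
    const uint8_t *p = pkt + ISAKMP_HDR_LEN;
    size_t len = payload_len(p);
    if (len < ID_FIXED_LEN || ISAKMP_HDR_LEN + len > pkt_len) return -1;
    size_t body = len - GEN_HDR_LEN;
    if (body > sizeof out->raw) return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->raw, p + GEN_HDR_LEN, body);
    out->raw_len = body;
    return 0;
}

int main(void)
{
    uint8_t pkt[128];
    struct id_info id;
    /* Constructed packet with a 4-byte ID payload (no ID type, protocol, port). */
    size_t n = build_isakmp_id(pkt, sizeof pkt, NULL, 0);
    memset(&id, 0xAA, sizeof id);               /* stand-in for stale memory */
    printf("lenient: rc=%d port=0x%04x copied=%zu\n",
           parse_id_lenient(pkt, n, &id), id_port(&id), id.raw_len);
    printf("strict:  rc=%d\n", parse_id_strict(pkt, n, &id));
    return 0;
}
```

With the truncated payload the lenient parser returns success and the "port" is whatever the structure held before the call; the strict parser rejects the payload before any field is read.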

