Vulnerability Development mailing list archives
Cisco VPN Concentrator 3000 ISAKMP DoS details
From: FX <fx () phenoelit de>
Date: Thu, 19 Sep 2002 16:32:13 +0200
Hi list,

the subject says it all. I would like to share the details of the Cisco VPN Concentrator 3000 ISAKMP packet parsing vulnerability mentioned at http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml

The bug affects all software versions including 3.6.0 and I hope everyone got his Concentrator up to 3.6.1 by now.

Details:

The issue is in the parsing of the Identification field in the initial ISAKMP packet. While all other TLV fields are parsed OK, the Identification field will be accepted with the minimum length of 4 bytes (type and length field). Since the port information and the actual identification string is after that, but the Concentrator obviously copies only Length-4 bytes (==0), it will work on uninitialized/not allocated memory. There may be also some overflow involved in it.

If anyone wants to test it, an example DoS implementation can be found at http://www.phenoelit.de/stuff/Phenoelit_ISAKMP.c

FX

PS: Special thanks for permission to publish the details.

--
FX <fx () phenoelit de>
Phenoelit (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
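The length check described in the post, as an added example (this is not FX's code, not the Phenoelit DoS tool, and not Cisco's implementation). It parses the ISAKMP Identification payload using the layout from RFC 2408 section 3.8: a 4-byte generic payload header (next payload, reserved, 16-bit length) followed by 4 fixed bytes (ID type, protocol ID, port) and the identification data. A permissive parser models the behaviour the post describes (accepting a length of 4 and copying Length-4 bytes); the strict parser enforces the 8-byte minimum and bounds the length against the buffer. The sample payloads are constructed; the ID type value 1 (ID_IPV4_ADDR) is from the IPsec DOI, and the address and port in them are made up.

```python
"""Added example: strict vs. permissive parsing of the ISAKMP
Identification payload (RFC 2408 section 3.8). Not code from the post."""
import struct

GENERIC_HEADER_LEN = 4  # next payload (1), reserved (1), payload length (2)
ID_FIXED_LEN = 4        # ID type (1), protocol ID (1), port (2)
MIN_ID_PAYLOAD_LEN = GENERIC_HEADER_LEN + ID_FIXED_LEN  # 8 bytes


class MalformedPayload(ValueError):
    """Raised by the strict parser when a payload fails validation."""


def parse_id_payload_permissive(buf: bytes) -> dict:
    """Models the behaviour the post describes: only the generic header is
    required, and Length-4 bytes are taken as the body. With Length == 4
    the body is empty and nothing verifies that the fixed ID fields exist.
    (A model of the described bug, not the Concentrator's actual code.)"""
    if len(buf) < GENERIC_HEADER_LEN:
        raise MalformedPayload("shorter than generic payload header")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    body = buf[4:length]  # no minimum-length check on the body
    return {"next_payload": next_payload, "length": length, "body": body}


def parse_id_payload_strict(buf: bytes) -> dict:
    """Hardened parser: minimum length covers the fixed fields, and the
    declared length may not exceed the bytes actually received."""
    if len(buf) < GENERIC_HEADER_LEN:
        raise MalformedPayload("shorter than generic payload header")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0:
        raise MalformedPayload("reserved byte must be zero")
    if length < MIN_ID_PAYLOAD_LEN:
        raise MalformedPayload(
            f"payload length {length} below minimum {MIN_ID_PAYLOAD_LEN}")
    if length > len(buf):
        raise MalformedPayload(
            f"payload length {length} exceeds {len(buf)} available bytes")
    id_type, proto_id, port = struct.unpack("!BBH", buf[4:8])
    return {
        "next_payload": next_payload,
        "length": length,
        "id_type": id_type,
        "protocol_id": proto_id,
        "port": port,
        "data": buf[8:length],
    }


def id_payload_is_wellformed(buf: bytes) -> bool:
    """Convenience wrapper: True when the strict parser accepts the payload."""
    try:
        parse_id_payload_strict(buf)
        return True
    except MalformedPayload:
        return False


# Constructed sample: ID_IPV4_ADDR (type 1), UDP (17), port 500, 192.0.2.10.
GOOD_ID_PAYLOAD = (struct.pack("!BBH", 0, 0, 12)
                   + struct.pack("!BBH", 1, 17, 500)
                   + bytes([192, 0, 2, 10]))

# Constructed sample of the case from the post: generic header only,
# declared length 4, no ID type, protocol, port or data.
TRUNCATED_ID_PAYLOAD = struct.pack("!BBH", 0, 0, 4)


if __name__ == "__main__":
    print("good, strict:", parse_id_payload_strict(GOOD_ID_PAYLOAD))
    print("truncated, permissive:",
          parse_id_payload_permissive(TRUNCATED_ID_PAYLOAD))
    print("truncated, strict accepted?",
          id_payload_is_wellformed(TRUNCATED_ID_PAYLOAD))
```

The permissive parser returns an empty body for the truncated payload rather than failing, which is the point at which code that then reads the fixed fields from the body runs off the end of what it was given; the strict parser rejects the same input before any field is touched.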