Attached is POC for a remote DoS in IPSecDrv.sys shipped with
SafeNET High Assurance Remote and SoftRemote. The version
tested is 10.4.0.12.
The bug itself is due to SafeNET making a complete hash of IPv6
support for IPSec. The result of the code is a complete DoS of
the machine in Kernel mode whilst the driver proceeds to enter
an infinite loop (apparently looking for a suitable IPSec extension
header, which it will never find). The dodgy code can be found
at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).
The attached code will only work over local subnets, however
this is trivially remote with IPv6.
PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c
hmmm, I wonder how SafeNET think they can charge for such a
half-baked, crufty, god-awful implementation....
--
mu-b
(mu-b at digit-labs.org)
"Only a few people will follow the proof. Whoever does will
spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"