SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS

2007.06.17
Credit: mu-b
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Attached is POC for a remote DoS in IPSecDrv.sys shipped with SafeNET High Assurance Remote and SoftRemote. The version tested is 10.4.0.12.

The bug itself is due to SafeNET making a complete hash of IPv6 support for IPSec. The result of the code is a complete DoS of the machine in Kernel mode whilst the driver proceeds to enter an infinite loop (apparently looking for a suitable IPSec extension header, which it will never find). The dodgy code can be found at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).

The attached code will only work over local subnets, however this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a half-baked, crufty, god-awful implementation....

--
mu-b (mu-b at digit-labs.org)

"Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP"
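A defensive counterpart to the loop described above, as an added example that is not part of the original post and not SafeNET's code: an IPv6 extension-header walk that looks for ESP/AH and always terminates, because each step advances at least 8 bytes inside the packet and the chain length is capped. The function name, the `MAX_EXT_HDRS` cap and the sample packets are assumptions constructed for illustration; the advisory does not show the driver's actual parsing logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define MAX_EXT_HDRS 8   /* assumed policy cap, not taken from the advisory */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_ESP = 50, NH_AH = 51, NH_NONE = 59, NH_DSTOPTS = 60 };

/* Constructed sample packets (addresses and payload left zeroed). */
static const uint8_t sample_ok[56]     = { [0] = 0x60, [6] = NH_HOPOPTS, [40] = NH_ESP };
static const uint8_t sample_badlen[56] = { [0] = 0x60, [6] = NH_HOPOPTS, [40] = NH_ESP, [41] = 0xff };
static const uint8_t sample_none[48]   = { [0] = 0x60, [6] = NH_DSTOPTS, [40] = NH_NONE };

/* Returns the byte offset of the first ESP/AH header in an IPv6 packet,
 * or -1 if there is none or the header chain is malformed. */
long find_ipsec_header(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;

    uint8_t next = pkt[6];       /* Next Header field of the fixed header */
    size_t off = IPV6_HDR_LEN;   /* invariant: off <= len */

    for (int n = 0; n < MAX_EXT_HDRS; n++) {
        if (next == NH_ESP || next == NH_AH) {
            if (len - off < 8) return -1;   /* too short to hold SPI + sequence */
            *proto = next;
            return (long)off;
        }
        if (next != NH_HOPOPTS && next != NH_ROUTING &&
            next != NH_FRAGMENT && next != NH_DSTOPTS)
            return -1;           /* upper-layer protocol or No Next Header: stop */
        if (len - off < 8)
            return -1;           /* truncated extension header */
        /* Fragment header is fixed at 8 bytes; others are (Hdr Ext Len + 1) * 8. */
        size_t hlen = (next == NH_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -1;           /* declared length runs past the packet */
        next = pkt[off];
        off += hlen;             /* always advances by at least 8 bytes */
    }
    return -1;                   /* chain longer than the cap */
}

int main(void) {
    uint8_t p = 0;
    printf("%ld\n", find_ipsec_header(sample_ok, sizeof sample_ok, &p));
    return 0;
}
```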


Copyright 2019, cxsecurity.com

 
