[talk] IPSec vulnerability?
Christos Zoulas
christos at zoulas.com
Tue May 19 11:13:12 EDT 2015
On May 19, 3:01pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
-- Subject: Re: [talk] IPSec vulnerability?
|
| On May 19, 2015 10:16:53 am EDT, "Christos Zoulas"=20
| <christos at zoulas.com> wrote:
|
| > On May 19, 9:52am, twunde at gmail.com (Thomas Wunderlich) wrote:
| > -- Subject: [talk] IPSec vulnerability?
| >
| > | Hey would someone with more familiarity with IPSec comment on
| > | https://www.altsci.com/ipsec/
| > | | I've been thinking about setting up IPSec recently, but this=20
| > casts serious
| > | doubts on that project.
| >
| > Hi,
| >
| > I just tried all the exploit scripts against one of my servers (NetBSD)
| > and all of them caused error messages but no core dumps. christos
|
| Your initiative here rocks, Christos.
And it doesn't :-( I kept trying and I was able to reproduce the
coredump using the provided server configuration file. I.e. some
configurations are vulnerable and others are not. I was not able
to make the server coredump using the other scripts. Here's the
patch I am planning to commit...
christos
Index: gssapi.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/gssapi.c,v
retrieving revision 1.4
diff -u -u -r1.4 gssapi.c
--- gssapi.c 9 Sep 2006 16:22:09 -0000 1.4
+++ gssapi.c 19 May 2015 15:11:21 -0000
@@ -202,6 +202,10 @@
gssapi_set_state(iph1, gps);
+ if (iph1->rmconf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+ return -1;
+ }
if (iph1->rmconf->proposal->gssid != NULL) {
id_token.length = iph1->rmconf->proposal->gssid->l;
id_token.value = iph1->rmconf->proposal->gssid->v;
More information about the talk
mailing list