[talk] IPSec vulnerability?

Christos Zoulas christos at zoulas.com
Tue May 19 11:13:12 EDT 2015


On May 19,  3:01pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
-- Subject: Re: [talk] IPSec vulnerability?

| 
| On May 19, 2015 10:16:53 am EDT, "Christos Zoulas"
| <christos at zoulas.com> wrote:
| 
| > On May 19,  9:52am, twunde at gmail.com (Thomas Wunderlich) wrote:
| > -- Subject: [talk] IPSec vulnerability?
| >
| > | Hey would someone with more familiarity with IPSec comment on
| > | https://www.altsci.com/ipsec/
| > | I've been thinking about setting up IPSec recently, but this
| > | casts serious doubts on that project.
| >
| > Hi,
| >
| > I just tried all the exploit scripts against one of my servers (NetBSD)
| > and all of them caused error messages but no core dumps. christos
| 
| Your initiative here rocks, Christos.

And it doesn't :-( I kept trying and I was able to reproduce the
coredump using the provided server configuration file. I.e. some
configurations are vulnerable and others are not. I was not able
to make the server coredump using the other scripts. Here's the
patch I am planning to commit...

christos

Index: gssapi.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/gssapi.c,v
retrieving revision 1.4
diff -u -u -r1.4 gssapi.c
--- gssapi.c	9 Sep 2006 16:22:09 -0000	1.4
+++ gssapi.c	19 May 2015 15:11:21 -0000
@@ -202,6 +202,10 @@
 
 	gssapi_set_state(iph1, gps);
 
+	if (iph1->rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+		return -1;
+	}
 	if (iph1->rmconf->proposal->gssid != NULL) {
 		id_token.length = iph1->rmconf->proposal->gssid->l;
 		id_token.value = iph1->rmconf->proposal->gssid->v;
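Review bot: the new NULL check sits after `gssapi_set_state(iph1, gps);`, so on the `return -1` path the phase-1 handle has already been given the freshly set GSS-API state and nothing in the hunk undoes that. Consider moving the `if (iph1->rmconf == NULL)` test ahead of the `gssapi_set_state()` call (or releasing the state on the error path) so a rejected exchange does not leave partially initialized state behind. Separately, the guarded line dereferences `iph1->rmconf->proposal->gssid`; if `proposal` can be unset for a remote config in the same way `rmconf` itself can be, the check should also cover `iph1->rmconf->proposal == NULL`, otherwise the crash only moves one pointer down the chain.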

