[Snort-users] Re: OpenBSD IPsec DoS signature

Max Vision vision at ...4...
Fri Oct 6 22:24:05 EDT 2000


Hi,

This vulnerability is at the IP layer: just a floating IP header with a
zero-length payload where the protocol type is set to 50 or 51 (esp or ah).
This vulnerability is at the IP layer, so there aren't really "ports"
involved.

Here are a couple of the infamous packets as they show up in snort:

10/06-18:40:12.230966 23.23.23.23:0 -> 23.23.23.23:0
IPV6-CRYPT TTL:23 TOS:0x10 ID:23 

10/06-18:40:12.231070 23.23.23.23:0 -> 23.23.23.23:0
IPV6-AUTH TTL:23 TOS:0x10 ID:23 

or according to `tcpdump -n -vv`:

18:41:49.627493 23.23.23.23 > 23.23.23.23: [|ESP] [tos 0x10]  (ttl 23, id 23)
18:41:49.628122 23.23.23.23 > 23.23.23.23: [|AH] ip-proto-0 -65535 [tos 0x10]  (ttl 23, id 23)

These are from my own code which sends similar packets as nmap -sO...

If Snort took numeric arguments as alternates to the "TCP/UDP/ICMP" field,
we could have something like:

alert 50 $EXTERNAL any -> $INTERNAL any (msg: "protocol-50_ESP_empty_payload"; dsize: 0;)
alert 51 $EXTERNAL any -> $INTERNAL any (msg: "protocol-51_AH_empty_payload"; dsize: 0;)

By the way, has anyone released demonstration exploit code for openbsd
photurisd or talkd? (claimed vulnerable at securityfocus)  If so, I would
certainly love to see them. :)

Max

On Fri, 6 Oct 2000, Theo de Raadt wrote:
> >A while back I tested out an OpenBSD IPsec DoS for Matt Franz
> >and he did a bugtraq advisory for it a week back or so. Testing it
> >was kinda unpleasant... soo...
> >
> >It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I 
> 
> I did not write the fix.  angelos at ...590... did.
> 
> >think that it exists in the stock 2.7 systems with IPsec enabled so we should
> >have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
> >was raised by K2 in bugtraq....  But Theo's somewhat irritated "elite" post had me LOL)
> >
> >I wanted to write a sig for it, but testing out which port causes the crash is
> >err... painful.  The culprit is an IP packet with an empty payload, has anyone
> >nailed down the port to narrower (pref single) value/range? My first guess
> >is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep 
> >running and count on and I'm not up to more syscrashes just yet...
> 
> It is very unlikely to be isakmpd's port.
> 
> >Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
> >surfing on open wavelan ports he finds, he could enlighten us a little about his
> >fix... :-) Or if someone else knows or can test with nmap -sO the culprit
> >port....
> 
> I am still doing that, but unfortunately I am running out of battery
> since I didn't buy a power adapter yet.  There's very little wavelan
> in this part of downtown, but for some reason I get it loud and clear
> if I place my laptop at just a certain angle on the hotel room
> bed... can't ask for better, I suppose.
> 
> 
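A packet-level check for the shape Max describes (IPv4 protocol 50 or 51 with nothing after the IP header, i.e. the `dsize: 0` condition in his proposed rules), added here as an example for this archive page; it is not code from the thread or from Snort. The sample packets are constructed from the ttl/tos/id/address values shown in the snort output, and the function names are my own.

```python
import socket
import struct
from typing import List, Optional

IPPROTO_ESP = 50
IPPROTO_AH = 51

def build_ipv4(proto: int, payload: bytes, ttl: int = 23, tos: int = 0x10,
               ident: int = 23, addr: str = "23.23.23.23") -> bytes:
    """Construct a 20-byte IPv4 header (no options, checksum left 0) plus payload.
    Constructed test data modelled on the ttl/tos/id/address values in the thread."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(addr), socket.inet_aton(addr))
    return hdr + payload

def empty_ipsec_payload(pkt: bytes) -> Optional[str]:
    """Return an alert name when pkt is an IPv4 datagram whose protocol is ESP or AH
    and which carries zero bytes after the IP header; otherwise None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None                      # bad IHL or truncated options
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto not in (IPPROTO_ESP, IPPROTO_AH):
        return None
    # payload = bytes between end of header and min(advertised length, captured length)
    payload_len = min(total_len, len(pkt)) - ihl
    if payload_len > 0:
        return None
    name = "ESP" if proto == IPPROTO_ESP else "AH"
    return f"protocol-{proto}_{name}_empty_payload"

def scan(packets: List[bytes]) -> List[str]:
    """Run the check over a capture and collect the alert names in order."""
    return [a for a in map(empty_ipsec_payload, packets) if a is not None]

# Constructed sample capture: the two empty-payload packets from the thread,
# an ESP packet that does carry data, and an empty-payload TCP packet.
SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_ESP, b""),
    build_ipv4(IPPROTO_AH, b""),
    build_ipv4(IPPROTO_ESP, bytes(16)),
    build_ipv4(6, b""),
]
```

Running `scan(SAMPLE_PACKETS)` yields exactly the two ESP and AH empty-payload alerts; the data-carrying ESP packet and the TCP packet are ignored.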