
List:       bugtraq
Subject:    CAN-2004-0155:  The KAME IKE Daemon Racoon does not verify RSA
From:       Ralf Spenneberg <ralf () spenneberg ! net>
Date:       2004-04-07 16:54:30
Message-ID: 1081356867.1743.15.camel () kermit

Security Advisory: The KAME IKE Daemon Racoon does not verify RSA
Signatures during Phase 1, allows man-in-the-middle attacks and
unauthorized connections
                                                                                
Author: Ralf Spenneberg <ralf@spenneberg.net>
                                                                                
Revision: 1
                                                                                
Last Updated: April 07, 2004 18:00
                                                                                
CAN-2004-0155
                                                                                
Summary:
The KAME IKE daemon racoon authenticates the peer in Phase 1 using
either preshared keys, RSA signatures or GSS-API. When RSA signatures
are used, racoon validates the X.509 certificate sent by the peer but
not the RSA signature.
If the peer sends a valid and trusted X.509 certificate during Phase 1,
any private key can be used to generate the RSA signature. The
authentication will still succeed.
                                                                                
Impact:
Very High: racoon is an often-used IKE daemon on the *BSD
platform and on the native Linux kernel 2.6 IPsec stack.
If the attacker has access to a valid and trusted X.509 certificate, he
can establish an IPsec connection to racoon or can start a
man-in-the-middle attack.
                                                                                
Exploit:
No exploit code is needed. Racoon itself can be used to exploit this
security bug. The important configuration line:
   certificate_type x509 certificate badprivatekey;
If the certificate is valid and trusted by the attacked racoon, the
attacker can connect using any 'badprivatekey'.
                                                                                
Vulnerable:
Tested:
Linux: ipsec-tools <=0.2.4; <=0.3rc4
FreeBSD 4.9 using racoon-20030711
Not tested, but probable from looking at the code:
All KAME/racoon versions published before April 06 2004
I do not have access to the Apple/racoon version, but it is highly
probable that this version is vulnerable, too.
                                                                                        
Technical description:
In function eay_rsa_verify() in file crypto_openssl.c:
       [...]
       evp = d2i_PUBKEY(NULL, &bp, pubkey->l);
       if (evp == NULL)
             return 0;
       [...]
In this context the function d2i_PUBKEY always returns NULL. The
function therefore exits with the return code 0 (success). The actual
verification of the signature does not take place.
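
The fail-open pattern described above, as an added example that is not part of the original advisory and is not racoon or OpenSSL code. The decoder, the keyed checksum standing in for RSA, and all function and key names are toy assumptions; only the convention "0 means verified" is taken from the text.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy stand-ins (assumptions): not racoon or OpenSSL code, not real crypto. */
typedef struct { uint8_t secret; } toy_key;

/* Accepts only the encoding tagged 0x30, else NULL (like a parser given an unexpected format). */
static toy_key *toy_decode_key(const uint8_t *buf, size_t len, toy_key *out)
{
    if (len != 2 || buf[0] != 0x30)
        return NULL;
    out->secret = buf[1];
    return out;
}

/* Toy keyed checksum standing in for the signature computation. */
static uint8_t toy_sign(const char *msg, uint8_t secret)
{
    uint8_t s = secret;
    for (; *msg; msg++) s ^= (uint8_t)*msg;
    return s;
}

/* Convention from the advisory: 0 = signature verified, nonzero = failure. */
int verify_fail_open(const char *msg, uint8_t sig, const uint8_t *key, size_t klen)
{
    toy_key k;
    if (toy_decode_key(key, klen, &k) == NULL)
        return 0;   /* defect: the error path returns the success code */
    return toy_sign(msg, k.secret) == sig ? 0 : -1;
}

int verify_fail_closed(const char *msg, uint8_t sig, const uint8_t *key, size_t klen)
{
    toy_key k;
    if (toy_decode_key(key, klen, &k) == NULL)
        return -1;  /* an undecodable key can never verify anything */
    return toy_sign(msg, k.secret) == sig ? 0 : -1;
}

/* Constructed sample keys: same key byte, second one in the unexpected encoding. */
static const uint8_t good_key[] = { 0x30, 0x5a };
static const uint8_t odd_key[]  = { 0x31, 0x5a };

int main(void)
{
    uint8_t bad = (uint8_t)(toy_sign("phase1-hash", 0x5a) ^ 0xff);
    return verify_fail_closed("phase1-hash", bad, odd_key, sizeof odd_key) == -1
        && verify_fail_closed("phase1-hash", bad, good_key, sizeof good_key) == -1 ? 0 : 1;
}
```

A regression test that feeds the verifier a deliberately wrong signature is what exposes this class of defect; tests that only use valid signatures pass on both versions.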
                                                                                
Solution:
Upgrade is needed. No workaround is known!
The attached patch fixed the problem on Linux using the ipsec-tools
package.
Updated packages are already available for some distributions:

ipsec-tools: http://ipsec-tools.sf.net
KAME: Updates are available in their CVS
Gentoo: Has already published their Security Advisory
                                                                        
Credits:
Michal Ludvig
Hans Hacker

-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34                             48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40
 
Markt+Technik Buch:                     Intrusion Detection für Linux Server
Addison-Wesley Buch: 			VPN mit Linux
IPsec-Howto:                                http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux:   http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

["x509sig.diff.gz" (x509sig.diff.gz)]



["signature.asc" (application/pgp-signature)]
