Home page logo
/

bugtraq logo Bugtraq mailing list archives

Nmap Protocol Scanning DoS against OpenBSD IPSEC
From: Matthew Franz <mfranz () CISCO COM>
Date: Mon, 25 Sep 2000 21:13:00 +0000

The protocol scanning option (-sO) in 2.54 Beta releases of nmap results
in a remote denial of service against OpenBSD 2.7's IPSEC implementation
due to its inability to handle tiny AH/ESP packets.

Nmap protocol scans repeatedly cycle through IP protocol version numbers,
attempting to elicit ICMP Protocol Unreachable messages in order to
discover which IP protocols (ICMP,TCP,UDP,GRE,AH,ESP, etc.) are active on
the target device.

The empty AH/ESP packets send OpenBSD 2.7 into debug mode with the
following results (more or less):

panic: m_copydata: null mbuf

Stopped at _Debugger+0x4:   leave

 _panic(....
 _m_copydata(...
 _ipsec_common_input(...
 _esp4_input(....
 _ipv4_input(....
 _ipintr(...

Bad frame pointer: 0xe3b55e98

This vulnerability was reported to OpenBSD developers on 17 September and
an advisory (and patch) was released the following day.

See ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/024_ipsec.patch
for details.

OpenBSD 2.7 was the only *NIX IPSEC implementation found to be susceptible
to this type of scan. I tested Linux FreeS/WAN myself, and KAME developers
reported that FreeBSD (and I assume NetBSD) was *not* vulnerable.  AIX and
Solaris 8 IPSEC implementations were not tested.

-mdf

-------------------------------------
Matthew Franz        mfranz () cisco com
Security Technologies Assessment Team


  By Date           By Thread  

Current thread:
  • Nmap Protocol Scanning DoS against OpenBSD IPSEC Matthew Franz (Sep 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault