Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS
From: mu-b <mu-b () digit-labs org>
Date: Fri, 08 Jun 2007 14:02:08 +0100

Attached is POC for a remote DoS in IPSecDrv.sys shipped with
SafeNET High Assurance Remote and SoftRemote. The version
tested is 10.4.0.12.

The bug itself is due to SafeNET making a complete hash of IPv6
support for IPSec. The result of the code is a complete DoS of
the machine in Kernel mode whilst the driver proceeds to enter
an infinite loop (apparently looking for a suitable IPSec extension
header, which it will never find). The dodgy code can be found
at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12).

The attached code will only work over local subnets, however
this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a
half-baked, crufty, god-awful implementation....
--
mu-b
(mu-b () digit-labs org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS mu-b (Jun 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]