
Full Disclosure mailing list archives

SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS
From: mu-b <mu-b () digit-labs org>
Date: Fri, 08 Jun 2007 14:02:08 +0100

Attached is POC for a remote DoS in IPSecDrv.sys shipped with
SafeNET High Assurance Remote and SoftRemote. The version
tested is

The bug itself is due to SafeNET making a complete hash of IPv6
support for IPSec. The result of the code is a complete DoS of
the machine in Kernel mode whilst the driver proceeds to enter
an infinite loop (apparently looking for a suitable IPSec extension
header, which it will never find). The dodgy code can be found
at offset 0x1000BEB0 of IPSecDrv.sys (

The attached code will only work over local subnets, however
this is trivially remote with IPv6.

PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c

hmmm, I wonder how SafeNET think they can charge for such a
half-baked, crufty, god-awful implementation....
(mu-b () digit-labs org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
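
The message describes a search for an IPSec extension header that never terminates when none is found. The following added example, which is not code from the post or from IPSecDrv.sys, sketches an IPv6 extension-header walk that always terminates; the function name, the `MAX_EXT_HDRS` cap and the return convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* IPv6 Next Header values (IANA protocol numbers). */
enum { NH_HOPOPT = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_ESP = 50,
       NH_AH = 51, NH_DSTOPTS = 60 };

#define IPV6_HDR_LEN 40
#define MAX_EXT_HDRS 8   /* assumed policy cap, not taken from the driver */

/* Returns NH_ESP or NH_AH and sets *off to that header's offset,
 * 0 if the chain ends without an IPsec header, -1 if malformed. */
int find_ipsec_header(const uint8_t *pkt, size_t len, size_t *off)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];            /* Next Header field of the fixed header */
    size_t pos = IPV6_HDR_LEN;

    for (int i = 0; i < MAX_EXT_HDRS; i++) {
        size_t hlen;
        switch (nh) {
        case NH_ESP:
        case NH_AH:
            if (len - pos < 8) return -1;   /* too short to hold the header start */
            *off = pos;
            return nh;
        case NH_HOPOPT:
        case NH_ROUTING:
        case NH_DSTOPTS:
            if (len - pos < 2) return -1;
            /* Hdr Ext Len is in 8-octet units, not counting the first 8 octets. */
            hlen = ((size_t)pkt[pos + 1] + 1) * 8;
            break;
        case NH_FRAGMENT:
            hlen = 8;                       /* fixed-size header */
            break;
        default:
            return 0;   /* upper-layer protocol or No Next Header: stop searching */
        }
        if (hlen > len - pos) return -1;    /* header would run past the buffer */
        nh = pkt[pos];                      /* first octet is the next header type */
        pos += hlen;                        /* hlen >= 8, so pos always advances */
    }
    return -1;  /* more extension headers than the cap allows */
}
```

Every exit path is bounded by the packet length or by the header cap, so a packet with no IPsec header yields a "not found" or "malformed" result instead of an unbounded search.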
