Vulnerability Development mailing list archives

Cisco VPN Concentrator 3000 ISAKMP DoS details
From: FX <fx () phenoelit de>
Date: Thu, 19 Sep 2002 16:32:13 +0200

Hi list,

the subject says it all. I would like to share the details of the Cisco 
VPN Concentrator 3000 ISAKMP packet parsing vulnerability mentioned at 
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml 

The bug affects all software versions including 3.6.0 and I hope everyone
got his Concentrator up to 3.6.1 by now. 

Details: The issue is in the parsing of the Identification field in the
initial ISAKMP packet. While all other TLV fields are parsed OK, the
Identification field will be accepted with the minimum length of 4 bytes (type
and length field). Since the port information and the actual identification
string is after that, but the Concentrator obviously copies only Length-4
bytes (==0), it will work on uninitialized/not allocated memory. There may
also be some overflow involved in it.

If anyone wants to test it, an example DoS implementation can be found at
http://www.phenoelit.de/stuff/Phenoelit_ISAKMP.c

FX

PS: Special thanks for permission to publish the details.

-- 
         FX           <fx () phenoelit de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564


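The parsing flaw FX describes, as an added illustration that is not part of the original post, not the Phenoelit tool linked above, and not Cisco's code: an ISAKMP Identification payload parser that only enforces the 4-byte generic-header minimum and then copies Length-4 bytes into a scratch buffer before reading the ID type, port and identification data out of that buffer at fixed offsets, beside a hardened version that enforces the payload's own minimum length and never trusts Length beyond what the datagram holds. The payload layout is taken from RFC 2408 (generic header, then ID type, protocol ID, port, identification data); the scratch-buffer size, the 0xAA fill that stands in for stale stack contents, and the test vectors are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example (not the original poster's or Cisco's code). Assumes the
 * RFC 2408 Identification payload layout:
 *
 *   byte 0    next payload        byte 4     ID type
 *   byte 1    reserved            byte 5     protocol ID
 *   bytes 2-3 payload length      bytes 6-7  port
 *                                 bytes 8..  identification data
 *
 * so the shortest well-formed Identification payload is 8 bytes, not 4.
 */
#define ISAKMP_GENERIC_HDR_LEN 4
#define ISAKMP_ID_FIXED_LEN    8
#define ID_BODY_MAX            64   /* hypothetical scratch buffer size */

struct isakmp_id {
    uint8_t  id_type;
    uint8_t  proto_id;
    uint16_t port;
    uint8_t  data[ID_BODY_MAX];
    size_t   data_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Vulnerable pattern: only the generic 4-byte minimum is checked, Length-4
 * bytes are copied into a scratch buffer, and type/port/data are then read
 * from that buffer at fixed offsets. With Length == 4 nothing is copied, so
 * the "parsed" fields are whatever the buffer held before the call.
 * Only the under-length case is modelled; the copy itself is bounded here.
 * Returns 0 on accept, -1 on reject.
 */
int parse_id_vulnerable(const uint8_t *pkt, size_t pktlen, struct isakmp_id *out)
{
    uint8_t body[ID_BODY_MAX];
    /* Stand-in for stale stack contents, so the effect is reproducible;
       a real implementation would simply leave body uninitialised. */
    memset(body, 0xAA, sizeof body);

    if (pktlen < ISAKMP_GENERIC_HDR_LEN) return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < ISAKMP_GENERIC_HDR_LEN) return -1;      /* the only length check */
    size_t copy = plen - ISAKMP_GENERIC_HDR_LEN;       /* == 0 when plen == 4 */
    if (copy > sizeof body || copy > pktlen - ISAKMP_GENERIC_HDR_LEN) return -1;
    memcpy(body, pkt + ISAKMP_GENERIC_HDR_LEN, copy);

    out->id_type  = body[0];                 /* never written when copy == 0 */
    out->proto_id = body[1];
    out->port     = be16(body + 2);
    out->data_len = copy >= 4 ? copy - 4 : 0;
    memcpy(out->data, body + 4, out->data_len);
    return 0;
}

/*
 * Hardened pattern: enforce the Identification payload's own minimum (8)
 * and require Length to fit inside the bytes actually received.
 */
int parse_id_hardened(const uint8_t *pkt, size_t pktlen, struct isakmp_id *out)
{
    if (pktlen < ISAKMP_ID_FIXED_LEN) return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < ISAKMP_ID_FIXED_LEN) return -1;         /* rejects Length == 4 */
    if (plen > pktlen) return -1;                      /* truncated datagram */
    size_t dlen = plen - ISAKMP_ID_FIXED_LEN;
    if (dlen > sizeof out->data) return -1;

    out->id_type  = pkt[4];
    out->proto_id = pkt[5];
    out->port     = be16(pkt + 6);
    out->data_len = dlen;
    memcpy(out->data, pkt + ISAKMP_ID_FIXED_LEN, dlen);
    return 0;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t ID_OK[] = {
    0x00, 0x00, 0x00, 0x0c,   /* next=0, reserved, length=12 */
    0x01, 0x11, 0x01, 0xf4,   /* ID_IPV4_ADDR, UDP, port 500 */
    0xc0, 0x00, 0x02, 0x01    /* 192.0.2.1 */
};
static const uint8_t ID_SHORT[] = { 0x00, 0x00, 0x00, 0x04 };   /* length = 4 */
static const uint8_t ID_TRUNC[] = {                             /* claims 20, has 12 */
    0x00, 0x00, 0x00, 0x14, 0x01, 0x11, 0x01, 0xf4, 0xc0, 0x00, 0x02, 0x01
};

int main(void)
{
    struct isakmp_id id;
    int rv = parse_id_hardened(ID_OK, sizeof ID_OK, &id);
    printf("well-formed : hard=%d port=%u data_len=%zu\n", rv, id.port, id.data_len);
    rv = parse_id_vulnerable(ID_SHORT, sizeof ID_SHORT, &id);
    printf("length==4   : vuln=%d port read as 0x%04x from unfilled buffer\n", rv, id.port);
    rv = parse_id_hardened(ID_SHORT, sizeof ID_SHORT, &id);
    printf("length==4   : hard=%d\n", rv);
    rv = parse_id_hardened(ID_TRUNC, sizeof ID_TRUNC, &id);
    printf("truncated   : hard=%d\n", rv);
    return 0;
}
```

The point to take from the two parsers is that a per-payload-type minimum length is a separate check from the generic header minimum: the generic header only tells you a Length field exists, and every fixed field the payload type defines after it has to be covered by both Length and the bytes actually on the wire before anything is read from it.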