
[Users] CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections (fwd)

From: Paul Wouters <paul(at)xelerance.com>
Date: Wed Apr 07 2004 - 19:01:50 EDT

FYI, Paul

---------- Forwarded message ----------
Date: 07 Apr 2004 18:54:30 +0200
From: Ralf Spenneberg <ralf@spenneberg.net>
Cc: Michal Ludvig <michal@logix.cz>
To: Bugtraq <bugtraq@securityfocus.com>, Full-Disclosure <full-disclosure@lists.netsys.com>, Vendor-Sec <vendor-sec@lst.de>
Subject: CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections

Security Advisory: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections                                                                                 

Author: Ralf Spenneberg <ralf@spenneberg.net>                                                                                 

Revision: 1                                                                                 

Last Updated: April 07, 2004 18:00                                                                                 

CAN-2004-0155

Summary:
The KAME IKE Daemon racoon authenticates the peer in Phase 1 using either preshared keys, RSA signatures or GSS-API. When RSA signatures are used, racoon validates the X.509 certificate sent by the peer but not the RSA signature.
If the peer sends a valid and trusted X.509 certificate during Phase 1 any private key can be used to generate the RSA signature. The authentication will still succeed.


Impact:
Very High, since racoon is an often used IKE daemon on the *BSD platform and on the native Linux kernel 2.6 IPsec stack. If the attacker has access to a valid and trusted X.509 certificate he can establish an IPsec connection to racoon or can start a man-in-the-middle attack.

Exploit:
No exploit code is needed. Racoon itself can be used to exploit this security bug. The important configuration line:

   certificate_type x509 certificate badprivatekey;

If the certificate is valid and trusted by the attacked racoon the attacker can connect using any 'badprivatekey'

Vulnerable:
Tested:
Linux: ipsec-tools <=0.2.4; <=0.3rc4
FreeBSD 4.9 using racoon-20030711
Not tested but probable looking at the code: All KAME/racoon versions published before April 06 2004
I do not have access to the Apple/racoon version, but it is highly probable that this version is vulnerable, too.

Technical description:
In function eay_rsa_verify() in file crypto_openssl.c:

       [...]
       evp = d2i_PUBKEY(NULL, &bp, pubkey->l);
       if (evp == NULL)
             return 0;
       [...]

In this context the function d2i_PUBKEY always returns NULL. The function therefore exits with the return code 0 (success). The actual verification of the signature does not take place.

Solution:
Upgrade is needed. No workaround is known! The attached patch fixed the problem on Linux using the ipsec-tools package.
Updated packages are already available for some distributions:

ipsec-tools: http://ipsec-tools.sf.net
KAME: Updates are available in their CVS
Gentoo: Has already published their Security Advisory

Credits:
Michal Ludvig
Hans Hacker

-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34                             48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40
 
Markt+Technik book:                     Intrusion Detection für Linux Server
Addison-Wesley book:                    VPN mit Linux
IPsec-Howto:                            http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux:   http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

[Attachment: x509sig.diff.gz (APPLICATION/X-GZIP)]

Received on Wed Apr 7 19:02:46 2004
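
The fail-open return path from the advisory's technical description, as an added example that is not part of the original message or of racoon's source. `decode_pubkey()` and `toy_sig()` are hypothetical stand-ins for `d2i_PUBKEY()` and the RSA check, and the key bytes are constructed sample input.

```c
/* Added illustration, not racoon source. decode_pubkey() and toy_sig() are
 * hypothetical stand-ins for d2i_PUBKEY() and the RSA signature check. */
#include <stddef.h>
#include <stdio.h>
typedef unsigned char u8;
struct pubkey { u8 k; };

/* Accepts only {0x30, key}; else NULL, as d2i_PUBKEY() does on a parse error. */
static struct pubkey *decode_pubkey(const u8 *p, size_t len, struct pubkey *out)
{
    if (p == NULL || len != 2 || p[0] != 0x30)
        return NULL;
    out->k = p[1];
    return out;
}

/* Toy keyed checksum standing in for a signature; this is NOT cryptography. */
static u8 toy_sig(u8 key, const char *msg)
{
    u8 s = key;
    while (*msg)
        s = (u8)(s * 31u + (u8)*msg++);
    return s;
}

/* Return convention as in the advisory: 0 = verified, non-zero = rejected. */
static int verify_fail_open(const u8 *pk, size_t len, const char *msg, u8 sig)
{
    struct pubkey key;
    if (decode_pubkey(pk, len, &key) == NULL)
        return 0;   /* bug: the error path returns the success code */
    return toy_sig(key.k, msg) == sig ? 0 : -1;
}

static int verify_fail_closed(const u8 *pk, size_t len, const char *msg, u8 sig)
{
    struct pubkey key;
    if (decode_pubkey(pk, len, &key) == NULL)
        return -1;  /* key could not be decoded: reject, never accept */
    return toy_sig(key.k, msg) == sig ? 0 : -1;
}

int main(void)
{
    const u8 raw[] = { 0x07 };  /* constructed: key in the wrong encoding */
    printf("fail-open=%d fail-closed=%d\n", verify_fail_open(raw, 1, "m", 0),
           verify_fail_closed(raw, 1, "m", 0));
    return 0;
}
```

A regression test for this class of bug feeds the verifier a signature made with the wrong key and expects a rejection, which the fail-open variant cannot deliver whenever decoding fails.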

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:32 EDT

