[Openswan dev] [1.0.9][PATCH] IKE info leakage

Vinay K Nallamothu vinay.nallamothu at gsecone.com
Thu Jul 14 13:48:24 CEST 2005


Hi,

Pluto responds to malformed payloads without verifying whether the
initiator matches any of the security policies. This may be used for
probing the IKE/IPsec implementation. The patch below fixes this.

Arun Kumar at GSEC1 discovered the problem.

The patch also rate limits PAYLOAD_MALFORMED notifications (adopted from
openswan-2.X). 

 ipsec_doi.c |   31 ++++++++++++++++++++++++++++++-
 1 files changed, 30 insertions(+), 1 deletion(-)

=======================================================================
--- openswan-1.0.9/pluto/ipsec_doi.c	2005-07-12 19:18:29.000000000 +0530
+++ openswan-1.0.9-m/pluto/ipsec_doi.c	2005-07-13 16:44:39.000000000 +0530
@@ -366,8 +366,33 @@
     u_char buffer[1024];
     pb_stream pbs, r_hdr_pbs;
     u_char *r_hashval, *r_hash_start;
+    static time_t last_malformed;
+    time_t n = time((time_t)NULL);
 
     passert((sndst) && (sndst->st_connection));
+    switch(type) {
+    case PAYLOAD_MALFORMED:
+        /* only send one per second. */
+        if(n == last_malformed) {
+            return;
+        }
+
+        last_malformed = n;
+        /*
+         * do not encrypt notification, since #1 reason for malformed
+         * payload is that the keys are all messed up.
+         */
+        encst = NULL;
+        break;
+
+    case INVALID_FLAGS:
+        /*
+         * invalid flags usually includes encryption flags, so do not
+         * send encrypted.
+         */
+        encst = NULL;
+        break;
+    }
 
     plog("sending %snotification %s to %s:%u",
 	encst ? "encrypted " : "",
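Review bot: The `switch(type)` added at the top of the hunk has no `default:` case, so every notification type other than PAYLOAD_MALFORMED and INVALID_FLAGS falls out of it silently; adding `default: break;` makes that intent explicit and keeps `-Wswitch` quiet. The limiter state `last_malformed` is a single file-scope static shared by all peers, so a burst of malformed messages from one sender suppresses the PAYLOAD_MALFORMED reply to every other sender in the same second, which deserves a comment on the declaration such as `/* global, not per-peer: at most one PAYLOAD_MALFORMED notification per second for all senders */`. `time((time_t)NULL)` is conventionally written `time(NULL)`. The enclosing function begins before the hunk.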
@@ -528,12 +553,16 @@
      */
     struct state st;
     struct connection cnx;
+    struct connection *c;
 
     passert(md);
+    if (!(c = find_host_connection(&md->iface->addr, pluto_port, &md->sender, md->sender_port, LEMPTY))
+    	&& !(c = find_host_connection(&md->iface->addr, pluto_port, NULL, md->sender_port, LEMPTY)))
+	return;
 
     memset(&st, 0, sizeof(st));
     memset(&cnx, 0, sizeof(cnx));
-    st.st_connection = &cnx;
+    st.st_connection = c;
     cnx.that.host_addr = md->sender;
     cnx.that.host_port = md->sender_port;
     cnx.interface = md->iface;
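Review bot: After `st.st_connection = c;` the three `cnx.*` assignments that follow no longer reach `st`, so the sender address, port and interface stored in `cnx` are dead stores unless `cnx` is referenced later in the function (the function continues past the hunk). If the notification destination is derived from `st_connection->that`, the fallback lookup with a `NULL` peer address can return a connection whose `that.host_addr` is not `md->sender`, so the reply might not go back to the actual initiator; I cannot confirm this from the hunk, but keeping `st.st_connection = &cnx;` and copying from `c` only what is needed would avoid the question. The early `return;` also leaves no record of the rejected initiator; a `plog` line there would let an operator see probing attempts. Splitting the two lookups into separate `if` statements would read more easily, and the continuation line mixes a tab with spaces.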

=======================================================================

-- 
Views expressed in this mail are those of the individual sender and 
do not bind Gsec1 Limited. or its subsidiary, unless the sender has done
so expressly with due authority of Gsec1.
_________________________________________________________________________


