iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing

From: iDEFENSE Labs (labsat_private)
Date: Thu Feb 27 2003 - 11:20:20 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    iDEFENSE Security Advisory 02.27.03: 
    http://www.idefense.com/advisory/02.27.03.txt
    TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
    February 27, 2003
    
    I. BACKGROUND
    
    TCPDUMP is a widely used network debugging tool that prints out the
    headers of packets on a network interface that match a boolean expression.
    More information about the application is available at
    http://www.tcpdump.org .  
    
    II. DESCRIPTION
    
    A vulnerability exists in the parsing of ISAKMP packets (UDP port 500)
    that allows an attacker to force TCPDUMP into an infinite loop upon
    receipt of a specially crafted packet. 
    
    The following output is from TCPDUMP replaying a previously captured
    malformed ISAKMP packet: 
    
    # tcpdump -vvvr tcpdump_isakmp_inf_loop | head
    05:14:57.954719 192.168.2.243.isakmp > 192.168.2.243.isakmp: isakmp 8.9 msgid 7d380dee
    cookie 773b4e8a1618caa8->51efacc0a65e0334: phase 2/others ? #69[C]:
        (#83)
        (#237)
        (#237)
        (#237)
        (#237)
        (#237)
        (#237)
        (#237)
        (#237)
        ... 
    
    The string "(#237)" is printed indefinitely; from this point on TCPDUMP
    processes no other packets. The vulnerable code has been narrowed down to
    the following loop in print_isakmp.c:isakmp_sub_print(). The loop exits
    only when 'np' (the next-payload type) becomes zero or when a payload runs
    past the end of the captured data. A payload whose generic header carries a
    length of zero defeats both conditions: isakmp_sub0_print() steps over the
    payload by its length and so returns the very pointer it was given, 'ext'
    never advances, the same header is re-read, 'np' stays 237 (a type with no
    dissector, hence the "#237" output) and the loop makes no progress:
    
    while (np) {
        safememcpy(&e, ext, sizeof(e));
    
        if (ep < (u_char *)ext + ntohs(e.len)) {
            printf(" [|%s]", NPSTR(np));
            cp = ep + 1;
            break;
        }
        depth++;
        printf("\n");
        for (i = 0; i < depth; i++)
            printf("    ");
        printf("(");
        cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
        printf(")");
        depth--;
    
        np = e.np;
        ext = (struct isakmp_gen *)cp;
    }  
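
    The following is an added example, not code from tcpdump or from the
    advisory. It re-implements the payload-chain walk above over a raw buffer,
    first as the 3.7.1 loop does it and then with the length check that
    guarantees forward progress, and runs both over a constructed ISAKMP
    datagram whose last payload has a zero length. The packet bytes, the
    iteration cap used to stand in for the infinite loop, and the function and
    return-code names are this example's own; the hardened variant shows the
    property the fix must restore, not the exact code in 3.7.2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN     28  /* RFC 2408 3.1: cookies(16) np ver xchg flags msgid(4) length(4) */
#define ISAKMP_GEN_LEN      4  /* RFC 2408 3.2 generic payload header: np, reserved, length(2) */
#define ISAKMP_NPTYPE_NONE  0

/* Return codes of this example's walkers (not tcpdump names). */
enum { WALK_TRUNCATED = -1, WALK_BAD_LENGTH = -2, WALK_NO_PROGRESS = -3 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Vulnerable walk, mirroring the tcpdump 3.7.1 loop quoted in the advisory.
 * 'np' is the next-payload byte of the ISAKMP header, 'ext' the first generic
 * payload header and 'ep' one past the end of the captured data. Returns the
 * number of payloads walked. tcpdump's loop has no exit for a zero-length
 * payload; 'cap' bounds the iterations so this example terminates, and hitting
 * it is reported as WALK_NO_PROGRESS.
 */
static int walk_vulnerable(uint8_t np, const uint8_t *ext, const uint8_t *ep, int cap)
{
    int n = 0;
    while (np != ISAKMP_NPTYPE_NONE) {
        if (ext + ISAKMP_GEN_LEN > ep)      /* demo-only guard: never read past the buffer */
            return WALK_TRUNCATED;
        uint8_t  e_np  = ext[0];            /* safememcpy(&e, ext, sizeof(e)) */
        uint16_t e_len = be16(ext + 2);
        if (ep < ext + e_len)               /* tcpdump prints " [|np]" and breaks */
            return WALK_TRUNCATED;
        /* isakmp_sub0_print() for a type with no dissector prints "(#np)" and
         * returns ext + e_len; with e_len == 0 that is the pointer it was given. */
        if (++n > cap)
            return WALK_NO_PROGRESS;
        ext += e_len;
        np = e_np;
    }
    return n;
}

/*
 * Hardened walk: a payload shorter than its own 4-byte header cannot be valid
 * and, if accepted, cannot move 'ext' forward, so it is rejected before any
 * dissection. 'ext' now strictly increases on every iteration.
 */
static int walk_hardened(uint8_t np, const uint8_t *ext, const uint8_t *ep)
{
    int n = 0;
    while (np != ISAKMP_NPTYPE_NONE) {
        if (ext + ISAKMP_GEN_LEN > ep)
            return WALK_TRUNCATED;
        uint8_t  e_np  = ext[0];
        uint16_t e_len = be16(ext + 2);
        if (e_len < ISAKMP_GEN_LEN)         /* the missing check */
            return WALK_BAD_LENGTH;
        if (ep < ext + e_len)
            return WALK_TRUNCATED;
        n++;
        ext += e_len;
        np = e_np;
    }
    return n;
}

/* Run either walker over a whole captured ISAKMP datagram (the UDP payload). */
static int walk_isakmp(const uint8_t *pkt, size_t caplen, int hardened)
{
    if (caplen < ISAKMP_HDR_LEN)
        return WALK_TRUNCATED;
    uint8_t np = pkt[16];                   /* next-payload byte of the ISAKMP header */
    const uint8_t *ext = pkt + ISAKMP_HDR_LEN, *ep = pkt + caplen;
    return hardened ? walk_hardened(np, ext, ep) : walk_vulnerable(np, ext, ep, 1000);
}

/* Constructed sample datagrams (not the advisory's capture); cookies, msgid
 * and header length are arbitrary, only the payload chain matters. */
static const uint8_t good_pkt[] = {
    /* header: np=1 (SA), version 1.0, exchange 2, flags 0, msgid, length 44 */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0,
    0x01, 0x10, 0x02, 0x00, 0,0,0,1, 0,0,0,44,
    /* payload 1: np=4 (KE), len 8 */   0x04, 0x00, 0x00, 0x08, 0xde,0xad,0xbe,0xef,
    /* payload 2: np=0 (none), len 8 */ 0x00, 0x00, 0x00, 0x08, 0xca,0xfe,0xf0,0x0d,
};
static const uint8_t loop_pkt[] = {
    /* header: np=83, an unknown type like the "(#83)" in the advisory */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0,
    0x53, 0x10, 0x02, 0x00, 0,0,0,1, 0,0,0,40,
    /* payload 1: np=237, len 8 */      0xed, 0x00, 0x00, 0x08, 0,0,0,0,
    /* payload 2: np=237, len 0: 'ext' never advances and 'np' never becomes 0 */
    0xed, 0x00, 0x00, 0x00,
};

int main(void)
{
    printf("well-formed chain:   vulnerable=%d hardened=%d\n",
           walk_isakmp(good_pkt, sizeof good_pkt, 0), walk_isakmp(good_pkt, sizeof good_pkt, 1));
    printf("zero-length payload: vulnerable=%d hardened=%d\n",
           walk_isakmp(loop_pkt, sizeof loop_pkt, 0), walk_isakmp(loop_pkt, sizeof loop_pkt, 1));
    return 0;
}
```

    Both walkers accept the well-formed chain; on the malformed one the
    vulnerable walker only stops because of the artificial cap, while the
    hardened walker rejects the zero-length header before re-reading it.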
    
    III. ANALYSIS
    
    Any remote user can generate a specially crafted packet that causes
    TCPDUMP to enter an infinite loop, rendering the application useless and
    preventing the administrator from viewing network traffic. Because ISAKMP
    runs over the User Datagram Protocol (UDP), a connectionless protocol, the
    attacker can spoof the source address of the malicious packet and trigger
    the vulnerability anonymously. The packet also need not be addressed to
    the host running TCPDUMP: any ISAKMP datagram captured on the monitored
    interface is dissected. While the vulnerability exists specifically in the
    TCPDUMP code base, some applications utilize code from TCPDUMP or "wrap"
    around TCPDUMP, and such applications would also be affected.
    
    IV. DETECTION
    
    iDEFENSE has confirmed the existence of this vulnerability in TCPDUMP
    versions 3.6, 3.6.3 and 3.7.1 built against LIBPCAP versions 0.6 and 0.7
    on both the Linux and FreeBSD platforms. Many other Linux distributions
    contain vulnerable TCPDUMP versions.
    
    V. RECOVERY
    
    An affected application is rendered useless upon entry into the infinite
    loop. The application must be restarted to regain normal functionality. 
    
    VI. WORKAROUND
    
    An ad hoc workaround that can be implemented until an official vendor
    patch is available is to exclude ISAKMP traffic (port 500) from the
    capture filter, so that a malformed packet never reaches the vulnerable
    dissector. Adding the following to the boolean expression accomplishes
    this:
    
    [and] dst port not 500 
    
    where the [and] is needed only when additional boolean expressions are
    provided. Note that TCPDUMP hands a UDP datagram to the ISAKMP dissector
    when either its source or its destination port is 500, so a packet sent
    from source port 500 to some other port bypasses a destination-only
    filter; the expression "not port 500", which matches both directions, is
    the safer form.
    
    VII. VENDOR FIX/RESPONSE
    
    This vulnerability was already closed by Guy Harris during routine
    development; users of the CVS version downloaded since September 6, 2002
    (revision 1.34 of print-isakmp.c) are not vulnerable.  The new 3.7.2
    tcpdump release includes this and a couple of additional security
    fixes; the 0.7.2 libpcap release includes new functionality but no
    security fixes.
    
    The following packages are available:
    
    http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
    http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
    
    
    Debian 2.2 (potato) contains tcpdump 3.4a6, which does not appear to be
    vulnerable (version 3.4a6 does not include an isakmp dissector). Debian
    3.0 (woody) contains tcpdump 3.6.2, which is vulnerable.  Updated packages
    are available from http://www.debian.org/security/ .
    
    
    VIII. CVE INFORMATION
    
    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
    assigned the identification number CAN-2003-0108 to this issue.
    
    IX. DISCLOSURE TIMELINE
    
    12/09/2002	Issue disclosed to iDEFENSE
    02/25/2003	TCPDUMP maintainers notified: guy_harrisat_private,
    		itojunat_private, mcrat_private and 
    		fennerat_private
    02/25/2003	Responses from Guy Harris, Bill Fenner, Michael Richardson
    02/25/2003	iDEFENSE clients notified
    02/26/2003	OS vendors notified via vendor-secat_private
    02/27/2003	Public Disclosure
    
    X. CREDIT
    
    Andrew Griffiths (andrewgat_private) is credited with discovering this
    vulnerability.
    
    
    Get paid for security research
    http://www.idefense.com/contributor.html
    
    Subscribe to iDEFENSE Advisories:
    send email to listservat_private, subject line: "subscribe"
    
    
    About iDEFENSE:
    
    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide 
    decision-makers, frontline security professionals and network 
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPl5kgPrkky7kqW5PEQKOHQCeOpW3nL8O4KLeXbpPtWYxEAvj5RAAn1iJ
    CzXiu8TzsrftUGUlxCElW4AE
    =/uV9
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 11:33:07 PST