[gull-annonces] Summary of SecurityFocus Newsletter #230

Marc SCHAEFER schaefer at alphanet.ch
Tue Jan 6 10:11:01 CET 2004


GNU Indent Local Heap Overflow Vulnerability
BugTraq ID: 9297
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9297
Summary:
GNU Indent is a tool that reformats C source code to a consistent layout,
making it easier to read.

An overflow condition has been identified in the software that may allow
an attacker to execute arbitrary code on a vulnerable system.

The issue has been reported to exist in the handle_token_colon() function
of the software.  The problem is reported to present itself when the
application parses a C source file (*.c).  It has been reported that
indent copies data from the file into a 1000 byte long buffer without
sufficient boundary checking.  A heap overflow condition may be triggered,
potentially causing heap memory management structures to be corrupted.
This can result in critical memory being overwritten and, ultimately,
code execution with the privileges of the user running indent.  Since
indent is typically run on source files obtained from third parties, a
malicious .c file is a realistic delivery vector.

GNU Indent version 2.2.9 has been reported to be prone to this issue;
however, other versions may be affected as well.
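The following is an added example and not code from GNU Indent: a hypothetical reconstruction of the bug shape the advisory describes (a token copied from the input file into a fixed 1000-byte heap buffer with no bound check) next to a bounded copy that reports truncation. The function names copy_token_unchecked, copy_token_bounded, token_would_overflow and make_label_line, the ':' delimiter and the test input are all assumptions made for this illustration; the real handle_token_colon() code is not reproduced here.

```c
/*
 * Added example, not code from GNU Indent. The advisory says indent copies
 * data from the input file into a 1000-byte buffer without a sufficient
 * bound check. The unchecked copy below is a hypothetical reconstruction of
 * that pattern; the bounded copy is the fix. All names are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_BUF_SIZE 1000   /* the buffer size named in the advisory */

/* Token delimiter for this illustration: the ':' that ends a C label. */
static int is_token_end(char c)
{
    return c == '\0' || c == ':' || c == '\n';
}

/* Hypothetical vulnerable pattern. The heap allocation is fixed at
 * TOKEN_BUF_SIZE, but the loop only stops at the delimiter in the input, so
 * a label of 1000 or more bytes writes past the allocation and corrupts the
 * allocator's bookkeeping. Defined only to show the shape of the bug; it is
 * deliberately never executed here. */
static char *copy_token_unchecked(const char *src)
{
    char *buf = malloc(TOKEN_BUF_SIZE);
    size_t i = 0;
    if (buf == NULL)
        return NULL;
    while (!is_token_end(src[i])) {   /* no comparison against TOKEN_BUF_SIZE */
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return buf;
}

/* Hardened form: the copy stops at cap - 1 bytes and the caller is told
 * that the token was truncated instead of silently overrunning the buffer.
 * Returns 0 when the whole token fit, -1 when it was cut off. */
static int copy_token_bounded(const char *src, char *buf, size_t cap, size_t *out_len)
{
    size_t i = 0;
    if (cap == 0)
        return -1;
    while (!is_token_end(src[i])) {
        if (i + 1 >= cap) {         /* keep one byte for the terminator */
            buf[cap - 1] = '\0';
            *out_len = cap - 1;
            return -1;
        }
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    *out_len = i;
    return 0;
}

/* Pre-filter check: would this token overflow a TOKEN_BUF_SIZE buffer in
 * the unchecked version? (token bytes plus the terminator must fit) */
static int token_would_overflow(const char *src)
{
    size_t i = 0;
    while (!is_token_end(src[i]))
        i++;
    return i + 1 > TOKEN_BUF_SIZE;
}

/* Builds a constructed C label line "AAA...A:\n" with an identifier of the
 * requested length, the kind of input that triggers the unchecked copy.
 * The caller frees the result. */
static char *make_label_line(size_t ident_len)
{
    char *line = malloc(ident_len + 3);
    if (line == NULL)
        return NULL;
    memset(line, 'A', ident_len);
    line[ident_len] = ':';
    line[ident_len + 1] = '\n';
    line[ident_len + 2] = '\0';
    return line;
}

int main(void)
{
    char buf[TOKEN_BUF_SIZE];
    size_t n = 0;
    char *line = make_label_line(1500);   /* constructed overlong label */
    if (line == NULL)
        return 1;
    printf("1500-byte label overflows unchecked copy: %d\n", token_would_overflow(line));
    printf("bounded copy result: %d (copied %zu bytes)\n",
           copy_token_bounded(line, buf, sizeof buf, &n), n);
    free(line);
    (void)copy_token_unchecked;   /* kept for illustration, not run */
    return 0;
}
```

The bounded version returns an error instead of overrunning, which is the behaviour a caller should handle explicitly (skip the token, abort the parse, or grow the buffer); silently truncating a label would change the meaning of the reformatted source.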

ISAKMPD "Invalid SPI" SA Deletion Vulnerability
BugTraq ID: 9333
Remote: Yes
Date Published: Jan 01 2004
Relevant URL: http://www.securityfocus.com/bid/9333
Summary:
isakmpd is the IKE key management daemon provided with OpenBSD. It
negotiates the security associations used to authenticate or encrypt
network traffic and is normally used to set up VPNs.  It has been
reported that attackers can remotely delete SAs (security associations)
on hosts running isakmpd.

When isakmpd receives an INVALID-SPI notification, it deletes the SA
associated with the specified SPI.  All associated SAs are deleted as
well.  The only check applied is that the notification appears to come
from the peer's IP address, which an attacker can spoof.  To exploit this
vulnerability, the attacker must sniff valid SPIs and then send a spoofed
INVALID-SPI notification carrying the target SPI, with the source address
set to the IP address of the peer gateway.

When this vulnerability is exploited, entries similar to the following
may appear in logs:

      075542.992984 Exch 10 ipsec_responder: got NOTIFY of type INVALID_SPI
      075543.000662 SA   30 ipsec_delete_spi_list: INVALID_SPI made us delete SA 0x1b1600 (3 references) for proto 0


Exploitation of this vulnerability may result in a disruption of service.
There may be more serious ramifications, as the IPSec policies are also
reportedly deleted in most cases.

ISAKMPD "Initial Contact" Notification SA Deletion Vulnerabi...
BugTraq ID: 9334
Remote: Yes
Date Published: Jan 01 2004
Relevant URL: http://www.securityfocus.com/bid/9334
Summary:
isakmpd is the IKE key management daemon provided with OpenBSD. It
negotiates the security associations used to authenticate or encrypt
network traffic and is normally used to set up VPNs. It has been reported
that attackers can remotely delete SAs (security associations) on hosts
running isakmpd.

When isakmpd receives an "INITIAL CONTACT" notification that is chained to
a payload considered "reasonable", it deletes the SA associated with the
IP address from which the message originated.  All associated SAs are
deleted as well.  "INITIAL CONTACT" notifications are ignored if the
message they are chained to is part of an informational exchange.  To
exploit this vulnerability, the attacker sends the victim gateway a
spoofed packet containing the "INITIAL CONTACT" notification chained to a
payload such as the initiation of a Main Mode exchange, with the source
address set to the peer associated with the target SA.  Because no SPI
needs to be known, only the peer's IP address, this vulnerability is
reportedly much easier to exploit than the issue described as Bugtraq ID
9333.

When this vulnerability is exploited, entries similar to the following
may appear in logs:

      081412.393202 SA   30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1600
      081412.399786 SA   30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1200

Exploitation of this vulnerability may result in a disruption of service.
There may be more serious ramifications, as the IPSec policies are also
reportedly deleted in most cases.
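Both isakmpd advisories (Bugtraq IDs 9333 and 9334) quote the log lines the daemon emits when a spoofed notification tears down an SA. The following is an added example, not part of the SecurityFocus advisories or of OpenBSD's isakmpd: a small scanner that classifies isakmpd log lines by those two deletion messages and tallies SA deletions per trigger, so an operator can alert on a burst of them. The function names, the sample log (the advisories' own lines plus one unrelated line constructed for the example) and the alert threshold are assumptions; a peer that genuinely restarts also sends INITIAL-CONTACT, so a single deletion is not by itself evidence of an attack.

```c
/*
 * Added example, not part of the SecurityFocus advisories or of OpenBSD's
 * isakmpd. Scans isakmpd debug log lines for the two deletion messages the
 * advisories quote ("INVALID_SPI made us delete SA" and "INITIAL-CONTACT
 * made us delete SA") and counts how many SAs each trigger removed.
 * Function names and the sample log are assumptions for this illustration.
 */
#include <stdio.h>
#include <string.h>

enum sa_kill_reason { KILL_NONE = 0, KILL_INVALID_SPI, KILL_INITIAL_CONTACT };

struct sa_kill_counts {
    int invalid_spi;       /* BID 9333: deletions after an INVALID-SPI notification */
    int initial_contact;   /* BID 9334: deletions after an INITIAL-CONTACT notification */
};

/* Classify one log line by the message text quoted in the advisories. */
enum sa_kill_reason classify_isakmpd_line(const char *line)
{
    if (strstr(line, "INVALID_SPI made us delete SA") != NULL)
        return KILL_INVALID_SPI;
    if (strstr(line, "INITIAL-CONTACT made us delete SA") != NULL)
        return KILL_INITIAL_CONTACT;
    return KILL_NONE;
}

/* Walk a newline-separated log buffer and tally deletions per trigger.
 * Lines longer than 511 bytes are truncated for classification only. */
struct sa_kill_counts count_sa_deletions(const char *log)
{
    struct sa_kill_counts c = { 0, 0 };
    const char *p = log;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t keep = full < 511 ? full : 511;
        char line[512];

        memcpy(line, p, keep);
        line[keep] = '\0';
        switch (classify_isakmpd_line(line)) {
        case KILL_INVALID_SPI:     c.invalid_spi++;     break;
        case KILL_INITIAL_CONTACT: c.initial_contact++; break;
        case KILL_NONE:            break;
        }
        p += full;
        if (nl)
            p++;               /* step over the newline */
    }
    return c;
}

/* A peer that genuinely restarts also sends INITIAL-CONTACT, so alert only
 * when the deletions in the scanned window reach an operator-chosen
 * threshold. Returns 1 to alert, 0 otherwise. */
int sa_deletion_alert(struct sa_kill_counts c, int threshold)
{
    return (c.invalid_spi + c.initial_contact) >= threshold;
}

/* Constructed sample log: the lines quoted in the two advisories, plus one
 * unrelated line made up for this example. */
const char SAMPLE_ISAKMPD_LOG[] =
    "075542.992984 Exch 10 ipsec_responder: got NOTIFY of type INVALID_SPI\n"
    "075543.000662 SA   30 ipsec_delete_spi_list: INVALID_SPI made us delete SA 0x1b1600 (3 references) for proto 0\n"
    "081412.393202 SA   30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1600\n"
    "081412.399786 SA   30 ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x1b1200\n"
    "081412.400001 Misc 10 constructed_line: unrelated message for this example\n";

int main(void)
{
    struct sa_kill_counts c = count_sa_deletions(SAMPLE_ISAKMPD_LOG);
    printf("INVALID_SPI deletions: %d, INITIAL-CONTACT deletions: %d, alert=%d\n",
           c.invalid_spi, c.initial_contact, sa_deletion_alert(c, 3));
    return 0;
}
```

In practice the scanner would be fed the daemon's debug output (the quoted lines are at the "SA" and "Exch" debug classes) and the threshold tuned against how often the peer legitimately re-establishes its tunnel; a sudden run of deletions from a peer that has not actually restarted is the signal these advisories describe.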


