Package: racoon
Severity: grave
Tags: sid sarge patch
Justification: remote DoS

Original Advisory:
https://bugzilla.redhat.com/bugz...nt.cgi?id=109966&action=view

http://secunia.com/advisories/14584/

Description:
Sebastian Krahmer has reported a vulnerability in KAME Racoon, which can
be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error when parsing ISAKMP headers
and can be exploited via a specially crafted ISAKMP packet.

Solution:
The vulnerability has been fixed in SNAP release 2005/03/14.
http://www.kame.net/snap-users/


The attached patch's changelog is,

Tue Mar  8 05:31:52 JST 2005
       * kame/kame/racoon/isakmp.c:
       one buffer overrun problem was fixed.  from ipsec-tools team.

The diff is between,
  kame-20050307-openbsd36-snap.tgz
  kame-20050314-openbsd36-snap.tgz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages racoon depends on:
ii  debconf                     1.4.46       Debian configuration management sy
ii  ipsec-tools                 1:0.5-4      IPsec tools for Linux
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libreadline5                5.0-10       GNU readline and history libraries
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  perl                        5.8.4-8      Larry Wall's Practical Extraction 
diff -ru kame.old/kame/kame/racoon/isakmp.c kame.new/kame/kame/racoon/isakmp.c
--- kame.old/kame/kame/racoon/isakmp.c	2004-03-30 21:14:39.000000000 -0600
+++ kame.new/kame/kame/racoon/isakmp.c	2005-03-07 14:29:58.000000000 -0600
@@ -1,4 +1,4 @@
-/*	$KAME: isakmp.c,v 1.181 2004/03/31 03:14:39 sakane Exp $	*/
+/*	$KAME: isakmp.c,v 1.182 2005/03/07 20:29:58 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1151,7 +1151,7 @@
 
 		p->type = np;
 		p->len = ntohs(gen->len);
-		if (p->len == 0 || p->len > tlen) {
+		if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
 			plog(LLV_DEBUG, LOCATION, NULL,
 				"invalid length of payload\n");
 			vfree(result);
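Review bot: the new lower bound `p->len < sizeof(struct isakmp_gen)` closes the gap left by the old `p->len == 0` test, which accepted lengths 1 through 3 even though `p->len` is read from the very generic header it must cover (`p->len = ntohs(gen->len)` on the line above); the hunk is cut off before the code that consumes `p->len`, so confirm that every place subtracting the generic header size from `p->len` sits after this check. The rejection path logs only the fixed string "invalid length of payload" at LLV_DEBUG; including the offending `p->len` value and the peer address in that `plog` call would let operators spot malformed ISAKMP traffic without debug logging enabled.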

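To make the length check concrete, here is an added example that is not part of the KAME or racoon source: it models the ISAKMP generic payload header, puts the old and patched bounds from the hunk side by side, shows the size the consumer derives from an accepted header, and walks two constructed payload chains with the patched bound. Function names and the sample bytes are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* ISAKMP generic payload header (RFC 2408, section 3.2): 4 bytes on the wire. */
struct isakmp_gen {
    uint8_t  np;        /* next payload type; 0 means no further payload */
    uint8_t  reserved;
    uint16_t len;       /* payload length including this header, big-endian */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bound from the '-' line of the hunk: only a zero length is rejected. */
int old_check_accepts(uint16_t len, size_t tlen)
{
    return !(len == 0 || len > tlen);
}

/* Bound from the '+' line: the payload must at least hold its own header. */
int new_check_accepts(uint16_t len, size_t tlen)
{
    return !(len < sizeof(struct isakmp_gen) || len > tlen);
}

/* What a consumer computes from an accepted header: the body size. Under the
 * old bound, len 1..3 reaches here and the unsigned subtraction wraps. */
size_t body_len(uint16_t len)
{
    return (size_t)len - sizeof(struct isakmp_gen);
}

/* Walk a chain of generic payloads in buf[0..tlen) with the patched bound.
 * Returns the payload count, or -1 at the first invalid length. */
int count_payloads(const uint8_t *buf, size_t tlen)
{
    int n = 0;
    while (tlen > 0) {
        if (tlen < sizeof(struct isakmp_gen))
            return -1;                 /* not even a full generic header left */
        uint16_t len = be16(buf + 2);
        if (!new_check_accepts(len, tlen))
            return -1;                 /* racoon's "invalid length of payload" */
        buf += len; tlen -= len; n++;
    }
    return n;
}

/* Constructed sample chains (hypothetical, not captured traffic): an 8-byte
 * payload with a 4-byte body followed by a header-only 4-byte payload ... */
static const uint8_t kValidChain[]    = { 0x0d,0,0x00,0x08, 1,2,3,4, 0x00,0,0x00,0x04 };
/* ... and a header claiming a 2-byte payload, which the old bound let through. */
static const uint8_t kShortLenChain[] = { 0x0d,0,0x00,0x02, 1,2,3,4 };
```

`body_len(2)` wraps to a value far larger than any packet, which is why a 2-byte length passing the old check ends in a buffer overrun rather than a clean rejection.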