From f7202afaf1604df65ad209058618914c3b164662 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 18 Oct 2025 18:33:08 +0000 Subject: [PATCH] Add content from: YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE... --- .../ipsec-ike-vpn-pentesting.md | 59 ++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md index 27fcd872633..250ea145dc9 100644 --- a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md +++ b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md @@ -14,6 +14,8 @@ The establishment of a **security association (SA)** between two points is manag **Default port:** 500/udp +Also commonly exposed: 4500/udp (NAT Traversal) + ## **Discover** the service using nmap ``` 
@@ -117,6 +119,34 @@ Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 retur This can be also achieve with nmap script _**ike-version**_ +### IKEv2-specific: WatchGuard Vendor ID version fingerprinting + +Some IKEv2 daemons include non-standard Vendor ID payloads in the IKE_SA_INIT response. WatchGuard Fireware OS encodes the appliance version/build directly inside the VID, allowing single-packet, pre-auth fingerprinting. + +- Transport: UDP/500 (and UDP/4500 for NAT-T) +- Packet: IKE_SA_INIT response contains one or more Vendor ID payloads +- WatchGuard format: 32-byte hash followed by base64 that decodes to e.g. `VN=12.11.3 BN=719894` + +Example raw bytes from a WatchGuard VID payload (last 12 bytes are base64): + +``` +00000000: bfc2 2e98 56ba 9936 11c1 1e48 a6d2 0807 ....V..6...H.... +00000010: a95b edb3 9302 6a49 e60f ac32 7bb9 601b .[....jI...2{.`. +00000020: 566b 3439 4d54 4975 4d54 4575 4d79 4243 Vk49MTIuMTEuMyBC +00000030: 546a 3033 4d54 6b34 4f54 513d Tj03MTk4OTQ= +``` + +Quick extraction on a shell when you have the base64 tail: + +```bash +echo 'Vk49MTIuMTEuMyBCTj03MTk4OTQ=' | base64 -d +# VN=12.11.3 BN=719894 +``` + +Notes +- This is not part of any IKEv2 RFC. Treat it as a vendor quirk for rapid scoping of exposed/vulnerable Fireware OS versions. +- You only need to elicit an IKE_SA_INIT reply; no authentication is required. + ## Finding the correct ID (group name) For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name). You probably won't know the valid group name, so you will have to brute-force it.\ 
@@ -259,6 +289,27 @@ In this setup: Ensure that actual, secure values are used to replace the placeholders when configuring the VPN. +## IKEv2 exploitation notes: pre-auth IDi/CERT processing bugs + +Modern VPN appliances often expose IKEv2 on UDP/500 (and UDP/4500 for NAT-T). A common pre-authentication attack surface is the parsing of Identification (IDi) and Certificate payloads during IKE_SA_AUTH. + +High-level exploitation flow when a vulnerable IKEv2 parser exists: +- Send a valid IKE_SA_INIT to negotiate transforms and complete Diffie–Hellman. +- Follow with IKE_SA_AUTH carrying an IDi that triggers the bug (e.g., an oversized Identification copied into a fixed-size stack buffer before certificate validation). +- Resulting memory corruption can yield saved-register and return-address control. +- With NX enabled but other mitigations missing (no PIE/canaries), build a ROP chain to call mprotect on a stack page and then pivot execution to injected shellcode or to a resident interpreter (e.g., /usr/bin/python3) if no /bin/sh is available. + +Example default transforms observed on some IKEv2 appliances (WatchGuard Fireware OS 12.11.3): +- SHA2-256–AES(256-bit) with DH Group 14 +- SHA1–AES(256-bit) with DH Group 5 +- SHA1–AES(256-bit) with DH Group 2 +- SHA1–3DES with DH Group 2 + +Practical tips +- Target both UDP/500 and UDP/4500; NAT-T servers may reply only on 4500. +- Increase receive buffer and timeouts for UDP-based scanners to avoid packet loss. +- If the service exposes custom Vendor IDs (see section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic. + ## Reference Material - [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf) 
@@ -269,5 +320,11 @@ Ensure that actual, secure values are used to replace the placeholders when conf ## Shodan - `port:500 IKE` +- `port:4500 "UDP"` +- `udp port:500,4500 "WatchGuard"` -{{#include ../banners/hacktricks-training.md}} +## References + +- [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/) + +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file
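Review bot: In the first hunk (`ipsec-ike-vpn-pentesting.md` around line 14), the new line `Also commonly exposed: 4500/udp (NAT Traversal)` breaks the formatting of the `**Default port:** 500/udp` line directly above it; render it in the same bold-label style (for example `**NAT-T port:** 4500/udp`) so the two port lines read as one block, and keep the port here as the single place the document states it, since the later hunks repeat the same UDP/500 and UDP/4500 fact twice more.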
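Review bot: In the second hunk (the new "IKEv2-specific: WatchGuard Vendor ID version fingerprinting" section), the sentence "last 12 bytes are base64" contradicts the hex dump that follows it: the base64 text starts at offset 0x20, right after the 32-byte hash, and runs 28 bytes (`Vk49MTIuMTEuMyBCTj03MTk4OTQ=` is 28 characters), so only the final dump line is 12 bytes. Change the parenthetical to "bytes from offset 0x20 onward are base64" (or "the trailing 28 bytes"). Since the section states the version is disclosed pre-auth, the "Notes" list should also say what the exposure means for an operator, namely that the build number is readable by anyone who can reach UDP/500, which is the reason to limit IKE exposure and patch promptly.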
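Review bot: In the third hunk (the new "IKEv2 exploitation notes" section), none of the specific claims (the IDi copied into a fixed-size stack buffer, the NX-but-no-PIE/canary mitigation profile, the Fireware OS 12.11.3 transform list) cite their source inline, even though the patch adds the watchTowr CVE-2025-9242 post in the last hunk; add the link next to the first mention so a reader can tell which statements are general IKEv2 guidance and which are findings about one product. The section also gives no remediation at all: add a line naming the fixed Fireware OS release (it is not on this page; take it from the referenced post or the vendor advisory) and the usual mitigations the text already implies (restrict UDP/500 and UDP/4500 to known peers, patch). Finally, "Increase receive buffer and timeouts for UDP-based scanners" is too vague to act on; either name the scanner option it refers to or drop the bullet.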
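Review bot: In the fourth hunk, the added Shodan queries use free-text terms where a filter is meant: in `port:4500 "UDP"` and `udp port:500,4500 "WatchGuard"` the words `"UDP"` and `udp` are matched against banner text, not the transport; use the `transport:udp` filter instead (`transport:udp port:500,4500 "WatchGuard"`). This hunk also adds a new `## References` heading while the file already has a `## Reference Material` section (visible as context in the previous hunk); put the watchTowr link in the existing section rather than creating a second reference list. And the re-added `{{#include ../banners/hacktricks-training.md}}` line now lacks a trailing newline ("No newline at end of file"); restore it so the include stays on its own line.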