Merged
59 changes: 58 additions & 1 deletion src/network-services-pentesting/ipsec-ike-vpn-pentesting.md
Expand Up @@ -14,6 +14,8 @@ The establishment of a **security association (SA)** between two points is manag

**Default port:** 500/udp

Also commonly exposed: 4500/udp (NAT Traversal)

## **Discover** the service using nmap

```
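Review bot: the new `Also commonly exposed: 4500/udp (NAT Traversal)` line should state the scanning consequence, not just the port: on 4500 the IKE message is NAT-T encapsulated (RFC 3948 section 2.2), i.e. prefixed with a 4-byte zero non-ESP marker, so a probe that sends a bare IKE header to 4500 gets no reply and a scanner will wrongly report the port closed. Suggest expanding it to something like `Also commonly exposed: 4500/udp (NAT Traversal, RFC 3948: IKE messages carry a 4-byte zero non-ESP marker; use ike-scan's --nat-t option)`, and making the `Default port` line above read `500/udp, 4500/udp (NAT-T)` so the two lines agree.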
Expand Down Expand Up @@ -117,6 +119,34 @@ Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 retur

This can be also achieve with nmap script _**ike-version**_

### IKEv2-specific: WatchGuard Vendor ID version fingerprinting

Some IKEv2 daemons include non-standard Vendor ID payloads in the IKE_SA_INIT response. WatchGuard Fireware OS encodes the appliance version/build directly inside the VID, allowing single-packet, pre-auth fingerprinting.

- Transport: UDP/500 (and UDP/4500 for NAT-T)
- Packet: IKE_SA_INIT response contains one or more Vendor ID payloads
- WatchGuard format: 32-byte hash followed by base64 that decodes to e.g. `VN=12.11.3 BN=719894`

Example raw bytes from a WatchGuard VID payload (last 12 bytes are base64):

```
00000000: bfc2 2e98 56ba 9936 11c1 1e48 a6d2 0807 ....V..6...H....
00000010: a95b edb3 9302 6a49 e60f ac32 7bb9 601b .[....jI...2{.`.
00000020: 566b 3439 4d54 4975 4d54 4575 4d79 4243 Vk49MTIuMTEuMyBC
00000030: 546a 3033 4d54 6b34 4f54 513d Tj03MTk4OTQ=
```

Quick extraction on a shell when you have the base64 tail:

```bash
echo 'Vk49MTIuMTEuMyBCTj03MTk4OTQ=' | base64 -d
# VN=12.11.3 BN=719894
```

Notes
- This is not part of any IKEv2 RFC. Treat it as a vendor quirk for rapid scoping of exposed/vulnerable Fireware OS versions.
- You only need to elicit an IKE_SA_INIT reply; no authentication is required.

## Finding the correct ID (group name)

For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name). You probably won't know the valid group name, so you will have to brute-force it.\
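Review bot: the byte-count claim above the hex dump is wrong. The dumped VID is 60 bytes: a 32-byte hash (offsets 0x00-0x1f) followed by the 28-byte base64 string `Vk49MTIuMTEuMyBCTj03MTk4OTQ=` (offsets 0x20-0x3b); the 12 bytes are only the final row of the dump. Change `last 12 bytes are base64` to `last 28 bytes are base64` so it matches the bullet `32-byte hash followed by base64` and the decode example. The section also never says how to elicit the IKE_SA_INIT reply: the ike-scan output it sits under is IKEv1 Main Mode, and the `ike-version` nmap script mentioned just above is not what produces this, so add the IKEv2 probe explicitly, e.g. `ike-scan -M --ikev2 <target>` (add `--nat-t` when probing 4500), and say the VID payload is read from that response.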
Expand Down Expand Up @@ -259,6 +289,27 @@ In this setup:

Ensure that actual, secure values are used to replace the placeholders when configuring the VPN.

## IKEv2 exploitation notes: pre-auth IDi/CERT processing bugs

Modern VPN appliances often expose IKEv2 on UDP/500 (and UDP/4500 for NAT-T). A common pre-authentication attack surface is the parsing of Identification (IDi) and Certificate payloads during IKE_SA_AUTH.

High-level exploitation flow when a vulnerable IKEv2 parser exists:
- Send a valid IKE_SA_INIT to negotiate transforms and complete Diffie–Hellman.
- Follow with IKE_SA_AUTH carrying an IDi that triggers the bug (e.g., an oversized Identification copied into a fixed-size stack buffer before certificate validation).
- Resulting memory corruption can yield saved-register and return-address control.
- With NX enabled but other mitigations missing (no PIE/canaries), build a ROP chain to call mprotect on a stack page and then pivot execution to injected shellcode or to a resident interpreter (e.g., /usr/bin/python3) if no /bin/sh is available.

Example default transforms observed on some IKEv2 appliances (WatchGuard Fireware OS 12.11.3):
- SHA2-256–AES(256-bit) with DH Group 14
- SHA1–AES(256-bit) with DH Group 5
- SHA1–AES(256-bit) with DH Group 2
- SHA1–3DES with DH Group 2

Practical tips
- Target both UDP/500 and UDP/4500; NAT-T servers may reply only on 4500.
- Increase receive buffer and timeouts for UDP-based scanners to avoid packet loss.
- If the service exposes custom Vendor IDs (see section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic.

## Reference Material

- [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
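Review bot: the exchange name is wrong in two places. IKEv2 (RFC 7296) consists of IKE_SA_INIT followed by IKE_AUTH; there is no exchange called IKE_SA_AUTH, so fix `during IKE_SA_AUTH` and `Follow with IKE_SA_AUTH`. The flow is also described only in the abstract while the concrete case is named elsewhere in this PR (the transform list is labelled `WatchGuard Fireware OS 12.11.3` and the reference added at the bottom is CVE-2025-9242): name the product and CVE here, next to the `oversized Identification copied into a fixed-size stack buffer` bullet, so readers can tell which parser and version that bullet describes rather than reading it as a generic IKEv2 property. Finally, `If the service exposes custom Vendor IDs (see section above)` should link the heading by name, since the two sections are 50 lines apart.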
Expand All @@ -269,5 +320,11 @@ Ensure that actual, secure values are used to replace the placeholders when conf
## Shodan

- `port:500 IKE`
- `port:4500 "UDP"`
- `udp port:500,4500 "WatchGuard"`

{{#include ../banners/hacktricks-training.md}}
## References

- [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/)

{{#include ../banners/hacktricks-training.md}}
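Review bot: the new `## References` heading duplicates the existing `## Reference Material` section a few lines above; put the CVE-2025-9242 link in that list instead of adding a second references section after the Shodan block. Check the rendered file ends with exactly one `{{#include ../banners/hacktricks-training.md}}`: the hunk shows the include both before and after the new heading, and it should survive only at the very end. On the Shodan queries, `port:4500 "UDP"` only matches banners containing the literal string UDP and does not select UDP transport, and the bare `udp` term in `udp port:500,4500 "WatchGuard"` is likewise just free text; either drop those terms or state what banner text they are meant to match.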