Microsoft IKE DoS... source port 500?

From: Abe L. Getchell (abegetchell@home.com)
Date: 12/30/01


From: "Abe L. Getchell" <abegetchell@home.com>
To: <vuln-dev@securityfocus.com>
Date: Sat, 29 Dec 2001 18:26:14 -0500

Greetings all!

Over the holidays I wrote some code, for testing purposes, to exploit
the DoS recently found in Microsoft's IKE implementation. Because of a
simple coding error, the packets I was generating had a source port of
1024, _not_ a source port of 500, which is always associated with IKE
traffic. The code, however, was still effective in causing a DoS
condition on the target machine. I fixed the error, but this got me
thinking. In everything I've read in documentation and experienced on
production networks, IKE packets always have a source port of 500. So
why was Microsoft's IKE implementation happily accepting packets that
didn't? Shouldn't this be one of the first things on the list to be
checked before a packet is processed?

All of the packet captures, books, research papers, reference
information, newsgroup and mailing list postings I went through
referenced IKE packets having a source port of 500. Thinking back, all
of the products I've worked with that specifically dealt with IKE
traffic categorized this type of traffic by stating it would have a
destination _and_ source port of 500. This further deepened my
curiosity as to why Microsoft's implementation would process these
packets.

Deciding to go right to the source, I referred to the ISAKMP RFC:

(from http://www.ietf.org/rfc/rfc2408.txt)

2.5.1 Transport Protocol

   ISAKMP can be implemented over any transport protocol or over IP
   itself. Implementations MUST include send and receive capability for
   ISAKMP using the User Datagram Protocol (UDP) on port 500. UDP Port
   500 has been assigned to ISAKMP by the Internet Assigned Numbers
   Authority (IANA). Implementations MAY additionally support ISAKMP
   over other transport protocols or over IP itself.

Notice that this doesn't specify that IKE packets _must_ have a source
port of 500, it simply says 'port 500'. Can someone point me to any
piece of documentation which specifies that IKE packets _must_ have a
source port of 500? Is this one of those 'unofficial standards' and
hence the reason for Microsoft's implementation processing these packets
as normal?

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell@home.com
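The check the post asks about, written out as an added example (my code, not the original poster's and not anything from Microsoft's implementation): a receive-side screen for UDP datagrams arriving at an IKE listener. It takes the UDP ports and payload as already-decoded values, parses the fixed ISAKMP header from RFC 2408 section 3.1, and applies a configurable policy on the source port. The source-port rule is deliberately a local policy knob, matching the post's reading that RFC 2408 only names "port 500" and says nothing about the source port; the header sanity checks (version, length field against the datagram size) are the kind of validation a listener would do before any further processing. The sample datagram is constructed for the example and its cookie and body values are arbitrary.

```python
import struct
from dataclasses import dataclass

ISAKMP_PORT = 500                # UDP port assigned to ISAKMP by IANA (RFC 2408 section 2.5.1)
ISAKMP_HDR_LEN = 28              # fixed ISAKMP header size (RFC 2408 section 3.1)
ISAKMP_HDR_FMT = "!8s8sBBBBII"   # cookies, next payload, version, exchange type, flags, message ID, length


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Decode the fixed ISAKMP header at the start of a UDP payload."""
    if len(payload) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = struct.unpack(ISAKMP_HDR_FMT, payload[:ISAKMP_HDR_LEN])
    return IsakmpHeader(icookie, rcookie, next_payload,
                        version >> 4, version & 0x0F,
                        exchange, flags, message_id, length)


def make_sample_datagram(body_len: int = 100) -> bytes:
    """Constructed sample: an ISAKMP 1.0 Identity Protection (Main Mode) header
    followed by a dummy body, so the example runs offline."""
    total = ISAKMP_HDR_LEN + body_len
    header = struct.pack(ISAKMP_HDR_FMT,
                         b"\x11" * 8,   # initiator cookie (constructed, arbitrary)
                         b"\x00" * 8,   # responder cookie: zero in the first message
                         1,             # next payload: Security Association
                         0x10,          # major version 1, minor version 0
                         2,             # exchange type: Identity Protection
                         0,             # flags
                         0,             # message ID: zero during phase 1
                         total)         # length of the whole ISAKMP message
    return header + b"\x00" * body_len


def screen_ike_datagram(src_port: int, dst_port: int, payload: bytes,
                        require_source_port_500: bool = True):
    """Decide whether a UDP datagram should reach the IKE state machine.

    Returns (accepted, reason). The source-port rule is a local policy:
    RFC 2408 only requires listening on UDP 500 and does not constrain
    the peer's source port, so the caller chooses how strict to be.
    """
    if dst_port != ISAKMP_PORT:
        return False, f"destination port {dst_port} is not {ISAKMP_PORT}"
    if require_source_port_500 and src_port != ISAKMP_PORT:
        return False, f"source port {src_port} is not {ISAKMP_PORT} (policy)"
    try:
        hdr = parse_isakmp_header(payload)
    except ValueError as exc:
        return False, str(exc)
    if hdr.major_version != 1:
        return False, f"unsupported ISAKMP major version {hdr.major_version}"
    # The Length field is attacker-controlled input; never trust it for
    # buffer sizing before checking it against what actually arrived.
    if hdr.length != len(payload):
        return False, f"length field {hdr.length} does not match datagram size {len(payload)}"
    return True, "ok"


if __name__ == "__main__":
    sample = make_sample_datagram()
    for src in (500, 1024):
        print(src, screen_ike_datagram(src, 500, sample))
    print("lenient", screen_ike_datagram(1024, 500, sample, require_source_port_500=False))
    print("truncated", screen_ike_datagram(500, 500, sample[:-10]))
```

Rejections carry a reason string so an operator can log source-port anomalies instead of silently dropping them, which is how traffic like the post's port 1024 packets would become visible in the first place.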
