Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-06-12-0853 Product : ike-scan Version : 1.0 & 1.1 Vendor : http://www.nta-monitor.com/ike-scan/ Class : Local Criticality : Low Operating System(s) : *nix, cygwin High Level Explanation ************************************************************************ High Level Description : Local format string issue in logging functions What to do : Please upgrade ike-scan to version 1.2 Technical Details ************************************************************************ Proof Of Concept Status : Secure Network Operations does have PoC code Low Level Description : In the course of performing security assessments and penetration tests for their customers, http://www.nta-monitor.com has found that VPN systems often provide full access to the internal network which makes them tempting targets to an attacker. In addition, many people assume that their VPN servers are invisible and impenetrable which is a dangerous assumption given that research at NTA shows that IPsec VPN systems can be discovered and the manufacturer identified. When this potential for discovery and identification is combined with the fact that several VPN vulnerabilities have been reported in the past few months, it would seem to be only a matter of time before hackers start to target VPN systems. With this in mind, NTA took the decision to raise awareness of this serious industry problem by producing a white paper on how VPN servers can be detected and identified, combined with the development of a security-auditing program "ike-scan." The concepts behind ike-scan can be located in the following pdf. http://www.nta-monitor.com/ike-scan/whitepaper.pdf In a default configuration ike-scan is not suid root. The suid bit is not set during the install. As an admin you may have been tricked by a user that was perhaps higher on the food chain than you and he really wanted to use ike-scan so you had to chmod +s /usr/local/bin/ike-scan for him. In other words there is potential for this to be exploited. [root@Immunity root]# su - nobody sh-2.05$ /usr/local/bin/ike-scan 127.0.0.1 ERROR: Could not bind UDP socket to local port 500 You need to be root, or ike-scan must be suid root to bind to ports below 1024. Only one process may bind to a given port at any one time. bind: Permission denied Recently I started using (http://www.wirex.com/shop/index.php/cPath/25) Immunix 7+ from the Wirex folks and lets just say my night has been ruined a few times due to their products protection measures. As an example after compiling the new version of ike-scan to show how it was no longer exploitable, I found that I was unable to pop items off the stack as an example. If I were at work rather than home I would show the example however... FormatGuard kinda threw a wrench into that idea. =]. [root@Immunity ike-scan-1.1]# ./ike-scan %x ike-scan[7372]: ImmunixOS format error - mismatch of 0 in syslog() called by err_print Even though I am the one finding the vulnerabilities, I certainly enjoy having Immunix tell me about the exact function being exploited when I run the PoC code that was created for a non protected machine. After ike-scan is updated to version 1.2 you should see the following in your system logs if someone were to attempt to exploit ike-scan. Jun 12 20:32:11 Immunity ike-scan[8827]: Starting: /usr/local/bin/ike-scan %x [root@Immunity ike-scan-1.2]# /usr/local/bin/ike-scan %x gethostbyname: No such file or directory If you were on a regular redhat 7.0 machine exploitation would be as follows. [root@Immunity ike-scan-1.1]# head 0x82-eat_ike-scan.c /* ** ** ike-scan local root exploit ** exploit by "you dong-hun"(Xpl017Elz), . ** [x82@xpl017elz bin]$ ls -al ike-scan ** -rwsr-xr-x 1 root root 100554 Jun 2 06:23 ike-scan ** [x82@xpl017elz bin]$ ./0x82-eat_ike-scan ** [+] make /tmp/x82 code. ** [+] Auto Brute-force mode: gethostbyname: Success ** [+] Ok, exploited successfully. ** [+] It's shell ! ** bash# ** */ Vendor Status : This issue was promptly addressed by the vendor fixes are available at http://www.nta-monitor.com/ike-scan/download.htm Please upgrade to ike-scan 1.2. Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.