Full Disclosure mailing list archives
SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS
From: mu-b <mu-b () digit-labs org>
Date: Fri, 08 Jun 2007 14:02:08 +0100
Attached is POC for a remote DoS in IPSecDrv.sys shipped with SafeNET High Assurance Remote and SoftRemote. The version tested is 10.4.0.12. The bug itself is due to SafeNET making a complete hash of IPv6 support for IPSec. The result of the code is a complete DoS of the machine in Kernel mode whilst the driver proceeds to enter an infinite loop (apparently looking for a suitable IPSec extension header, which it will never find). The dodgy code can be found at offset 0x1000BEB0 of IPSecDrv.sys (10.4.0.12). The attached code will only work over local subnets, however this is trivially remote with IPv6. PoC: http://www.digit-labs.org/files/exploits/safenet-dos.c hmmm, I wonder how SafeNET think they can charge for such a half-baked, crufty, god-awful implementation.... -- mu-b (mu-b () digit-labs org) "Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SafeNET High Assurance Remote/SoftRemote (IPSecDrv.sys) remote DoS mu-b (Jun 08)