Test Suite Discovers Numerous ISAKMP/IKE Flaws
Several vendors release patches after vulnerabilities are found by Protos.
Multiple Vendors ISAKMP/IKE Implementation Vulnerabilities:
Using a test suite known as Protos, numerous ISAKMP/IKE implementations have been
found to be vulnerable to attacks which result, so far, in the application crashing.
There is no stated commonality in the methods used to crash the various implementations,
except that they are products which implement the same protocols. Patch announcements
have been released from Cisco, Juniper, Sun, Secgo, Stonesoft and Xelerance.
The Protos test suite is intended to send garbage at interfaces in applications
and/or services. It's used to gauge the applications' robustness to unexpected
malformed input in an attempt to determine if implementation flaws exist that
might be exploited by a would-be attacker. More information about Protos can
be found here.
While Protos certainly could be used with criminal intent on exploiting something,
its exhaustive nature is more tuned toward researchers looking to determine
the viability of implementations of a given protocol. When an application is
found to be vulnerable, no specific attempt is made to determine the scope of
the vulnerability. Instead, the specific test that causes the application to
fail is noted and the vendor informed. The vendor can then determine the extent
of the problem and patch appropriately. Not all failures via Protos are security
vulnerabilities, nor are they all buffer overflows that could result in remote
It's certainly possible that, as a result of the Protos testing, security vulnerabilities
in firewalls or VPN products that employ ISAKMP or IKE may soon be disclosed.
The most likely scenario would be for a vendor to release a patch, someone reverse
engineers the patch to determine the flaws corrected, and publishes exploit
information about the flaw that leads to exploit code. It's unlikely that this
would happen quickly, but as with the SNMP and ASN.1 flaws discovered via Protos,
exploits eventually were released. However, it's important to note that the
current flaws in ISAKMP/IKE are not cross-platform or cross-vendor, so there
should be no current concern about a worm evolving from the flaws.
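The kind of failure a robustness suite such as Protos turns up is easier to see on a concrete parser. The block below is an added example, not code from the column or from the Protos project: it models the ISAKMP generic payload header in simplified form (a next-payload byte, a reserved byte and a two-byte length that covers the header, as in RFC 2408), walks a payload chain once trusting the length fields and once validating them, and feeds both walkers a handful of constructed messages whose length fields have been mutated the way a test suite would mutate them. The message bytes, payload type numbers and the walker logic are all constructed for illustration.

```python
"""Added example, not code from the column or from the Protos test suite.
Simplified ISAKMP-style payload chain: next_payload (1), reserved (1),
payload_length (2, big-endian, includes the header). next_payload 0 ends
the chain.  All message bytes here are constructed."""
import struct

HEADER_FMT = "!BBH"                       # next_payload, reserved, payload_length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 4 bytes
MAX_PAYLOADS = 64                         # demo bound so the naive walker cannot spin forever


class MalformedMessage(ValueError):
    """Raised by the checked walker when a length field is inconsistent."""


def walk_naive(buf, first_type=1):
    """'Before' version: uses every payload_length as received.
    A zero length leaves the offset where it was, so the same header is read
    again and again (a real loop would spin until killed; the bound above just
    makes it return junk).  A length past the end of the message makes the next
    unpack_from raise, i.e. the daemon crashes."""
    payloads, off, ptype = [], 0, first_type
    for _ in range(MAX_PAYLOADS):
        if ptype == 0:                    # 0 = no next payload
            break
        next_type, _reserved, length = struct.unpack_from(HEADER_FMT, buf, off)
        payloads.append((ptype, bytes(buf[off + HEADER_LEN:off + length])))
        ptype, off = next_type, off + length
    return payloads


def walk_checked(buf, first_type=1):
    """Hardened version: validates every length before acting on it."""
    payloads, off, ptype = [], 0, first_type
    while ptype != 0:
        if len(payloads) >= MAX_PAYLOADS:
            raise MalformedMessage("too many payloads")
        if off + HEADER_LEN > len(buf):
            raise MalformedMessage("truncated header at offset %d" % off)
        next_type, _reserved, length = struct.unpack_from(HEADER_FMT, buf, off)
        if length < HEADER_LEN:
            raise MalformedMessage("payload_length %d smaller than its own header" % length)
        if off + length > len(buf):
            raise MalformedMessage("payload_length %d runs past end of message" % length)
        payloads.append((ptype, bytes(buf[off + HEADER_LEN:off + length])))
        ptype, off = next_type, off + length
    if off != len(buf):
        raise MalformedMessage("%d trailing bytes after last payload" % (len(buf) - off))
    return payloads


def payload(next_type, body, length=None):
    """Build one payload; `length` overrides the true length to craft a bad field."""
    if length is None:
        length = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, next_type, 0, length) + body


# Constructed inputs: one well-formed two-payload message and three mutations.
CASES = {
    "well_formed": payload(2, b"AAAA") + payload(0, b"BB"),
    "zero_length": payload(2, b"AAAA", length=0) + payload(0, b"BB"),
    "overlong":    payload(2, b"AAAA", length=1000) + payload(0, b"BB"),
    "truncated":   (payload(2, b"AAAA") + payload(0, b"BB"))[:-3],
}


def run_suite(walker):
    """Feed every case to `walker` and classify the outcome:
    'ok:N' returned N payloads, 'rejected' raised MalformedMessage (clean
    error path), 'crash' any other exception escaped (unhandled failure)."""
    results = {}
    for name, msg in CASES.items():
        try:
            results[name] = "ok:%d" % len(walker(msg))
        except MalformedMessage:
            results[name] = "rejected"
        except Exception:
            results[name] = "crash"
    return results


if __name__ == "__main__":
    for name, walker in (("naive", walk_naive), ("checked", walk_checked)):
        print(name, run_suite(walker))
```

Run stand-alone, the naive walker reports `ok:2` only for the well-formed message, returns 64 bogus payloads for the zero-length case and crashes on the other two; the checked walker accepts the well-formed message and rejects the rest with a clean error. That split between "crashes" and "rejects with an error" is exactly the distinction the column draws when it notes that a Protos failure is a robustness finding first and a security vulnerability only once the vendor has worked out what the failing test actually triggers.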
In theory, the reason encrypted passwords have security value is because it
takes time -- sometimes a very long time -- to reverse the encryption to determine
the original password. One way to shorten that time is to pre-compute the encrypted
version of a known password. By repeating this for every possible combination
of characters that can be used to create a password, and storing the results
in a table, it becomes possible to simply look up the encrypted text in the
table and reveal its original password. Known as Hash Lookup Tables,
they've been available in various forms of completeness for several years. Now,
a group has decided to make a business out of using these tables to provide
you with the original password for, eventually, any encrypted hash. Known as
RainbowCrack Online, the fee-based subscription service accepts a hash
and looks it up in their tables, eventually returning to you the original password.
The tables themselves, a substantial investment in both disk space and computing
time, are also being sold to selected businesses.
The site claims to have a server farm of 200 computers performing the look-ups
and additional table entries, and presumably it’s this concept of a hash
cracking farm that has led the media to suggest they're trying to do for hash
cracking what Google has done for search.
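The mechanism the column describes, precompute the hash of every candidate password, store it beside the password, and later look a captured hash up instead of recomputing, is short enough to show end to end. The block below is an added example, not code from the column or from RainbowCrack Online: it builds a plain lookup table over a tiny alphabet, reverses an unsalted hash with one dictionary lookup, and then shows why the same table is useless against a salted hash. The hash function (SHA-256), the alphabet, the password length limit and the sample passwords are assumptions chosen for the demonstration.

```python
"""Added example, not code from the column or from RainbowCrack Online.
Plain hash lookup table over a small keyspace, and the salted case that
defeats it.  Hash function, alphabet and passwords are assumptions."""
import hashlib
import itertools
import os

HASH_NAME = "sha256"   # assumption: the column does not say which hash


def unsalted_hash(password):
    """No salt: the same password hashes identically on every system."""
    return hashlib.new(HASH_NAME, password.encode()).hexdigest()


def salted_hash(password, salt):
    """salt || password: the same password gives a different digest per salt."""
    return hashlib.new(HASH_NAME, salt + password.encode()).hexdigest()


def table_size(alphabet_len, max_len):
    """Entries needed to cover every string of length 1..max_len."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def build_lookup_table(alphabet, max_len):
    """Precompute digest -> password for the whole keyspace; this loop is the
    'investment in disk space and computing time' the column mentions."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[unsalted_hash(pw)] = pw
    return table


def lookup(table, digest):
    """One dictionary probe: the password, or None if the digest is not tabled."""
    return table.get(digest)


def demo(alphabet="abcd", max_len=3):
    """Build the table and report what each lookup recovers."""
    table = build_lookup_table(alphabet, max_len)
    assert len(table) == table_size(len(alphabet), max_len)
    salt = os.urandom(16)                                   # constructed per-user salt
    return {
        "entries":  len(table),
        "unsalted": lookup(table, unsalted_hash("cab")),    # inside keyspace: recovered
        "outside":  lookup(table, unsalted_hash("zzz")),    # outside keyspace: None
        "salted":   lookup(table, salted_hash("cab", salt)),  # salted: None
    }


if __name__ == "__main__":
    print(demo())
```

The table for four letters up to three characters has 84 entries and is built in milliseconds; `table_size(95, 8)`, for printable ASCII up to eight characters, is over six quadrillion entries, which is why the column describes the tables themselves as a substantial investment. RainbowCrack's rainbow tables reduce that storage with hash chains (a time-memory trade-off), but the defensive conclusion is the same as the salted case above: a per-user salt means no single precomputed table covers every account, and a deliberately slow password hash makes the precomputation itself expensive.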
Legitimate uses might be to determine the Administrator password on a computer
where the user is no longer available. Other tools are available (such as L0phtcrack)
which will do a similar job, though they may take longer, but they may also
not be able to work on the forms of encryption that RainbowCrack Online is offering
today (which the site says will expand as time goes on). The subscription model
is based on monthly use, so it would seem that their business model is to sell
this service to computer repair shops, forensic analysts, or law enforcement
that may frequently have to crack the password on some system.
Illegal use requires that the criminal have access to the hash. Normally, this
would only be available on the network wire within the premises where the computer
resides, or via a stored cache of the hash such as in the registry on a Windows
This column was originally published in our weekly Security Watch newsletter.
You may have heard of AOL's recent approach to promoting two of its new services:
It automatically added two new buddies to every AOL Instant Messenger (AIM)
subscriber upon logon. Known as AIMBots,
the buddies lead customers to services for movie information and shopping hints.
The buddies were accompanied by an IM from “AOL System Msg” which
included a URL providing “more information.”
Not only was this an intrusion on the consumer’s setup of the AIM application,
but by providing a link to “more information” directly from AOL
themselves, the possibility of a new AIM worm gains credence. Past malware has
abused the buddy list and URLs to propagate messages from someone you know/trust
which include a link and the suggestion that you click on it, resulting in a
visit to a malicious Web server.
And with AOL now taking the step to send you unsolicited notices that include
URLs, a future malware author may do the same, and consumers will be more likely
to fall prey to it.
What's ridiculous is that AOL is no stranger to such problems. For years, one
of the most common forms of “attack” was a request, purporting to
be from AOL, that you provide them with your password and screen name. The criminals
would then be able to log in as you and send out spam in your name. AOL frequently
sent messages to its subscribers reminding them that they would never request
your password by e-mail. Due to the AIM URL worm, advice to AIM customers has
been to be extremely leery about any URL they receive in AIM. Now AOL will not
be able to say that they will never send out a URL that way.
It's highly likely that this will be abused in the near future, either as a
phishing scam, spam or malware installation. In deciding to use this method
to generate interest in these new services, AOL has forever stopped themselves
from being able to claim the security high ground by promising not to send URLs
in messages. They will regret this in the not-so-distant future.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.