Vigil@nce - strongSwan: buffer overflow of atodn
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When Opportunistic Encryption is enabled ("oe=yes"), an attacker
can generate a buffer overflow in strongSwan, in order to trigger
a denial of service, and possibly to execute code.
– Impacted products: Unix (platform)
– Severity: 2/4
– Creation date: 15/05/2013
DESCRIPTION OF THE VULNERABILITY
When Opportunistic Encryption is enabled ("oe=yes"), the IKE pluto
daemon queries DNS TXT records, in order to obtain public keys.
These records contain the name of the IPsec gateway. This name is
transmitted to the atoid() function, then to atodn(). However, the
atodn() function stores the name in a array of three bytes. An
overflow thus occurs.
In order to exploit this vulnerability, the attacker has to ask to
connect to an IP address for which he can spoof a reverse DNS TXT
reply.
An attacker can therefore generate a buffer overflow in
strongSwan, in order to trigger a denial of service, and possibly
to execute code.
This vulnerability has the same origin as VIGILANCE-VUL-12827
(https://vigilance.fr/tree/1/12827) and VIGILANCE-VUL-12828
(https://vigilance.fr/tree/1/12828).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/strongSwan-buffer-overflow-of-atodn-12829