[Dailydave] [enumeration vulnerability] Mobile IP, dynamics mip implementation, and you

Aaron apconole at yahoo.com
Thu Dec 7 20:33:29 EST 2006


>It's cool. Thanks for sharing. :)
>
>However, part of the community is also peer review. A friend just noted:
>
>"As for the specific issues raised below -- it's far too long since I've
>read those RFCs, so I can't comment in detail; I will note that both
>are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
>document, and any criticisms should probably be based on it."

RFC 3344 also has the same issue. It specifies that the reg-reply should contain an authentication extension, and specifies a reply code for authentication failures by mobile node, and home agent.

The issue isn't just the RFC though, as I noted in my original post. It's also with specific implementations of the mobile IP standard. The implementation in question is the Dynamics implementation; however, I know of at least one other Mobile IP-like protocol (the A11 interface in 1xEV-DO networks) which has this enumeration problem.

-Aaron


Gadi Evron <ge at linuxbox.org> wrote:

On Thu, 7 Dec 2006, Aaron wrote:
> This is my first real security related mailing, so I
> hope it's acceptable. A search on the web revealed
> that no one has yet pointed out this flaw, so I figure
> I will.

It's cool. Thanks for sharing. :)

However, part of the community is also peer review. A friend just noted:

"As for the specific issues raised below -- it's far too long since I've
read those RFCs, so I can't comment in detail; I will note that both
are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
document, and any criticisms should probably be based on it."


> 
> In the MIP rfc 2002 and 3220 specs, neither talk about
> authentication failures, or when it is acceptable NOT
> to include the authentication extension. In fact,
> these specs go as far as to include error cases when
> we have failed authentications, and mandate that an
> authentication extension be returned.
> 
> Since the signaling messages are sent in "clear text,"
> meaning that any schmuck with ethereal or some other
> sniffing tool can read the packets, and the
> information within, it's not unforeseeable that a
> potential evil user can send messages to the MIP
> foreign, or home agent and listen for the registration
> reply with whatever error code. Based on that, he can
> use a brute force tool, or even some rainbow crack
> lookups and potentially extract the user's secret key.
> In the event that such a thing happened, the evil user
> can hijack legitimate users' packet data sessions.
> 
> I'll be writing a case study using the Dynamics Mobile
> IP implementation, as well as releasing a patch to
> dynamics so that it will simply drop any messages that
> could potentially be used for enumeration against
> Mobile IP agents.
> 
> Just figured I'd release this information out there.
> -Aaron
> 

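Added example, not code from the Dynamics project or from either poster: a minimal home-agent side that verifies the MN-HA authentication extension described above and, in the spirit of the patch Aaron proposes, stops answering a source that keeps failing authentication instead of handing it a steady stream of distinguishable reply codes. Assumptions: the RFC 3344 Registration Request layout and HMAC-MD5 default algorithm as stated there, reply code 131 for "mobile node failed authentication", and constructed addresses, SPI and shared secret.

```python
import hmac, hashlib, struct
from collections import defaultdict

MN_HA_AUTH_EXT = 32        # RFC 3344 Mobile-Home Authentication Extension type
CODE_ACCEPTED = 0          # registration accepted
CODE_MN_FAILED_AUTH = 131  # HA reply code: mobile node failed authentication

def build_request(home_addr, ha_addr, coa, ident, spi, key):
    """Constructed sample: 24-byte Registration Request header followed by an
    MN-HA authentication extension; the authenticator is HMAC-MD5 over the
    header plus the extension's Type, Length and SPI (RFC 3344 default)."""
    hdr = struct.pack("!BBH4s4s4sQ", 1, 0, 1800, home_addr, ha_addr, coa, ident)
    ext_hdr = struct.pack("!BBI", MN_HA_AUTH_EXT, 20, spi)  # Length = 4 + 16
    return hdr + ext_hdr + hmac.new(key, hdr + ext_hdr, hashlib.md5).digest()

def verify_request(pkt, keys):
    """True only if the extension is well-formed and the authenticator matches
    the shared key registered for its SPI (constant-time comparison)."""
    if len(pkt) < 24 + 6 + 16:
        return False
    ext_type, ext_len, spi = struct.unpack("!BBI", pkt[24:30])
    if ext_type != MN_HA_AUTH_EXT or ext_len != 20 or spi not in keys:
        return False
    expected = hmac.new(keys[spi], pkt[:30], hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[30:46])

class HomeAgentPolicy:
    """Reply policy for a home agent: failed authentications are counted per
    source address, and once more than `threshold` fail inside `window`
    seconds the request is dropped with no reply at all, so an unauthenticated
    sender cannot keep harvesting failure codes; `now` is injected for testing."""
    def __init__(self, keys, threshold=3, window=60.0):
        self.keys, self.threshold, self.window = keys, threshold, window
        self.failures = defaultdict(list)

    def handle(self, src, pkt, now):
        if verify_request(pkt, self.keys):
            self.failures.pop(src, None)
            return CODE_ACCEPTED
        recent = [t for t in self.failures[src] if now - t < self.window]
        recent.append(now)
        self.failures[src] = recent
        if len(recent) > self.threshold:
            return None  # silently dropped; a good place to emit an alert
        return CODE_MN_FAILED_AUTH
```

The drop decision is also the natural detection point: a source that crosses the threshold is sending requests it cannot authenticate, which legitimate mobile nodes rarely do.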