[Dailydave] [enumeration vulnerability] Mobile IP, dynamics mip implementation, and you

Aaron apconole at yahoo.com
Thu Dec 7 20:44:23 EST 2006 

Actually, after a further review of 3344, it seems as though section 3.2.7.1 does address this issue now.

"If no Mobile-Foreign Authentication Extension is found, or if more than one Mobile-Foreign
Authentication Extension is found, or if the Authenticator is
invalid, the foreign agent MUST silently discard the Request and
SHOULD log the event as a security exception"

Thank you for pointing this out.

Gadi Evron <ge at linuxbox.org> wrote: On Thu, 7 Dec 2006, Aaron wrote:
> This is my first real security related mailing, so I
> hope it's acceptable. A search on the web revealed
> that no one has yet pointed out this flaw, so I figure
> I will.

It's cool. Thanks for sharing. :)

However, part of the community is also peer review. A friend just noted:

"As for the specific issues raised below -- it's far too long since I've
read those RFCs, so I can't comment in detail; I will note that both
are listed as Obsolete in the RFC index.  RFC 3344 is the current MIP
document, and any criticisms should be probably be based on it."


> 
> In the MIP rfc 2002 and 3220 specs, neither talk about
> authentication failures, or when it is acceptable NOT
> to include the authentication extension. In fact,
> these specs go as far as to include error cases when
> we have failed authentications, and mandate that an
> authentication extension be returned.
> 
> Since the signaling messages are sent in "clear text,"
> meaning that any schmuck with ethereal or some other
> sniffing tool can read the packets, and the
> information within, it's not unforseeable that a
> potential evil user can send messages to the MIP
> foreign, or home agent and listen for the registration
> reply with whatever error code. Based on that, he can
> use a brute force tool, or even some rainbow crack
> lookups and potentially extract the users secret key.
> In the even that such a thing happened, the evil user
> can hijack legitimate users packet data sessions.
> 
> I'll be writing a case study using the Dynamics Mobile
> IP implementation, as well as releasing a patch to
> dynamics so that it will simply drop any messages that
> could potentially be used for enumeration against
> Mobile IP agents.
> 
> Just figured I'd release this information out there.
> -Aaron
> 
> 
>  
> ____________________________________________________________________________________
> Have a burning question?  
> Go to www.Answers.yahoo.com and get answers from real people who know.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 



 
---------------------------------
Want to start your own business? Learn how on Yahoo! Small Business.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061207/624fddcf/attachment-0001.htm

More information about the Dailydave mailing list