Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload.
A critical vulnerability exists in several Symantec and VelociRaptor firewall products due to a buffer overflow in the Entrust LibKmp ISAKMP library. It allows remote attackers to execute arbitrary code, potentially leading to complete system compromise and data exfiltration.
Step 1: Payload Delivery: The attacker crafts a malicious ISAKMP packet designed to trigger the buffer overflow and sends it to the firewall.
Step 2: Packet Reception: The vulnerable firewall product receives the crafted ISAKMP packet.
Step 3: ISAKMP Processing: The Entrust LibKmp library within the firewall attempts to parse and process the ISAKMP payload.
Step 4: Buffer Overflow: The library copies the attacker-controlled payload into a fixed-size buffer without bounds checking. Because the payload is larger than the buffer, the copy overruns it.
Step 5: Code Execution: The overflow overwrites adjacent memory, potentially including function pointers or other critical data. The attacker can thereby redirect program execution to code injected within the payload or to existing code on the system, gaining control of the firewall.
The vulnerability stems from a buffer overflow in the Entrust LibKmp ISAKMP library during the handling of ISAKMP payloads. The library fails to validate the size of incoming data, so an attacker can send a crafted ISAKMP packet whose payload is larger than the allocated buffer. The excess bytes overwrite adjacent memory, potentially including critical data structures or code pointers, leading to arbitrary code execution. The root cause is a missing bounds check on input data in the ISAKMP parsing routines: the library likely stores payload data in a fixed-size buffer and never compares the received length against that buffer's capacity, so an oversized payload overflows it.
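The following C program is an added example reconstructing the bug class described in the steps and root-cause paragraph above; it is not LibKmp source and the advisory does not disclose the library's actual code. It parses the ISAKMP generic payload header (RFC 2408: Next Payload, RESERVED, 2-byte Payload Length that counts the header) into a fixed-size buffer. The buffer size PAYLOAD_BUF_LEN, the struct and function names, and the three constructed packets are assumptions for illustration. The unchecked copy the text describes is shown as a comment; the hardened parser rejects a payload whose declared length exceeds the bytes actually received or the buffer capacity before any copy takes place.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not LibKmp code. Generic payload header per RFC 2408 3.2:
 * Next Payload (1) | RESERVED (1) | Payload Length (2, big-endian, incl. header).
 * PAYLOAD_BUF_LEN is an assumed size for the parser's fixed buffer. */
#define ISAKMP_GEN_HDR_LEN 4
#define PAYLOAD_BUF_LEN    64

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* fewer bytes received than the header claims */
    PARSE_BAD_LENGTH,  /* declared length smaller than the header itself */
    PARSE_TOO_LARGE    /* body would not fit the fixed-size buffer */
};

struct payload_ctx {
    uint8_t  next_payload;
    uint16_t body_len;
    uint8_t  body[PAYLOAD_BUF_LEN];
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern the advisory describes, kept as a comment only:
 *
 *     uint16_t declared = rd16(pkt + 2);
 *     memcpy(ctx->body, pkt + 4, declared - 4);   // never compared to sizeof body
 *
 * `declared` comes from the packet, so the copy length is attacker-controlled
 * while the destination is fixed at PAYLOAD_BUF_LEN bytes. */

/* Hardened parser: copy only after the declared length is checked against
 * both the bytes actually received and the destination buffer size. */
enum parse_status parse_generic_payload(const uint8_t *pkt, size_t pkt_len,
                                        struct payload_ctx *ctx)
{
    if (pkt_len < ISAKMP_GEN_HDR_LEN)
        return PARSE_TRUNCATED;

    uint16_t declared = rd16(pkt + 2);
    if (declared < ISAKMP_GEN_HDR_LEN)
        return PARSE_BAD_LENGTH;          /* also stops declared - 4 from wrapping */
    if (declared > pkt_len)
        return PARSE_TRUNCATED;           /* header claims more than was received */

    size_t body_len = declared - ISAKMP_GEN_HDR_LEN;
    if (body_len > sizeof ctx->body)
        return PARSE_TOO_LARGE;           /* the bounds check the library lacked */

    ctx->next_payload = pkt[0];
    ctx->body_len = (uint16_t)body_len;
    memcpy(ctx->body, pkt + ISAKMP_GEN_HDR_LEN, body_len);
    return PARSE_OK;
}

/* Constructed test input: header with `declared` in the length field,
 * followed by body_len filler bytes. Returns bytes written, 0 on no room. */
static size_t build_payload(uint8_t *out, size_t out_cap,
                            uint16_t declared, size_t body_len)
{
    size_t total = ISAKMP_GEN_HDR_LEN + body_len;
    if (total > out_cap)
        return 0;
    out[0] = 0x0d;                        /* Next Payload: Vendor ID, arbitrary here */
    out[1] = 0x00;                        /* RESERVED */
    out[2] = (uint8_t)(declared >> 8);
    out[3] = (uint8_t)(declared & 0xff);
    memset(out + ISAKMP_GEN_HDR_LEN, 0x41, body_len);
    return total;
}

/* Consistent header, 16-byte body: accepted. */
enum parse_status demo_benign(void)
{
    uint8_t pkt[256]; struct payload_ctx ctx;
    size_t n = build_payload(pkt, sizeof pkt, ISAKMP_GEN_HDR_LEN + 16, 16);
    return parse_generic_payload(pkt, n, &ctx);
}

/* Consistent header, 200-byte body: exceeds the 64-byte buffer, rejected. */
enum parse_status demo_oversized(void)
{
    uint8_t pkt[256]; struct payload_ctx ctx;
    size_t n = build_payload(pkt, sizeof pkt, ISAKMP_GEN_HDR_LEN + 200, 200);
    return parse_generic_payload(pkt, n, &ctx);
}

/* Header claims 1000 bytes but only 20 arrived: rejected before any copy. */
enum parse_status demo_lying_length(void)
{
    uint8_t pkt[256]; struct payload_ctx ctx;
    size_t n = build_payload(pkt, sizeof pkt, 1000, 16);
    return parse_generic_payload(pkt, n, &ctx);
}

int main(void)
{
    printf("benign=%d oversized=%d lying_length=%d\n",
           demo_benign(), demo_oversized(), demo_lying_length());
    return 0;
}
```

The two rejection paths matter for different reasons: the capacity check (PARSE_TOO_LARGE) is the fix for the overflow itself, while the received-length check (PARSE_TRUNCATED) prevents an over-read of the receive buffer when the header lies about how much data follows. A parser that only performs one of them is still unsafe on untrusted input.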