lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Apr 2010 10:22:40 +0300
From: Stefan Laudat <Stefan.Laudat@...ianztiriac.ro>
To: <xperience@...eria.pl>, <bugtraq@...urityfocus.com>
Subject: RE: STP mitm attack idea

Hello,

Before the Cisco network-witty guys will start poking around calling it a fudge and welcoming you to the last week, I might outline this for you: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965
It's a feature, not a bug, and it's as oldschool as email forging with telnet or BGP poisoning by more specific route injection. Of course, there might be STP enabled switches out there with no security features, but the problem resides in the risk management not in the product.
Sounds to me more like the description of a threat, not like a vulnerability. Great for Risk Assessment scenarios, though.

Stefan Laudat
Information Security Manager
CISSP-ITIL Manager-PrInCE2 Practitioner
Allianz-Tiriac Asigurari SA
Tel: +4012082381 / Int 100381
80-84 Caderea Bastiliei str., Bucharest 1, 010616, Romania

Please note: This email and any files transmitted with it is intended only for the named recipients and may contain confidential and/or privileged information. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others and notify the sender immediately. Then please delete the email and any copies of it. Thank you.

 Please consider the environment before printing this e-mail. 

Allianz is committed to achieve a group-wide CO2 reduction of 20% by 2012:
Print two pages on one side and bothsides
Avoid handouts; send your presentation electronically
Use recycled paper whenever possible
Scan mail documents and send them per email
Use one-sided prints as scratch papers
Select the "Power saver" plan option on your computer


-----Original Message-----
From: xperience@...eria.pl [mailto:xperience@...eria.pl] 
Sent: Tuesday, April 27, 2010 8:55 PM
To: bugtraq@...urityfocus.com
Subject: STP mitm attack idea

As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one station and two ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station
As two cards are possible, that access to two switches in one ie. office is almost impossible.
My idea for modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches in way beetween attacked stations (C and D) 

A ---- switch 1 ----- switch 2 ----- B
          |              |
          |              |
          C              D

Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2 3. Switch 2 - accepts frame via link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non existing connection and switch from C port on switch 1 to D port on switch 2

A ---- switch 1 --X-- switch 2 ----- B
          |              |
          |              |
          C  --no conn-- D
2. Station A sends frame to B
3. Frame is forwarded to C station
4. Station C stores frame in memory
5. After equal timing station C and station D repair link beetween switch 1 and 2 6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet) 7. stations C and D break link beetween switches 1 and 2 8. station D sends transmitted packet to station B

Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in large multiswitch enviroment with many stations sometimes we can find in example two compromised windows or linux hosts)
- when we have good timing and packet detection method, we can separate one protocol connection from whole traffic

Disadvantages of method.
- stops whole traffic beetween switches, and needs delicate timing
- when link beetween switch 1 and 2 is working we can't see frames that flying across wire

Additional information.
- timing question, ie - retransmition time beetween tcp frames, and time to break and repair link - is it possible to do it before frame is retransmited?

Uh that's all. Please think about it is possible, because my programming skills are to low to make it working.

With regards
Xperience

Powered by blists - more mailing lists