| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Apr 2011 08:10:31 +0200 From: Marc Heuse <mh@...sec.de> To: full-disclosure@...ts.grok.org.uk Subject: Another Microsoft (and other) IPv6 security issue: sniffer detection Hi folks, another neat security issue with IPv6 which can be also exploited on IPv4-only LANs. It is possible to identify hosts on the local LAN which are sniffing. But before spoiling the details, a short rant. Skip it if you don't care. I am mad at Microsoft how they ignore severe but local LAN security issues. (see http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt) I usually only make an advisory if the the vendor does not fix the bug in a timely fashion (> 6 months) or it was a deliberate backdoor. So when I found the IPv6 Router Advertisement flooding DOS, I was surprised that Cisco fixes the bug fast - and Microsoft doesnt. It is their stand (as can be read in an interview they gave here yesterday: http://www.securityvibes.com/community/en/blog/2011/04/14/ipv6-tackling-the-rogue-ras) that local LAN attacks are nothing to worry about, as this is only possible if someone is already in the trusted environment. That "trusted environment" can mean a conference or university network, or a public WLAN, doesnt seem to be a problem for Microsoft. But picture my surprise when I reported Microsoft that it is possible to detect a Windows system sniffing on the local LAN - they will fix this security issue. Yes, read again. Sniffing detection is a serious security issue for Microsoft to fix, but DOSing all Windows systems on the same network is nothing to move a finger for. Enough ranting, lets get the details. All you need to do is sending an ICMPv6 Echo Request packet to the potentially sniffing host with a multicast MAC address. Multicast MAC addresses are special MAC addresses that a system can choose to look for; they start with 03:03:..... The multicast MAC address you choose may of course not one the host is listening to, 03:03:99:00:00:99 should be a safe choice. This can be tested with the thcping tool from the thc-ipv6 package (www.thc.org/thc-ipv6): ./thcping eth0 YOUR-LINK-LOCAL-ADDRESS TARGET-LINK-LOCAL-ADDRESS YOUR-MAC 03:03:99:00:00:99 foo Run a sniffer (e.g. in non-promisc mode ;-) and see if you get an echo reply. If so, the target host is sniffing. The target host's link local address can be created from it's MAC address, e.g. if it is 00:30:48:53:aa:aa, then the link local address is fe80::230:48ff:fe53:aaaa (note the bit flip on the first MAC address octet). There is also a way to send this to all local systems at once via ff02::1, however this involves crafting a special error generating destination extension header. (this might even work with IPv4 pings and multicast MACs and not even need ICMPv6 at all, haven't tried, didn't care.) Affected OS: Windows 2008, 7, Vista in default config; 2003, 2000, XP when IPv6 is activated. Linux in default config FreeBSD when IPv6 is activated CVEs: CVE-2010-4562, CVE-2010-4563 Vendors informed on the 29th December 2010 This does not count as a security advisory :-) Greets, Marc P.S. For the historians, funnily I found a similar issue for IPv4 in 1998 which could detect sniffing Linux machines. History repeating. Especially with IPv6. -- Marc Heuse http://www.mh-sec.de PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists