lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4DDA1E2D.8080405@mh-sec.de>
Date: Mon, 23 May 2011 10:43:25 +0200
From: Marc Heuse <mh@...sec.de>
To: full-disclosure-request@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Bypassing Cisco's ICMPv6 Router Advertisement Guard feature

To bypass the Router Advertisement Guarding feature in the (very few)
Cisco switches (and images) that support it:

Attack:
=======
Make the evil Router Advertisement fragmented and put the ICMPv6 into
the second fragment, eg. by putting a very large Destination extension
header before the ICMPv6 part.

So the packets look like:

Fragment 1:
 IPv6 Header
 Fragmentation Header
 Destination Header (~1400 bytes)

Fragment 2:
 IPv6 Header
 Fragmentation Header
 Destination Header (continued with some bytes)
 ICMPv6 with RA


Workaround:
===========
To prevent this attack, put the following IPv6 ACL on all ports:

    deny ip any any undetermined-transport

This will drop all packets where the switch is not able to identify the
IPv6 transport type like in this attack. Note that this might drop some
unusual valid traffic too.


Workaround Bypass:
==================
Craft the packets in a way so that the first fragment has an ICMPv6 echo
request and the second fragment overwrites the first fragment with the
ICMPv6 router advertisement.

Fragment 1:
 IPv6 Header
 Fragmentation Header
 Destination Header (8 bytes)
 ICMPv6 with Echo Request

Fragment 2:
 IPv6 Header
 Fragmentation Header with offset == 1 (equals position of 8th byte ==
start of Echo Request in first fragment)
 ICMPv6 with RA

Note that the handling of overlapping fragments differs between
platforms, some take the first fragment received, others the latest, so
send the packets accordingly to your target.


Hackers win again. Sorry Cisco.
Have fun with IPv6!

Greets,
Marc

P.S. Cisco is informed, they "accept the risk" ...
P.P.S. thc-ipv6 v1.6 was released 10 days ago :-)

--
Marc Heuse
www.mh-sec.de

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ