lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <1099826198.3283.13.camel@anduril.intranet.cartel-securite.net>
From: blancher at cartel-securite.fr (Cedric Blancher)
Subject: Linux problem, steal of IP and traffic redirection could bypass a firewall

On Saturday, 06 November 2004 at 21:35 +0100, NetExpress wrote:
> Because of this, if I have a gateway with IP IPA, and set up a
> desktop/server on the LAN with the same IP IPA, when it starts it will
> be the new gateway for the whole network.

For this to work, you must assume the gateway ARP entry (MAC/IP association)
is not in the targeted system's ARP cache, which is a quite hazardous
assumption, as a system is supposed to interact quite often with it.
Moreover, even if it is not present, you will have an ARP answer race on
this very IP (yours and the gateway's), which has to be solved in
order to correctly achieve redirection.

> If Linux would send a gratuitous ARP when it gives up an IP, real or virtual,
> this problem would not be possible, because it could not bind an IP that is
> already present on the net.

I really don't see why.
If I want to spoof an IP the way you exposed, the _very_ simple way is
to filter that very gratuitous ARP, using ebtables, so it will get
dropped.

Moreover, there are more efficient ways to achieve network MiM attacks,
especially ARP cache poisoning, that do not need to spoof an IP the way
you exposed. See http://www.arp-sk.org/ as one article among many on
this technique.

In addition to this, simply relying on the assumption that the _compromised_
host will just say "hello, I'm spoofing your IP" to everyone is blindly
naive. MS Windows does send gratuitous ARP, and it really does not
prevent anyone from spoofing IPs from a Windows system. What can prevent one
from writing a program (relying on WinPcap) that listens to ARP requests
and answers them with its own IP, which achieves just the same as
aliasing the IP? Moreover, the way gratuitous ARP reception is handled,
by showing a "Hey man, I'm spoofed" window, can be used as a clear DoS against
the logged-in guy, who will spend his time closing such alerts... This
raises the problem of "how would you treat a spoofed gratuitous ARP?",
which is to me a clear open boulevard to network DoS.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
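The last paragraph of the reply asks how a host should treat a spoofed gratuitous ARP without turning every forged announcement into an alert the user has to click away. The Python monitor below is an added example, not code from this thread, from arp-sk or from any tool mentioned in it. It parses Ethernet/ARP frames, learns IP-to-MAC bindings from the sender fields, raises an alert when a known binding changes or when the Ethernet source address disagrees with the ARP sender address, and rate-limits alerts per (IP, MAC) pair so that a flood of identical forged announcements yields one alert per window instead of one per frame. The addresses, the `_frame` serializer and the `SAMPLE` list are constructed test input, not a capture.

```python
import struct
import time

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns the fields a monitor cares about, or None if the frame is not
    ARP or is truncated. 'gratuitous' is True when the sender announces its
    own address (sender IP == target IP), the case discussed in the thread.
    """
    if len(frame) < 14 + 28:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    spa, tpa = frame[28:32], frame[38:42]
    return {
        "opcode": oper,
        "eth_src": _mac(frame[6:12]),
        "sha": _mac(frame[22:28]), "spa": _ip(spa),
        "tha": _mac(frame[32:38]), "tpa": _ip(tpa),
        "gratuitous": spa == tpa,
    }


class ArpMonitor:
    """Learn IP -> MAC bindings and alert on changes, with per-pair rate limiting."""

    def __init__(self, alert_window=60.0):
        self.alert_window = alert_window
        self.bindings = {}      # ip -> mac, learned from sender fields
        self.alerts = []        # alerts actually raised
        self.suppressed = 0     # alerts dropped by the per-(ip, mac) rate limit
        self._last_alert = {}   # (ip, mac) -> time of the last raised alert

    def observe(self, frame, now=None):
        now = time.monotonic() if now is None else now
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["spa"], pkt["sha"]
        if ip == "0.0.0.0":
            return None         # ARP probe: sender has no address yet, nothing to learn
        findings = []
        if pkt["sha"] != pkt["eth_src"]:
            findings.append("Ethernet source differs from ARP sender MAC")
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting is learned silently
        elif known != mac:
            findings.append(f"{ip} moved from {known} to {mac}")
            # Design choice: a single unsolicited frame does not overwrite the
            # learned binding; an operator confirms a real change out of band.
        if not findings:
            return None
        key = (ip, mac)
        last = self._last_alert.get(key)
        if last is not None and now - last < self.alert_window:
            self.suppressed += 1             # same claim, same window: do not re-alert
            return None
        self._last_alert[key] = now
        alert = {"time": now, "ip": ip, "mac": mac,
                 "gratuitous": pkt["gratuitous"], "findings": findings}
        self.alerts.append(alert)
        return alert


def _frame(dst, src, opcode, sha, spa, tha, tpa):
    """Serialize one Ethernet/ARP frame; used only to build offline sample input."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(dst) + m(src) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + m(sha) + i(spa) + m(tha) + i(tpa))


# Constructed addresses (documentation range), not from the original thread.
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "192.0.2.10", "02:00:00:00:00:0a"
ROGUE_MAC = "02:00:00:00:00:ee"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE = [  # (seconds, frame): constructed sequence, not a capture
    (0.0, _frame(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)),
    (1.0, _frame(BCAST, GW_MAC, ARP_REQUEST, GW_MAC, GW_IP, ZERO, GW_IP)),  # legitimate gratuitous ARP
    (2.0, _frame(HOST_MAC, ROGUE_MAC, ARP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP)),
] + [
    (3.0 + k, _frame(BCAST, ROGUE_MAC, ARP_REQUEST, ROGUE_MAC, GW_IP, ZERO, GW_IP))
    for k in range(5)                                                        # burst of forged announcements
] + [
    (100.0, _frame(BCAST, ROGUE_MAC, ARP_REQUEST, ROGUE_MAC, GW_IP, ZERO, GW_IP)),  # after the window
]


def run_sample():
    mon = ArpMonitor(alert_window=60.0)
    for t, f in SAMPLE:
        mon.observe(f, now=t)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    for a in mon.alerts:
        print(f"t={a['time']:>6}: {a['ip']} via {a['mac']} gratuitous={a['gratuitous']} {a['findings']}")
    print(f"{mon.suppressed} duplicate alerts suppressed; gateway still bound to {mon.bindings[GW_IP]}")
```

On the sample sequence the burst of five forged gratuitous announcements produces exactly one alert; the sixth, sent after the 60-second window has elapsed, produces a second. The learned gateway binding is left untouched, so the monitor's view of the network is not re-pointed by the very frames it is alerting on.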