lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 27 Aug 2006 12:32:19 +0200
From: hadmut@...isch.de (Hadmut Danisch)
To: full-disclosure@...ts.grok.org.uk
Subject: Microsoft Vista's IPv6: Dangerous Information
	Leak?

Hi,

I haven't been using a Microsoft Windows Vista so far, just read some
announcements and white papers. However, it appears to me at a first
glance, as if it had a significat information leak.

Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called
Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the
differences are:



- IPv6 packages are wrapped in UDP

- Thus, they run more easily through Firewalls and NAT devices

- You can do it with RFC1918 addresses

- In contrast to 6to4 it is intended to be used host-to-host.
 
  While 6to4 is something you would run on your outermost router 
  (the one with an official IPv4 address) and provide plain IPv6 to
  your internal network (then you know what your're doing, you
  actively have to configure it), Teredo is designed to run
  automatically on the local host. So every desktop machine becomes a
  tunneling client.




As announced by Microsoft, Teredo is activated by default. Windows
Vista will allways prefer IPv6 to IPv4 where possible. So most
Vista users, especially common users with network experience, would
not even realize that they are using IPv6. 

Most network and security devices, and network admins will not realize
this either, since they see only plain IPv4 UDP packets. I haven't
seen any firewall so far able to unpack Teredo packets. 


So the implications can be severe. As far as I can see at the moment:

- You are using IPv6 without realizing or enabling it.

- You are running it from your desktop machine.

- You are thus opening a tunnel through your NAT/Firewall device
  passing _all_ kind of traffice unfiltered through, no logging.

- Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be routed 
  over a central Teredo server or relay, which is "helping" in the 
  configuration of the Teredo client and routing Teredo packets to
  other Teredo clients or plain IPv6.

  So these servers (and thus network devices and IP providers close to
  the servers) can easily wiretap your traffic. 

- I guess that every Vista client will try to register at a Teredo
  server, so the server will/can generate an almost complete list of
  all clients.



Can anyone experienced with Windows Vista comment on? Am I correct or
did I overlook anything? (Did not have a running Vista yet...)


regards
Hadmut


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ