Message-ID: <000601c6cc82$6c5f7d90$451e78b0$@com>
Date: Wed, 30 Aug 2006 18:19:50 -0400
From: "TJ" <trejrco@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: Microsoft Vista's IPv6: Dangerous Information Leak?
Assuming you are not default-denying almost all traffic (and perhaps
proxying most other?) ... Yes, all you need to do is block the server traffic
(UDP/3544) ... without which Teredo clients won't establish their tunnel,
and the relays never come into play. Hopefully, as more firewalls/IDSes
become more IPv6 savvy they will learn to crack open all of the "transition
mechanism" tunnels - Prot41, UDP-encaps, etc. ... sooner would be better than
later.
Also, to (hopefully) answer another of Hadmut's original questions - "Am I
correct or did I overlook anything" ... the only thing I would add is that
Vista is intended to "just make IPv6 work" for the unmanaged environment,
which it looks to do a decent job of ... for better or worse!
To change the topic just a bit - TSP (a la Hexago/Tunnel Broker) can also
traverse NAT via UDP-encapsulation and while it (IIRC) uses UDP/3653 by
default, since the TSP client needs to be manually installed anyway someone
could certainly tweak the port# :-(
Thanks; and I'd love to hear more on IPv6-related topics/advancements
(offlist if not FD-relevant) ... especially any distributed FW/IDS
implementations!
/TJ
PS - The availability of Teredo servers/relays is limited, for now ... and the
host needs to be explicitly told the addresses of the server(s), IIRC.
> -----Original Message-----
> From: Jim Hoagland [mailto:jim_hoagland@...antec.com]
> Sent: Wednesday, August 30, 2006 16:30
> To: TJ
> Subject: Re: [Full-disclosure] Microsoft Vista's IPv6: Dangerous Information Leak?
>
>
> How do you recommend blocking all Teredo traffic? Can't Teredo clients
> and relays run on arbitrary ports?
>
> Server-bound traffic is easy to block, assuming they are only on port
> 3544.
>
> Thanks,
>
> Jim
>
> --
> Jim Hoagland, Ph.D., CISSP
> Principal Security Researcher
> Advanced Threats Research
> Symantec Security Response
> <http://www.symantec.com> www.symantec.com
>
> On 8/27/06 5:43 PM, "TJ" <trejrco@...il.com> wrote:
>
> > Yes, Teredo is a concern - both for Vista (V6 enabled by default) and
> > for those who have enabled V6 in WinXP (takes one command) ... or for
> > those who have installed a 'nix Teredo client. All predicated on
> > Teredo servers + relays being available, of course.
> >
> > And, for the enterprise / managed env. - easily blockable if you try,
> > even assuming you aren't following a default deny policy :).
> >
> > (BTW - blocking IP prot41 tunnels is also recommended, unless you mean
> > to let them out!)
> >
> >
> > /TJ (mobile)
> > PS - there is at least one other UDP-encapsulating 'transition
> > mechanism' as well ... thinking specifically of TSP.
> >
> > -----Original Message-----
> > From: "Hadmut Danisch" <hadmut@...isch.de>
> > To: full-disclosure@...ts.grok.org.uk
> > Sent: 08/27/06 06:32
> > Subject: [Full-disclosure] Microsoft Vista's IPv6: Dangerous Information Leak?
> >
> > Hi,
> >
> > I haven't been using a Microsoft Windows Vista so far, just read some
> > announcements and white papers. However, it appears to me at a first
> > glance, as if it had a significant information leak.
> >
> > Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called
> > Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the
> > differences are:
> >
> >
> >
> > - IPv6 packets are wrapped in UDP
> >
> > - Thus, they run more easily through Firewalls and NAT devices
> >
> > - You can do it with RFC1918 addresses
> >
> > - In contrast to 6to4 it is intended to be used host-to-host.
> >
> > While 6to4 is something you would run on your outermost router
> > (the one with an official IPv4 address) and provide plain IPv6 to
> > your internal network (then you know what you're doing, you
> > actively have to configure it), Teredo is designed to run
> > automatically on the local host. So every desktop machine becomes a
> > tunneling client.
> >
> >
> >
> >
> > As announced by Microsoft, Teredo is activated by default. Windows
> > Vista will always prefer IPv6 to IPv4 where possible. So most Vista
> > users, especially common users with network experience, would not even
> > realize that they are using IPv6.
> >
> > Most network and security devices, and network admins will not realize
> > this either, since they see only plain IPv4 UDP packets. I haven't
> > seen any firewall so far able to unpack Teredo packets.
> >
> >
> > So the implications can be severe. As far as I can see at the moment:
> >
> > - You are using IPv6 without realizing or enabling it.
> >
> > - You are running it from your desktop machine.
> >
> > - You are thus opening a tunnel through your NAT/Firewall device
> > passing _all_ kind of traffic unfiltered through, no logging.
> >
> > - Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be routed
> > over a central Teredo server or relay, which is "helping" in the
> > configuration of the Teredo client and routing Teredo packets to
> > other Teredo clients or plain IPv6.
> >
> > So these servers (and thus network devices and IP providers close to
> > the servers) can easily wiretap your traffic.
> >
> > - I guess that every Vista client will try to register at a Teredo
> > server, so the server will/can generate an almost complete list of
> > all clients.
> >
> >
> >
> > Can anyone experienced with Windows Vista comment on? Am I correct or
> > did I overlook anything? (Did not have a running Vista yet...)
> >
> >
> > regards
> > Hadmut
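The port question in the thread (Jim: can Teredo clients and relays run on arbitrary ports; TJ: block the UDP/3544 server traffic, and firewalls/IDSes should crack open the tunnels) worked through as an added Python example. This is not code from the thread or from any product or vendor named in it. It decodes the fields RFC 4380 embeds in a Teredo address (which is what a Teredo server learns about each client that registers), and it classifies captured packets by the encapsulated content rather than by port, so a relay or peer on a random port is still caught. The packet records, addresses and payloads below are constructed for illustration; the heuristics are simplified relative to a real IDS.

```python
"""Port-independent detection of Teredo and other IPv6-in-IPv4 tunnels.

Added example, not code from the thread. Packet records below are
constructed here. Layouts follow RFC 4380 (Teredo) and IP protocol 41
(6to4 / ISATAP / configured tunnels).
"""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 service prefix
TEREDO_SERVER_PORT = 3544                           # default *server* port only
PROTO_IPV6_IN_IPV4 = 41                             # 6to4, ISATAP, manual tunnels


def decode_teredo_address(addr):
    """Unpack what RFC 4380 embeds in a Teredo address.

    Layout: prefix(32) | server IPv4(32) | flags(16) | port ^ 0xFFFF(16)
            | client IPv4 ^ 0xFFFFFFFF(32)
    Returns (server_ipv4, cone_flag, client_external_port, client_external_ipv4).
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not inside {TEREDO_PREFIX}")
    raw = a.packed
    server = str(ipaddress.IPv4Address(raw[4:8]))
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    client = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
    return server, bool(flags & 0x8000), obf_port ^ 0xFFFF, client


def ipv6_header(data):
    """Return (src, dst) if data starts with a self-consistent IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    payload_len = struct.unpack("!H", data[4:6])[0]
    if payload_len + 40 != len(data):
        return None
    return ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40])


def classify(pkt):
    """pkt: dict with 'proto', 'sport', 'dport', 'payload' (transport payload).

    Ports are never trusted for the decision: relays and peers use arbitrary
    ports, so we look for an IPv6 header inside the UDP payload instead.
    """
    if pkt["proto"] == PROTO_IPV6_IN_IPV4:
        return "ipv6-in-ipv4"
    if pkt["proto"] != 17:  # only UDP encapsulation is examined below
        return None
    data = pkt["payload"]
    # Authentication indication (0x0001, variable length, not parsed here) is
    # only used in the client<->server qualification exchange, i.e. the
    # UDP/3544 traffic that a port-based block already covers.
    if data[:2] == b"\x00\x01" and TEREDO_SERVER_PORT in (pkt["sport"], pkt["dport"]):
        return "teredo-auth"
    if data[:2] == b"\x00\x00" and len(data) >= 8:
        data = data[8:]  # strip the 8-byte origin indication (RFC 4380 5.1.1)
    hdr = ipv6_header(data)
    if hdr is None:
        return None
    if any(addr in TEREDO_PREFIX for addr in hdr):
        return "teredo"
    return "ipv6-in-udp"


def build_ipv6(src, dst, body, next_header=58):
    """Constructed IPv6 packet: 40-byte header + body (default ICMPv6)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


# Constructed sample traffic (documentation-style addresses, not real hosts).
CLIENT = "2001:0:4136:e378:8000:63bf:3fff:fdd2"   # Teredo client address
PEER = "2001:db8::1"                              # native IPv6 peer
ECHO = b"\x80\x00\x00\x00\x00\x01\x00\x01"        # ICMPv6 echo body
ORIGIN_IND = b"\x00\x00" + b"\x63\xbf" + b"\x3f\xff\xfd\xd2"
AUTH_IND = b"\x00\x01\x00\x00" + b"\x00" * 8 + b"\x00"

SAMPLE_PACKETS = [
    ("client -> peer via server, UDP/3544",
     dict(proto=17, sport=40000, dport=3544, payload=build_ipv6(CLIENT, PEER, ECHO))),
    ("relay -> client on a random port",
     dict(proto=17, sport=51234, dport=40000, payload=ORIGIN_IND + build_ipv6(PEER, CLIENT, ECHO))),
    ("qualification RS to server",
     dict(proto=17, sport=40000, dport=3544, payload=AUTH_IND + build_ipv6("fe80::1", "ff02::2", ECHO))),
    ("plain DNS query",
     dict(proto=17, sport=53001, dport=53, payload=b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    ("6to4, IP protocol 41",
     dict(proto=41, sport=None, dport=None, payload=build_ipv6("2002:c000:204::1", PEER, ECHO))),
]


def audit(packets=SAMPLE_PACKETS):
    """Label every sample packet; None means 'no tunnel seen'."""
    return {desc: classify(pkt) for desc, pkt in packets}


if __name__ == "__main__":
    print(decode_teredo_address(CLIENT))
    for desc, label in audit().items():
        print(f"{desc:40s} {label}")
```

The relay-to-client sample is the case a UDP/3544-only rule misses: nothing in it touches port 3544, yet the embedded IPv6 header carries a 2001::/32 address, and the origin indication in front of it even leaks the client's external port and IPv4 in obfuscated form.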
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html