lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 4 Apr 2011 10:34:51 -0500
From: "Adam Behnke" <adam@...osecinstitute.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: SLAAC Attack - 0day Windows Network Interception
	Configuration Vulnerability

Hi full disclosure dudes, 

 

InfoSec Institute security researcher Alec Waters has just released a new
article on SLAAC Attacks. The basic premise is to use the default network
configuration found on all Windows 7 (as well as Server 2008, Vista)
installations to intercept and hijack all network traffic without any user
knowledge or interaction. 

 

The testing in our lab shows that this attack requires no interaction on the
user's part, and is totally transparent. It is hard to detect even in
enterprise computing environments with significant security gear in place.
It works on wired and wireless networks. Even though we are exploiting the
IPv6 to IPv4 translation process, it does not require an existing IPv6
network to be set up or functional. It only requires the operating system to
have IPv6 enabled by default. Mac OS-X is also likely vulnerable, but we
have not tested it yet. 

 

We detail the vulnerability, the effect, as well as provide scripts and some
tools for setting up the attack here:

 

http://resources.infosecinstitute.com/slaac-attack-
<http://resources.infosecinstitute.com/slaac-attack---0day-windows-network-i
nterception-configuration-vulnerability/>
--0day-windows-network-interception-configuration-vulnerability/

 

We contacted Microsoft over the weekend, but, because this is a default
installation configuration vulnerability, Microsoft is not able to release a
patch and states "While you are correct that this may not be something that
is easily/quickly corrected (at least with regards to just pushing out a
patch to change the default configuration if needed) this would be something
that we want to review and explore our options to mitigate against any
potential attacks. "

 

The fix right now is for Microsoft to default disable IPv6, but this cannot
be done retroactively to production desktops and servers because customers
may be using IPv6 for legitimate reasons. We believe the public needs to
know about the possibility of this attack, because other bad guys could have
figured it out before us and be exploiting unsuspecting companies right now.


 

 

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ