Message-ID: <20110523090708.GI24792@ernw.de>
Date: Mon, 23 May 2011 11:07:08 +0200
From: Enno Rey <erey@...w.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Bypassing Cisco's ICMPv6 Router Advertisement Guard feature

Hi,

some Wireshark excerpts on the attack Marc describes below can be found here:

http://www.insinuator.net/2011/05/yet-another-update-on-ipv6-security-some-notes-from-the-ipv6-kongress-in-frankfurt/

thanks

Enno

On Mon, May 23, 2011 at 10:49:05AM +0200, Marc Heuse wrote:
>
> To bypass the Router Advertisement Guarding feature in the (very few)
> Cisco switches (and images) that support it:
>
> Attack:
> =======
> Make the evil Router Advertisement fragmented and put the ICMPv6 into
> the second fragment, eg. by putting a very large Destination extension
> header before the ICMPv6 part.
>
> So the packets look like:
>
> Fragment 1:
>   IPv6 Header
>   Fragmentation Header
>   Destination Header (~1400 bytes)
>
> Fragment 2:
>   IPv6 Header
>   Fragmentation Header
>   Destination Header (continued with some bytes)
>   ICMPv6 with RA
>
>
> Workaround:
> ===========
> To prevent this attack, put the following IPv6 ACL on all ports:
>
>   deny ip any any undetermined-transport
>
> This will drop all packets where the switch is not able to identify the
> IPv6 transport type like in this attack. Note that this might drop some
> unusual valid traffic too.
>
>
> Workaround Bypass:
> ==================
> Craft the packets in a way so that the first fragment has an ICMPv6 echo
> request and the second fragment overwrites the first fragment with the
> ICMPv6 router advertisement.
>
> Fragment 1:
>   IPv6 Header
>   Fragmentation Header
>   Destination Header (8 bytes)
>   ICMPv6 with Echo Request
>
> Fragment 2:
>   IPv6 Header
>   Fragmentation Header with offset == 1 (equals position of 8th byte ==
>   start of Echo Request in first fragment)
>   ICMPv6 with RA
>
> Note that the handling of overlapping fragments differs between
> platforms, some take the first fragment received, others the latest, so
> send the packets accordingly to your target.
>
>
> Hackers win again. Sorry Cisco.
> Have fun with IPv6!
>
> Greets,
> Marc
>
> P.S. Cisco is informed, they "accept the risk" ...
> P.P.S. thc-ipv6 v1.6 was released 10 days ago :-)
>
> --
> Marc Heuse
> www.mh-sec.de
>
> Ust.-Ident.-Nr.: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
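Detection logic for the two conditions in Marc's mail, added here as an example that is part of neither message and is not thc-ipv6 or Cisco code: a walk of the header chain that reports a first fragment whose upper-layer header is not inside it (the condition the `undetermined-transport` ACL keyword matches), and an overlap check for the fragment ranges that the ACL workaround does not catch. The packet samples are constructed with zeroed addresses and no real RA payload; they are not captures.

```python
import struct

FRAGMENT, DSTOPTS, ICMPV6 = 44, 60, 58
EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: walkable extension headers

def ipv6(next_hdr, payload):
    """Constructed IPv6 header (zeroed addresses, sample only) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + bytes(32) + payload

def frag_hdr(next_hdr, offset, more, ident=0x1234):
    """Fragment header; offset is in 8-byte units, the M flag is the low bit."""
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), ident)

def fragment_transport(pkt):
    """Return (fragment_offset, transport). transport is None when the
    upper-layer header is not inside this fragment, i.e. the
    'undetermined transport' case that RA Guard cannot classify."""
    nxt, pos = pkt[6], 40
    while nxt in EXT:                        # unfragmentable part
        nxt, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
    if nxt != FRAGMENT:
        return (None, nxt)                   # not fragmented at all
    nxt = pkt[pos]
    offset = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3
    pos += 8
    if offset:
        return (offset, None)                # later fragment: transport is in fragment 1
    while nxt in EXT:                        # fragmentable part of fragment 1
        if pos + 2 > len(pkt) or pos + (pkt[pos + 1] + 1) * 8 > len(pkt):
            return (0, None)                 # extension header spills into fragment 2
        nxt, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
    return (0, nxt)

def overlapping(frags):
    """frags: [(offset_in_8byte_units, fragmentable_payload_len)] for one
    datagram. True if a fragment rewrites bytes another one already covers."""
    spans = sorted((o * 8, o * 8 + n) for o, n in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))

# Constructed samples following the layouts in Marc's mail (no real RA payload).
# Destination header claims (175 + 1) * 8 = 1408 bytes but only 1400 are present.
ATTACK_FRAG1 = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, True) + bytes([ICMPV6, 175]) + bytes(1398))
ECHO_FRAG1 = ipv6(FRAGMENT, frag_hdr(ICMPV6, 0, True) + bytes([128, 0]) + bytes(1230))
FRAG2 = ipv6(FRAGMENT, frag_hdr(ICMPV6, 1, False) + bytes(24))

if __name__ == "__main__":
    for name, p in [("attack frag1", ATTACK_FRAG1), ("echo frag1", ECHO_FRAG1), ("frag2", FRAG2)]:
        print(name, fragment_transport(p))
    # Workaround bypass: 8-byte Dst header + 8-byte echo in frag 1, frag 2 at offset 1
    print("overlap:", overlapping([(0, 16), (1, 24)]))
```

A first fragment that yields `(0, None)` is what the ACL drops; the bypass variant passes that check (`(0, 58)`) and is only visible to a reassembly-aware check such as `overlapping`.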