lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4DC54157.9010306@computer.org>
Date:	Sat, 07 May 2011 14:55:51 +0200
From:	Jan Ceuleers <jan.ceuleers@...puter.org>
To:	netdev@...r.kernel.org
CC:	Gervais Arthur <arthur.gervais@...a-lyon.fr>
Subject: Fwd: PROBLEM: IPv6 Duplicate Address Detection with non RFC-conform
 ICMPv6 packets

The networking folks are on netdev

-------- Original Message --------
Subject: PROBLEM: IPv6 Duplicate Address Detection with non RFC-conform 
ICMPv6 packets
Date: Thu, 05 May 2011 11:52:05 +0200
From: Gervais Arthur <arthur.gervais@...a-lyon.fr>
To: <linux-kernel@...r.kernel.org>
CC: <arthur.gervais@...a-lyon.fr>

[1.] One line summary of the problem:

A specially crafted Ethernet ICMPv6 packet which is not conform to the
RFC can perform a IPv6 Duplicate Address Detection Failure.

[2.] Full description of the problem/report:

If a new IPv6 node joins the local area network, the new node sends an
ICMPv6 Neighbor Solicitation packet in order to check if the
self-generated local-link IPv6 address already occupied is.

An attacker can answer to this Neighbor Solicitation packet with an
ICMPv6 Neighbor Advertisement packet, so that the new IPv6 node is not
able to associate the just generated IPv6 address.
-- This problem is well known and IPv6 related.

The new problem is that the attacker can modify the Ethernet Neighbor
Advertisement packets, so that they are not RFC conform and so that it
is even more difficult to detect the attacker.

If an attacker sends the following packet, duplicate address detection
fails on Linux:

Ethernet Layer: 	Victim MAC --> Victim MAC
IPv6 Layer:		fe80::200:edff:feXX:XXXX --> ff02::1
			ICMPv6
			  Type 136 (Neighbor Advertisement)
			  Target: fe80::200:edff:feXX:XXXX
			ICMPv6 Option
			  Type 2 (Target link-layer address) Victim MAC

Please find attached a drawing and a proof of concept.

[3.] Keywords (i.e., modules, networking, kernel):

Network, IPv6, Duplicate Address Detection

[4.] Kernel version (from /proc/version):

Latest tested:
Linux version 2.6.35-22-generic (buildd@...hera) (gcc version 4.4.5
(Ubuntu/Linaro 4.4.4-14ubuntu4) ) #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC
2010
(and before most probably)

[6.] A small shell script or example program which triggers the
       problem (if possible)

Please find attached a python script demonstrating the problem.

[X.] Other notes, patches, fixes, workarounds:

The Linux Kernel should not accept incoming Ethernet packets originating
from an internal Ethernet card (identified by the MAC address)


Download attachment "DAD_DoS_Linux_tech.png" of type "image/png" (17435 bytes)

View attachment "dad-dos.py" of type "text/x-python" (999 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ