| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 07 May 2011 15:10:02 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Jan Ceuleers <jan.ceuleers@...puter.org> Cc: netdev@...r.kernel.org, Gervais Arthur <arthur.gervais@...a-lyon.fr> Subject: Re: Fwd: PROBLEM: IPv6 Duplicate Address Detection with non RFC-conform ICMPv6 packets Le samedi 07 mai 2011 à 14:55 +0200, Jan Ceuleers a écrit : > The networking folks are on netdev > > -------- Original Message -------- > Subject: PROBLEM: IPv6 Duplicate Address Detection with non RFC-conform > ICMPv6 packets > Date: Thu, 05 May 2011 11:52:05 +0200 > From: Gervais Arthur <arthur.gervais@...a-lyon.fr> > To: <linux-kernel@...r.kernel.org> > CC: <arthur.gervais@...a-lyon.fr> > > [1.] One line summary of the problem: > > A specially crafted Ethernet ICMPv6 packet which is not conform to the > RFC can perform a IPv6 Duplicate Address Detection Failure. > > [2.] Full description of the problem/report: > > If a new IPv6 node joins the local area network, the new node sends an > ICMPv6 Neighbor Solicitation packet in order to check if the > self-generated local-link IPv6 address already occupied is. > > An attacker can answer to this Neighbor Solicitation packet with an > ICMPv6 Neighbor Advertisement packet, so that the new IPv6 node is not > able to associate the just generated IPv6 address. > -- This problem is well known and IPv6 related. > > The new problem is that the attacker can modify the Ethernet Neighbor > Advertisement packets, so that they are not RFC conform and so that it > is even more difficult to detect the attacker. > > If an attacker sends the following packet, duplicate address detection > fails on Linux: > > Ethernet Layer: Victim MAC --> Victim MAC > IPv6 Layer: fe80::200:edff:feXX:XXXX --> ff02::1 > ICMPv6 > Type 136 (Neighbor Advertisement) > Target: fe80::200:edff:feXX:XXXX > ICMPv6 Option > Type 2 (Target link-layer address) Victim MAC > > Please find attached a drawing and a proof of concept. > > [3.] Keywords (i.e., modules, networking, kernel): > > Network, IPv6, Duplicate Address Detection > > [4.] Kernel version (from /proc/version): > > Latest tested: > Linux version 2.6.35-22-generic (buildd@...hera) (gcc version 4.4.5 > (Ubuntu/Linaro 4.4.4-14ubuntu4) ) #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC > 2010 > (and before most probably) > > [6.] A small shell script or example program which triggers the > problem (if possible) > > Please find attached a python script demonstrating the problem. > > [X.] Other notes, patches, fixes, workarounds: > > The Linux Kernel should not accept incoming Ethernet packets originating > from an internal Ethernet card (identified by the MAC address) > I fail to understand the problem. The attacker might use any kind of source MAC address to fool 'Victim' or 'network admins' Why one particular address should be avoided ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists