Dailydave mailing list archives

By Date By Thread Another Microsoft (and other) IPv6 security issue: sniffer detection From: Marc Heuse <mh () baseline-security de>

Date: Fri, 15 Apr 2011 02:10:53 +0200

Hi Daily Davers, another neat security issue with IPv6 which can be also exploited on IPv4-only LANs. (and yes, this one *is* zEr0 DaY ;-) ) It is possible to identify hosts on the local LAN which are sniffing. But before spoiling the details, a small rant. Skip it if you don't care. I am mad at Microsoft how they ignore severe but local LAN security issues. (see http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt) I usually only publish an advisory if the the vendor does not fix the bug in a timely fashion (> 6 months) or it was a deliberate backdoor. So when I found the IPv6 Router Advertisement flooding DOS, I was surprised that Cisco fixes the bug fast - and Microsoft doesnt. It is their stand (as can be read in an interview they gave here yesterday: http://www.securityvibes.com/community/en/blog/2011/04/14/ipv6-tackling-the-rogue-ras) that local LAN attacks are nothing to worry about, as this is only possible if someone is already in the trusted environment. That "trusted environment" can mean a conference or university network, or a public WLAN, doesnt seem to be a problem for Microsoft. But picture my surprise when I reported Microsoft that it is possible to detect a Windows system sniffing on the local LAN - they will fix this security issue. Yes, read again. Sniffing detection is a serious security issue for Microsoft to fix, but DOSing all Windows systems on the same network is nothing to move a finger for. Enough ranting, lets get the details. All you need to do is sending an ICMPv6 Echo Request packet to the potentially sniffing host with a multicast MAC address. Multicast MAC addresses are special MAC addresses that a system can choose to look for; they start with 03:03:..... The multicast MAC address you choose may of course not one the host is listening to, 03:03:99:00:00:99 should be a safe choice. This can be tested with the thcping tool from the thc-ipv6 package (www.thc.org/thc-ipv6): ./thcping eth0 YOUR-LINK-LOCAL-ADDRESS TARGET-LINK-LOCAL-ADDRESS YOUR-MAC 03:03:99:00:00:99 foo Run a sniffer (e.g. in non-promisc mode ;-) and see if you get an echo reply. If so, the target host is sniffing. The target host's link local address can be created from it's MAC address, e.g. if it is 00:30:48:53:aa:aa, then the link local address is fe80::230:48ff:fe53:aaaa (note the bit flip on the first MAC address octet). There is also a way to send this to all local systems at once via ff02::1, however this involves crafting a special error generating destination extension header. (this might even work with IPv4 pings and multicast MACs and not even need ICMPv6 at all, haven't tried, didn't care.) Affected OS: Windows 2008, 7, Vista in default config; 2003, 2000, XP when IPv6 is activated. Linux in default config FreeBSD when IPv6 is activated CVEs: CVE-2010-4562, CVE-2010-4563 Vendors informed on the 29th December 2010 This does not count as a security advisory :-) Greets, Marc P.S. For the historians, funnily I found a similar issue for IPv4 in 1998 which could detect sniffing Linux machines. History repeating. Especially with IPv6. -- Marc Heuse http://www.mh-sec.de PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave By Date By Thread Current thread: Another Microsoft (and other) IPv6 security issue: sniffer detection Marc Heuse (Apr 14)