Full Disclosure mailing list archives

Re: Exploitation of unused IPv6-capabilities

From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 20 Jan 2009 11:05:32 +0100


Hi,

The papers pointed to by the others are basically straight
forward and not really new issues if you know how
ARP poisoning works. The thing that makes me wonder
and adds some new points is

'As soon as the "victim" has an IPv6 address issued by your radvd it will
 prefer AAAA-entries over A-entries'

What do you mean by that? I looked at the glibc resolver,
it might be that if getaddrinfo() does not get proper
ai_family arguments of AF_INET, it will accept AAAA records.
So, the application which thinks is using IPv4 DNS resolving
will eventually connect using IPv6?
This however will require built-in functionallity in the
application (for example ssh client has it) and you need to
play DNS tricks. Or I am completely mistaken and
dont understand what you mean with the A-records?!

Sebastian

On Sun, Jan 18, 2009 at 10:17:44PM +0100, Lukas Th. Hey wrote:

Hi folks,

while playing around I had an idea for some "new kind of mitm" which
works quite well here.

Affected:     All operating systems with unused IPv6 capabilities
              listening to router advertisements (radvd for example)

Attack:               Have an IPv6 tunnel with appropriate prefix delegated.
              Configure your machine to propagate the prefix and
              switch on IPv6 routing.

As soon as the "victim" has an IPv6 address issued by your radvd it will
prefer AAAA-entries over A-entries and connect via your tunnel where
you're waiting with a password sniffer of your choice ;).

This works in any computing center where you have colo'ed you box, have
a dedicated system or...simply physical access. During my
proof-of-concept I was able to intercept SMTP, HTTP and DNS sessions. It
should also work in LANs (lanparties, corporations). The "danger" of
misled connections will dramatically increase with the increasing amount
of ISPs also offering services usable via IPv6. 

Advisory:     Turn off your sever's/client's entire IPv6 capability or
              at least the capability to catch up router
              advertisement messages

I hope you find the contents of my mail useful, entertaining or at least
noch entirely shitty.

Night!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Exploitation of unused IPv6-capabilities Lukas Th. Hey (Jan 18)
- Re: Exploitation of unused IPv6-capabilities A . L . M . Buxey (Jan 18)
  - Re: Exploitation of unused IPv6-capabilities Lukas Th. Hey (Jan 18)
- Re: Exploitation of unused IPv6-capabilities Valdis . Kletnieks (Jan 19)
  - Re: Exploitation of unused IPv6-capabilities TJ (Jan 25)
- Re: Exploitation of unused IPv6-capabilities Sebastian Krahmer (Jan 20)
  - Re: Exploitation of unused IPv6-capabilities Florian Weimer (Jan 20)