Re: SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability

[Nate Lawson <nate () root org>]

On 4/4/2011 8:34 AM, Adam Behnke wrote:
> InfoSec Institute security researcher Alec Waters has just released a new
> article on SLAAC Attacks. The basic premise is to use the default network
> configuration found on all Windows 7 (as well as Server 2008, Vista)
> installations to intercept and hijack all network traffic without any user
> knowledge or interaction. 
>
> The testing in our lab shows that this attack requires no interaction on the
> user's part, and is totally transparent. It is hard to detect even in
> enterprise computing environments with significant security gear in place.
> It works on wired and wireless networks. Even though we are exploiting the
> IPv6 to IPv4 translation process, it does not require an existing IPv6
> network to be set up or functional. It only requires the operating system to
> have IPv6 enabled by default. Mac OS-X is also likely vulnerable, but we
> have not tested it yet. 

Summary: attackers who have layer 2 access to your network can do IPv6
RA spoofing (similar to DHCP) and get targets to use them as the
gateway. This is nothing they can't already do with DHCP or ARP spoofing
in IPv4.

Here is a summary of the various countermeasures for this devastating
and novel attack:

http://www.rfc-archive.org/getrfc.php?rfc=6104

"You can't claim 0-day if there's already an RFC with recommended fixes."

-- 
Nate

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave