Full Disclosure mailing list archives
RE: Microsoft Vista's IPv6: Dangerous Information Leak?
From: "TJ" <trejrco () gmail com>
Date: Wed, 30 Aug 2006 18:19:50 -0400
Assuming you are not default-denying almost all traffic (and perhaps proxying most other?) . Yes, all you need to do is block the server traffic (UDP/3544) ... without which Teredo clients won't establish their tunnel, and the relays never come into play. Hopefully, as more firewalls/IDS's become more IPv6 savvy they will learn to crack open all of the "transition mechanism" tunnels - Prot41, UDP-encaps, etc . sooner would be better than later. Also, to (hopefully) answer another of Hadmut's original questions - "Am I correct or did I overlook anything" . the only thing I would add is that Vista is intended to "just make IPv6 work" for the unmanaged environment, which it looks to do a decent job of . for better or worse! To change the topic just a bit - TSP (a la Hexago/Tunnel Broker) can also traverse NAT via UDP-encapsulation and while it (IIRC) uses UDP/3653 by default since the TSP client needs to be manually installed anyway someone could certainly tweak the port# L. Thanks; and I'd love to hear more on IPv6-related topics/advancements (offlist if not FD-relevant) . especially any distributed FW/IDS implementations! /TJ PS - The availability of Teredo servers/relays is limited, for now . and the host needs to be explicitly told the addresses of the server(s), IIRC.
-----Original Message-----
From: Jim Hoagland [mailto:jim_hoagland () symantec com]
Sent: Wednesday, August 30, 2006 16:30
To: TJ
Subject: Re: [Full-disclosure] Microsoft Vista's IPv6: Dangerous
Information Leak?
How do you recommend blocking all Teredo traffic? Can't Teredo clients
and relays run on arbitrary ports?
Server-bound traffic is easy to block, assuming they are only on port
3544.
Thanks,
Jim
--
Jim Hoagland, Ph.D., CISSP
Principal Security Researcher
Advanced Threats Research
Symantec Security Response
<http://www.symantec.com> www.symantec.com
On 8/27/06 5:43 PM, "TJ" < <mailto:trejrco () gmail com> trejrco () gmail com>
wrote:
Yes, Teredo is a concern - both for Vista (V6 enabled by default) and
for those who have enabled V6 in WinXP (takes one command) ... or for
those who have installed a 'nix Teredo client. All predicated on
Teredo servers + eelays being available, of course.
And, for the enterprise / managed env. - easily blockable if you try,
even assuming you aren't following a default deny policy :).
(BTW - blocking IP prot41 tunnels is also recommended, unless you
mean
to let them out!)
/TJ (mobile)
PS - there is atleast one other UDP-encapsulating 'transition
mechanism' as well ... thinking specifically of TSP.
-----Original Message-----
From: "Hadmut Danisch" <hadmut () danisch de>
To: full-disclosure () lists grok org uk
Sent: 08/27/06 06:32
Subject: [Full-disclosure] Microsoft Vista's IPv6: Dangerous
Information Leak?
Hi,
I haven't been using a Microsoft Windows Vista so far, just read some
announcements and white papers. However, it appears to me at a first
glance, as if it had a significat information leak.
Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called
Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the
differences are:
- IPv6 packages are wrapped in UDP
- Thus, they run more easily through Firewalls and NAT devices
- You can do it with RFC1918 addresses
- In contrast to 6to4 it is intended to be used host-to-host.
While 6to4 is something you would run on your outermost router
(the one with an official IPv4 address) and provide plain IPv6 to
your internal network (then you know what your're doing, you
actively have to configure it), Teredo is designed to run
automatically on the local host. So every desktop machine becomes a
tunneling client.
As announced by Microsoft, Teredo is activated by default. Windows
Vista will allways prefer IPv6 to IPv4 where possible. So most Vista
users, especially common users with network experience, would not
even
realize that they are using IPv6.
Most network and security devices, and network admins will not
realize
this either, since they see only plain IPv4 UDP packets. I haven't
seen any firewall so far able to unpack Teredo packets.
So the implications can be severe. As far as I can see at the moment:
- You are using IPv6 without realizing or enabling it.
- You are running it from your desktop machine.
- You are thus opening a tunnel through your NAT/Firewall device
passing _all_ kind of traffice unfiltered through, no logging.
- Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be
routed
over a central Teredo server or relay, which is "helping" in the
configuration of the Teredo client and routing Teredo packets to
other Teredo clients or plain IPv6.
So these servers (and thus network devices and IP providers close
to
the servers) can easily wiretap your traffic.
- I guess that every Vista client will try to register at a Teredo
server, so the server will/can generate an almost complete list of
all clients.
Can anyone experienced with Windows Vista comment on? Am I correct or
did I overlook anything? (Did not have a running Vista yet...)
regards
Hadmut
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: Microsoft Vista's IPv6: Dangerous Information Leak? TJ (Aug 27)
- Re: Microsoft Vista's IPv6: Dangerous Information Leak? Peter Dawson (Aug 27)
- Message not available
- RE: Microsoft Vista's IPv6: Dangerous Information Leak? TJ (Aug 30)