Full Disclosure mailing list archives
Re: Bypassing Cisco's ICMPv6 Router Advertisement Guard feature
From: Enno Rey <erey () ernw de>
Date: Mon, 23 May 2011 11:07:08 +0200
Hi, some Wireshark excerpts on the attack Marc describes below can be found here: http://www.insinuator.net/2011/05/yet-another-update-on-ipv6-security-some-notes-from-the-ipv6-kongress-in-frankfurt/ thanks Enno On Mon, May 23, 2011 at 10:49:05AM +0200, Marc Heuse wrote:
To bypass the Router Advertisement Guarding feature in the (very few) Cisco switches (and images) that support it: Attack: ======= Make the evil Router Advertisement fragmented and put the ICMPv6 into the second fragment, eg. by putting a very large Destination extension header before the ICMPv6 part. So the packets look like: Fragment 1: IPv6 Header Fragmentation Header Destination Header (~1400 bytes) Fragment 2: IPv6 Header Fragmentation Header Destination Header (continued with some bytes) ICMPv6 with RA Workaround: =========== To prevent this attack, put the following IPv6 ACL on all ports: deny ip any any undetermined-transport This will drop all packets where the switch is not able to identify the IPv6 transport type like in this attack. Note that this might drop some unusual valid traffic too. Workaround Bypass: ================== Craft the packets in a way so that the first fragment has an ICMPv6 echo request and the second fragment overwrites the first fragment with the ICMPv6 router advertisement. Fragment 1: IPv6 Header Fragmentation Header Destination Header (8 bytes) ICMPv6 with Echo Request Fragment 2: IPv6 Header Fragmentation Header with offset == 1 (equals position of 8th byte == start of Echo Request in first fragment) ICMPv6 with RA Note that the handling of overlapping fragments differs between platforms, some take the first fragment received, others the latest, so send the packets accordingly to your target. Hackers win again. Sorry Cisco. Have fun with IPv6! Greets, Marc P.S. Cisco is informed, they "accept the risk" ... P.P.S. thc-ipv6 v1.6 was released 10 days ago :-) -- Marc Heuse www.mh-sec.de Ust.-Ident.-Nr.: DE244222388 PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474 PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey ======================================================= Blog: www.insinuator.net || Conference: www.troopers.de ======================================================= _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Bypassing Cisco's ICMPv6 Router Advertisement Guard feature Marc Heuse (May 23)
- Re: Bypassing Cisco's ICMPv6 Router Advertisement Guard feature Enno Rey (May 23)