Vulnerability Development mailing list archives
Different attack vector - PXE-2.0 protocol
From: ollie () DELPHISPLC COM (Ollie Whitehouse)
Date: Sun, 25 Jun 2000 09:22:13 +0100
All, o Introduction This is really to plant a seed in the minds of many on different attack vectors (i.e. it's theory based). After seeing the posting on BugTraq about the ISC DHCP client it got me thinking (leading on from something we have been working on in the lab). Allot of the Intel NICs these days support PXE-2.0 (2.1) for remote OS loading/booting (RedHat supports this for remote installs). This got me thinking on the possibility of three things o The theory 1) Compromise a machine on boot (i.e. either install a compromised version of the OS from a different builds server or boot a different image - i.e. taking Man-in-the-middle to a new degree). 2) Boots an image that updates firmware of the machine, boot order, boot room (re-flashing an Intel NIC for something else?) 3) The third is what we had been working on in the LAB, CISCO PIX 520 firewalls have three Network cards which (if you install a graphics card in your PIX520) you will see goes though a standard Phoenix bios then attempt to boot of all three network cards via PXE-2.0. Typically in the way you would configure a PIX, it would boot outside, DMZ, inside NICS in that order. So if you can ever get a PIX to crash (it will automatically reboot) and your compromised host on the DMZ can deliver the DHCP answers to the DHCP requests for PXE enabled NIC and then deliver the image via TFTP (the entry to the TFTP server is gained from a DHCP scope property). So you would be able to configure (in theory) a PIX with a new remotely loaded version of an image. o The practice Well from what I have seen a majority of PXE-2.0 enabled network cards are set to boot local rather than network so it does wipe out the above attack vectors (but hey it only takes one). Something for you all to mull over. Rgds Ollie ----- Ollie Whitehouse Security Team Leader Delphis Consulting Plc WWW: http://www.delphisplc.com/thinking/whitepapers/ TEL: +44 (0)20 7916 0200 FAX: +44 (0)20 7916 1620 Disclaimer: This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged. Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee. If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately. E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis.
Current thread:
- Re: Another new worm???, (continued)
- Re: Another new worm??? David Knaack (Jun 22)
- Re: Another new worm??? Jason Legate (Jun 22)
- Red Hat 6.2's ftp segmentation fault Paulo Ribeiro (Jun 22)
- Re: Red Hat 6.2's ftp segmentation fault Osvaldo J. Filho (Jun 23)
- Re: Red Hat 6.2's ftp segmentation fault Michal Zalewski (Jun 23)
- Re: Red Hat 6.2's ftp segmentation fault Jeff Bachtel (Jun 23)
- Re: Red Hat 6.2's ftp segmentation fault Philip Rowlands (Jun 23)
- Re: Red Hat 6.2's ftp segmentation fault Bluefish (Jun 24)
- Re: Red Hat 6.2's ftp segmentation fault Jim Kinney (Jun 24)
- Re: Red Hat 6.2's ftp segmentation fault Blue Boar (Jun 24)
- Different attack vector - PXE-2.0 protocol Ollie Whitehouse (Jun 25)
- Spoofed FTP connections John Scimone (Jun 25)
- Re: Red Hat 6.2's ftp segmentation fault Jason Storm (Jun 24)
- Keyboard recording Martin M Samson (Jun 21)
- Re: Another new worm??? Blue Boar (Jun 21)
- Re: Another new worm??? Steve Mosher (Jun 22)
- disclosure and risk to list subscribers (Re: Another new worm???) Mark Rafn (Jun 22)