Vulnerability Development mailing list archives
RE: ARP hole in Windows NT/2000
From: "Grzegorz Flak" <Grzegorz.Flak () comarch pl>
Date: Sat, 24 Nov 2001 17:38:48 +0100
Hi,

Do you think Microsoft is going to do something about this? I found this: http://www.secadministrator.com/Articles/Index.cfm?ArticleID=9393. This is about Windows 9x, and the hole was reported to Microsoft some time ago (more than a year) without any response from them. Does anybody have access to XP to check if it is also vulnerable?

Regards
Hello,

I came across this problem a while back too... the main point I think is he used "arp -s" which should create a permanent entry in the arp table. ettercap probably floods the lan with gratuitous arp requests, so it can steal the gateway's ip address. If NT had a functional arp cache, the entry set with arp -s should not be changed.

{root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4
{root@blak 10:07am} ~# arp -an
? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]

I ran arpspoof (from dsniff pkg) for a while against that host

{bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t 192.168.1.2 nomad

from another machine; the arp entry never changed, which is how it should be.

I walked upstairs to a windows95 machine, did this:

C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
C:\>arp -a
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-60-08-af-8c-e4     static

I then ran arpspoof against the 95 machine. The supposedly static entry changed immediately to the machine I was trying to spoof.

C:\>arp -a
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-89-16-4a     static

I repeated the same thing on win2000 SP1 I had on a laptop here... Same results.

A while back, a friend and I tested many platforms against this bug, using both spoofed arp replies and spoofed gratuitous arp requests. Unfortunately I can't find our results, but I do remember that all versions of Windows we tested were vulnerable to changing static arp entries w/ spoofed arp replies.

Thanks
Keith

On 23-Nov-2001, Tomas Nybrand IT wrote:

Hi

Well ARP poisoning can't be considered as something new, and I would prefer to call it a vulnerability in the ARP protocol rather than a windows vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tomas Nybrand - UNIX Administrator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
Bene qui latuit, bene vixit.
--
Grzegorz.Flak () comarch pl writes:

Hi,

I am not sure if it is something new, but I think I found a serious vulnerability in the ARP implementation in Windows NT/2000 (I checked it on NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man in the middle" technique to eavesdrop on your traffic. This example was done with ettercap. To fully protect myself I use 'arp -s' to specify the correct MAC for the default gateway. So I had:

10.10.1.4 00-b0-64-49-1e-01 static

Then I used ettercap to capture my traffic to the gateway. Of course I could see my POP3 pass ;) Then I checked the arp table once again:

10.10.1.4 00-01-02-23-85-e1 static

The MAC is different (this is the MAC of my linux box). I checked the same on Solaris 2.7 and Linux 2.4.8 and they look invulnerable. Is this an already known vulnerability (I found an indication of a similar weakness, but that was on Windows 9x)? Any suggestions how to get rid of that?

Regards
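The check both posters do by eye (pin the gateway with arp -s, look at arp -a again later, see whether the "static" row still carries the MAC you set) written as a small host-side monitor. This is an added example, not code from the thread; the arp -a text it parses is constructed in the layout quoted in Keith's message, and the gateway/MAC values are taken from that message.

```python
import re
# Constructed samples of Windows "arp -a" output in the layout quoted in the
# thread (not captured from a real host); 192.168.1.1 is the pinned gateway.
ARP_A_BEFORE = """\
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-60-08-af-8c-e4     static
  192.168.1.2           00-a0-c9-89-16-4a     dynamic
"""
ARP_A_AFTER = """\
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-89-16-4a     static
  192.168.1.2           00-a0-c9-89-16-4a     dynamic
"""
IFACE_RE = re.compile(r"^Interface:\s*(\d{1,3}(?:\.\d{1,3}){3})")
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$", re.I)

def parse_arp_a(text):
    """Parse Windows 'arp -a' output into {ip: (mac, type, interface_ip)}."""
    entries, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and iface:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower(), iface)
    return entries

def check_pinned(text, pinned):
    """pinned = {ip: mac you set with 'arp -s'}. Returns (ip, expected, observed)
    for each pinned IP whose MAC changed or vanished (observed is None)."""
    entries, findings = parse_arp_a(text), []
    for ip, expected in pinned.items():
        observed = entries[ip][0] if ip in entries else None
        if observed != expected.lower():
            findings.append((ip, expected.lower(), observed))
    return findings

def shared_macs(text):
    """MACs claimed by more than one IP: the usual footprint of a poisoned cache."""
    by_mac = {}
    for ip, (mac, _kind, _iface) in parse_arp_a(text).items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
```

On a real host, feed check_pinned the current output of arp -a (e.g. from subprocess) on a schedule; a non-empty result for the gateway entry is exactly the change the thread reports, and shared_macs flags the gateway and another host answering with one MAC.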