RE: ARP hole in Windows NT/2000

["Grzegorz Flak" <Grzegorz.Flak () comarch pl>]

Hi,
Do you think if Microsoft is going to do something with this. I found this:
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=9393.

This is about windows 9x and hole were reported to Microsoft some time ago
(more then a year) without any response from them. Does anybody has access
to XP to check if it is also vulnerable?

Regards


> Hello,
>
>
> I came across this problem awhile back too... the main point
> I think is he
> used "arp -s" which should create a permanent entry in the arp table.
>
> ettercap probably floods the lan with gratuitous arp
> requests, so it can steal
> the gateway's ip address. If NT had a functional arp cache,
> the entry set
> with arp -s should not be changed.
>
> {root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4
>
> {root@blak 10:07am} ~# arp -an
> ? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]
>
> I ran arpspoof (from dsniff pkg) for awhile against that host
> {bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t
> 192.168.1.2 nomad
> from another machine, the arp entry never changed, which is
> how it should
> be.
>
> I walked up stairs to a windows95 machine, did this:
> C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
> C:\>arp -a
> Interface: 192.168.1.3 on Interface 2
>   Internet Address      Physical Address      Type
>   192.168.1.1           00-60-08-af-8c-e4     static
>
> I then ran arpspoof against the 95 machine. The supposedly
> static entry
> changed immediately to the machine i was trying to spoof.
>
> C:\>arp -a
> Interface: 192.168.1.3 on Interface 2
>   Internet Address      Physical Address      Type
>   192.168.1.1           00-a0-c9-89-16-4a     static
>
> I repeated the same thing on win2000 SP1 I had on a laptop
> here... Same
> results.
>
> Awhile back, a friend and I tested many platforms against
> this bug, using
> both spoofed arp replies and spoofed gratuitious arp
> requests. Unfortunately
> I can't find our results, but I do remember that all versions
> of Windows
> we tested were vulnerable to changing static arp entries w/
> spoofed arp
> replies.
>
> Thanks
> Keith
>
> On 23-Nov-2001, Tomas Nybrand IT wrote:
> > Hi
> >
> > Well ARP poisoning can´t be considered as something new, and I would
> > prefer to call it a vulnerability in the ARP protocol rather than a
> > windows vulnerability.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  Tomas Nybrand - UNIX Administrator
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >     --   Bene qui latuit, bene vixit.   --
> >
> > Grzegorz.Flak () comarch pl writes:
> > > Hi,
> > >
> > > I am not sure, if it is something new, but I think I found serious
> > > vulnerability in ARP implementation in WindowsNT/2000 (I
> checked it on
> > > NT4 SP6 and Win2000 SP1). The problem is when somebody
> whant to use "man
> > > in the middle" technik to evesdrop your traffic. This
> example was done
> > > with ettercap.
> > > To fill protect I use 'arp -s' to specify correct MAC for default
> > > geteway. So I had :
> > >  10.10.1.4             00-b0-64-49-1e-01     static
> > >
> > > then I use ettercap to capture my traffic to the gateway.
> Ofcourse I
> > > could see my POP3 pass ;) Then I checked arp table once again:
> > >
> > >  10.10.1.4             00-01-02-23-85-e1     static
> > >
> > > The MAC is different (this is MAC of my linux box). I
> checked the same
> > > on Solaris 2.7 and Linux 2.4.8 and they look unvulnerable.
> > > Is this already known vulnerabilty (I found indication of similar
> > > weakness, but that was on Windows 9x).
> > >
> > > Any suggestions how to get rid off that.
> > >
> > > Reagards