Vulnerability Development mailing list archives

Re: Spanning Tree Switch Exploits? Fact or Fiction?


From: FX <fx () phenoelit de>
Date: Mon, 22 Apr 2002 08:46:32 +0200

Sean,

let me comment on these two possibilities:

1) DoS condition
Yes, it is possible and was tested on Cisco Cat. Due to time constraints, I did
not release a tool in IRPAS at this time, but given the common interest, it
will be included in the next release (hopefully ;-)

The switch configuration is the only limitation for this attack - as long as
your BPDU frames are standard conform, there are no vendor specifics I know of.
The switch has to run Spanning Tree and your port has to be enabled for receiving
BPDUs.
Ideally, there has to be more than one switch in the network to
make the attack useful, since the switch would otherwise perform the
recalculation in no time. To be true: this only makes sense in networks where
at least three switches exist and form a triangle. It is very effective in
fully meshed switched networks.

2) Becoming Root Bridge
This, as I stated in the talk, I did not test myself. In fact, I asked several
people at conferences if anyone ever did that. Some people stated that they
have done this in their Cisco gear networks successfully - but this is third-hand
information. For some reason, nobody with a bigger switched network gave
me access to try this out (I wonder why ;-). (The truth: I missed the only
appointment to test this).

This attack of course would only give the attacker some traffic, not all of it.
Consider the following scenario:

<ASCII ART>

 [SW1]--[SW2]--[SW3]
   |            |
   +------------+

</ASCII ART>

Assuming the attacker sits on switch 3 and would successfully perform the
attack, he would never see traffic that is locally handled on one of the other
switches. If two hosts on SW1 were speaking to each other, the switch would not
forward the frame to the root bridge, since it already knows where to send it.

Corrections welcome,
Peace,
FX

-- 
         FX           <fx () phenoelit de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
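A defender-side check for the two conditions discussed in the post (a topology-change flood and a foreign bridge announcing a better root ID), added here as an example; it is not code from FX's post or from IRPAS. It decodes IEEE 802.1D BPDUs from a port tap and raises the alerts a switch's BPDU Guard or root guard would act on; the port names, MAC addresses and sample frames are constructed.

```python
import struct
from collections import Counter

LLC_STP = b"\x42\x42\x03"                 # LLC DSAP/SSAP 0x42, UI: carries 802.1D BPDUs
TCN_BPDU = LLC_STP + b"\x00\x00\x00\x80"  # protocol 0, version 0, type 0x80 = TCN

def parse_bpdu(frame: bytes) -> dict:
    """Decode an LLC-encapsulated 802.1D BPDU; bridge IDs become ints for comparison."""
    if len(frame) < 7 or frame[:3] != LLC_STP:
        raise ValueError("not an STP frame")
    proto, _version, kind = struct.unpack("!HBB", frame[3:7])
    if proto == 0 and kind == 0x80:          # Topology Change Notification BPDU
        return {"kind": "tcn"}
    if proto != 0 or kind != 0x00 or len(frame) < 38:  # Configuration BPDU = 35 bytes
        raise ValueError("unsupported or truncated BPDU")
    # flags, root ID (priority + MAC), root path cost, bridge ID, port ID; timers follow
    flags, root_id, cost, bridge_id, port_id = struct.unpack("!B8sI8sH", frame[7:30])
    return {"kind": "config", "flags": flags, "root_cost": cost, "port_id": port_id,
            "root_id": int.from_bytes(root_id, "big"),
            "bridge_id": int.from_bytes(bridge_id, "big")}

def audit(frames, known_root_id: int, edge_ports: set, tcn_limit: int = 5) -> list:
    """Return (port, reason) alerts: BPDU on an edge port, root ID below the known root, TCN storm."""
    alerts, tcn_count, edge_seen = [], Counter(), set()
    for port, frame in frames:
        bpdu = parse_bpdu(frame)
        if port in edge_ports and port not in edge_seen:   # what BPDU Guard would catch
            edge_seen.add(port)
            alerts.append((port, "bpdu on edge port"))
        if bpdu["kind"] == "tcn":
            tcn_count[port] += 1
            if tcn_count[port] == tcn_limit:
                alerts.append((port, "tcn flood"))
        elif bpdu["root_id"] < known_root_id:              # lower ID wins the election
            alerts.append((port, f"superior root claim {bpdu['root_id']:#018x}"))
    return alerts

def config_bpdu(root_prio: int, root_mac: bytes, br_prio: int, br_mac: bytes,
                cost: int = 0) -> bytes:
    """Constructed test input: a Configuration BPDU with default 802.1D timers."""
    return LLC_STP + struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, 0, 0, root_prio, root_mac,
                                 cost, br_prio, br_mac, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

# Constructed sample (port, frame): a normal uplink BPDU, then an edge port that
# announces a better root ID and follows up with a burst of TCNs.
ROOT_MAC, SW_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in
                               ("00000c000001", "00000c000002", "00aabbccddee"))
KNOWN_ROOT = int.from_bytes(b"\x80\x00" + ROOT_MAC, "big")         # priority 32768
SAMPLE = [("Gi0/1", config_bpdu(32768, ROOT_MAC, 32768, SW_MAC, 19)),
          ("Gi0/5", config_bpdu(0, ROGUE_MAC, 0, ROGUE_MAC))] + [("Gi0/5", TCN_BPDU)] * 5
```

Calling `audit(SAMPLE, KNOWN_ROOT, {"Gi0/5"})` yields one edge-port alert, one superior-root alert and one TCN-flood alert, all for Gi0/5; the regular uplink BPDU on Gi0/1 is silent.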

