0day Windows Network Interception Configuration Vulnerability

Jeroen van Ingen jeroen at utwente.nl
Mon Apr 4 14:00:10 CDT 2011


On Mon, 2011-04-04 at 19:46 +0200, Mikael Abrahamsson wrote:
> > I believe this attack will work on most networks out 
> > there, simply because IPv6 is enabled on hosts and rogue RA filtering 
> > hasn't been implemented on most switches yet.
> 
> Any responsible ISP will block this kind of L2 "unknown" traffic between 
> customers.

I fully agree, but not all networks are run by ISPs (let alone by
"responsible" persons/entities).

Perhaps not the main audience for Nanog, but there will be enough
enterprises, small ISPs or colo facilities, schools / edu networks etc
where this attack is currently possible.

> We see this happening unwittingly in the wild as of several years ago with 
> Windows ICS announcing RA to both WAN and LAN because it (or thinks it) 
> has 6to4 connectivity and wants to share it.

It's almost the same, but not quite: the same in the sense that it might
result in MITM for traffic and rogue RAs are involved; different because
with the attack described, *virtually all* traffic can be intercepted
with the addition of NAT-PT including modified DNS responses (eg
returning quad-A RRs for (originally) IPv4-only services. That's not the
same as some ICS box which usually doesn't even properly forward the v6
traffic, and if it does, only sees the traffic for the small percentage
of v6-enabled services with both an A and quad-A resource record in DNS.

> Nothing new here, but the wider it's known the better.

To me the NAT-PT part was new, but I don't work for an ISP and perhaps
you wouldn't consider me to be a responsible network admin... even
though our University has been running RA monitors on all segments for a
long time (and will continue to do so until we can properly filter rogue
RA on all edge ports etc). I don't know *everything* there is to know in
networking, nor will I believe anyone who claims he/she does.

The main reason I responded was the "blah blah old news" attitude in one
of the reactions, while I doubt that the possibilities with the
combination of methods as described are that widely known. But if I'm
the only (security) ignorant person on this list, please forgive me ;)


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands






More information about the NANOG mailing list