x404.co.uk
http://www.x404.co.uk/forum/

Attack hijacks data using newer Windows features
http://www.x404.co.uk/forum/viewtopic.php?f=19&t=13258

Author:  rustybucket [ Tue Apr 05, 2011 3:54 pm ]
Post subject:  Attack hijacks data using newer Windows features

Quote:
Mac OS X probably vulnerable too

Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system.

The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to connect to networks using the next generation IPv6 protocol. The attack will also work against Apple's OS X for Macs, although the proof-of-concept has not been tested on that platform, said Jack Koziol, a program manager at InfoSec Institute, an information security services company.

The attack exploits an industry standard known as SLAAC, or Stateless Address Auto Configuration for allowing clients and hosts to find each other on IPv6 networks. When the next-generation addressing scheme is turned on, as it is by default in OS X, Windows Vista, Windows 7 and Server 2008, SLAAC can be used to create an unauthorized IPv6 network that reroutes data through hardware controlled by the attackers.

...By default, Linux, FreeBSD and other operating systems aren't vulnerable, Koziol said....

http://www.theregister.co.uk/2011/04/04 ... t_windows/

Author:  jonbwfc [ Tue Apr 05, 2011 4:19 pm ]
Post subject:  Re: Attack hijacks data using newer Windows features

Simple fix: switch off IPv6 if you're not actually using it. However, the actual chance for this to be an issue to people outside the corporate world is quite small, since most home routing equipment (i.e. cable/ADSL modems) doesn't route IPv6. Therefore to be vulnerable to this, you already have to have a compromised machine inside your home LAN; either a piece of hardware or a PC running a 'nasty' IPv6 router. In short, if you're vulnerable to this at home you're probably already stuffed anyway.

Jon

Author:  JJW009 [ Tue Apr 05, 2011 6:14 pm ]
Post subject:  Re: Attack hijacks data using newer Windows features

jonbwfc wrote:
Therefore to be vulnerable to this, you already have to have a compromised machine inside your home LAN; either a piece of hardware or a PC running a 'nasty' IPv6 router. In short, if you're vulnerable to this at home you're probably already stuffed anyway.

Quite, as Microsoft said in their reply:

Quote:
The attack method described would require that a would-be attacker have physical access to the targeted network in order to install a tainted router - a situation that does not provide a security boundary.

If a bad guy is inside your house plugging stuff into your network, then you might say the security problem lies with your house rather than your computer.

You could actually do something not entirely dissimilar with IPv4 by introducing a bogus DHCP server to a network. Most versions of Windows Server are set to back-off if they detect another DHCP server on the network, so you can issue your own IP as the default gateway and all WAN traffic from computers that pick up your address will go through you.

Author:  jonbwfc [ Tue Apr 05, 2011 8:30 pm ]
Post subject:  Re: Attack hijacks data using newer Windows features

JJW009 wrote:
If a bad guy is inside your house plugging stuff into your network, then you might say the security problem lies with your house rather than your computer.

Not... entirely true. It's very possible for a PC that has previously been compromised to act as the 'evil router'. There is already malware that will run a DHCP server on the machine it takes over, completely independently and invisibly to the user. They have to be able to get onto your network, but not necessarily physically access the wires. Physical security will stop lots of things but this can be done entirely remotely, IMO.

However, the point still holds. If you're sat at home - maybe you have a couple of PCs and a games console or media server on your home network - and they've got hold of one of the machines to the point where they can install and run software on it, you're already buggered. If they can install an IPv6 router on the PC, they can install pretty much anything they like - packet sniffers, key loggers etc.

It's generally held to be a good idea to switch off any service or function on your PC you're not using anyway. This is just another reinforcement of that.

Jon

Author:  big_D [ Wed Apr 06, 2011 4:18 am ]
Post subject:  Re: Attack hijacks data using newer Windows features

rustybucket wrote:
Quote:
Mac OS X probably vulnerable too

Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system.

The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to connect to networks using the next generation IPv6 protocol. The attack will also work against Apple's OS X for Macs, although the proof-of-concept has not been tested on that platform, said Jack Koziol, a program manager at InfoSec Institute, an information security services company.

The attack exploits an industry standard known as SLAAC, or Stateless Address Auto Configuration for allowing clients and hosts to find each other on IPv6 networks. When the next-generation addressing scheme is turned on, as it is by default in OS X, Windows Vista, Windows 7 and Server 2008, SLAAC can be used to create an unauthorized IPv6 network that reroutes data through hardware controlled by the attackers.

...By default, Linux, FreeBSD and other operating systems aren't vulnerable, Koziol said....

http://www.theregister.co.uk/2011/04/04 ... t_windows/

It doesn't sound any different to DHCP under IPv4. It does the same thing, although it is usually quick to see, because half the network will configure over one DHCP server and the other half over the 2nd DHCP server and they won't be able to see each other...

I've worked on several sites, where there have been problems with machines not seeing all network resources or not getting onto the internet. The problem was often intermittent and the cause was usually somebody putting in their own/department wireless router, without clearing it with the IT department, and leaving the default configuration of it being a DHCP server.

If you know what you are doing, you could easily set up a DHCP server on the local network and get all the traffic coming over your machine. That affects ALL operating systems, where dynamic addresses are assigned at boot time.
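
The SLAAC hijack quoted at the top of the thread and the rogue-DHCP scenario JJW009 and big_D describe are the same shape of problem: a second, unauthorised device answers the client's configuration request, and clients believe it. The defensive counterpart is to watch the segment for advertisements that don't match what the network is supposed to look like. What follows is an added example, not code from this thread or from the article it quotes. It parses ICMPv6 Router Advertisements as laid out in RFC 4861 and checks them, together with DHCPOFFER records, against an allowlist of the routers, SLAAC prefixes and DHCP servers that should exist. The packet capture step is assumed to happen elsewhere; the allowlist values, MAC addresses and sample packets are all constructed for the demo.

```python
"""Detecting rogue Router Advertisements and rogue DHCP servers on a LAN.

Added example, not code from the forum thread or the article it quotes.
Assumed inputs: a passive capture tool (out of scope here) hands us the raw
ICMPv6 payload of each RA and a parsed record of each DHCPOFFER. Allowlist
values, MACs and the sample packets below are constructed for this demo.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Network
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LINK_LAYER_ADDRESS = 1   # RFC 4861 section 4.6.1
OPT_PREFIX_INFORMATION = 3          # RFC 4861 section 4.6.2
PREFIX_FLAG_AUTONOMOUS = 0x40       # "A" bit: hosts may SLAAC from this prefix


@dataclass
class RouterAdvertisement:
    source_ip: str
    router_lifetime: int            # seconds; 0 means "I am not a default router"
    source_mac: Optional[str] = None
    slaac_prefixes: List[IPv6Network] = field(default_factory=list)


def parse_ra(source_ip: str, payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 RA payload (fixed header plus ND options)."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the fixed 16-byte header")
    icmp_type, code, _csum, _hops, _flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(source_ip, lifetime)
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_units = payload[off], payload[off + 1]   # length in 8-byte units
        if opt_units == 0:                                     # RFC 4861 4.6: discard
            raise ValueError("zero-length ND option")
        opt = payload[off:off + opt_units * 8]
        if len(opt) < opt_units * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDRESS and opt_units == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_units == 4:
            plen, pflags = opt[2], opt[3]
            if pflags & PREFIX_FLAG_AUTONOMOUS:                # only SLAAC-able prefixes
                ra.slaac_prefixes.append(IPv6Network((opt[16:32], plen), strict=False))
        off += opt_units * 8
    return ra


@dataclass(frozen=True)
class DhcpOffer:
    server_id: str        # DHCP option 54 (server identifier)
    offered_router: str   # DHCP option 3 (default gateway handed to the client)


@dataclass
class LanPolicy:
    router_macs: frozenset            # MACs allowed to send RAs on this segment
    slaac_prefixes: tuple             # IPv6Network values hosts may autoconfigure from
    dhcp_servers: frozenset           # server identifiers allowed to send DHCPOFFER
    ipv4_gateway: str                 # the only gateway a DHCPOFFER should carry


def check_ra(ra: RouterAdvertisement, policy: LanPolicy) -> List[str]:
    """Findings for one RA; an empty list means it matches policy."""
    findings = []
    who = f"{ra.source_ip} ({ra.source_mac or 'no link-layer option'})"
    if ra.source_mac not in policy.router_macs:
        findings.append(f"RA from unauthorised sender {who}")
        if ra.router_lifetime > 0:
            findings.append(f"{who} offers itself as default router for {ra.router_lifetime}s")
    for p in ra.slaac_prefixes:
        if not any(p.subnet_of(ok) for ok in policy.slaac_prefixes):
            findings.append(f"{who} advertises SLAAC prefix {p} outside policy")
    return findings


def check_dhcp(offers: List[DhcpOffer], policy: LanPolicy) -> List[str]:
    """Findings for a batch of DHCPOFFERs seen on one segment."""
    findings = []
    for o in offers:
        if o.server_id not in policy.dhcp_servers:
            findings.append(f"DHCPOFFER from unauthorised server {o.server_id}")
        if o.offered_router != policy.ipv4_gateway:
            findings.append(f"server {o.server_id} hands out gateway {o.offered_router}, "
                            f"expected {policy.ipv4_gateway}")
    servers = sorted({o.server_id for o in offers})
    if len(servers) > 1:   # big_D's symptom: two servers carving up one LAN
        findings.append(f"{len(servers)} distinct DHCP servers on one segment: {servers}")
    return findings


def ra_fixture(mac: bytes, prefix: IPv6Network, lifetime: int) -> bytes:
    """Constructed in-memory RA payload for the parser (checksum 0, never sent)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([OPT_SOURCE_LINK_LAYER_ADDRESS, 1]) + mac
    pio = (bytes([OPT_PREFIX_INFORMATION, 4, prefix.prefixlen, 0xC0])   # L and A bits
           + struct.pack("!III", 2592000, 604800, 0) + prefix.network_address.packed)
    return hdr + slla + pio


POLICY = LanPolicy(router_macs=frozenset({"00:11:22:33:44:55"}),   # constructed
                   slaac_prefixes=(IPv6Network("2001:db8:1::/48"),),
                   dhcp_servers=frozenset({"192.0.2.1"}),
                   ipv4_gateway="192.0.2.1")


def sample_findings() -> List[str]:
    """Run the checks over constructed events: one good RA, one rogue RA, two offers."""
    good = parse_ra("fe80::1", ra_fixture(bytes.fromhex("001122334455"),
                                          IPv6Network("2001:db8:1:10::/64"), 1800))
    rogue = parse_ra("fe80::2", ra_fixture(bytes.fromhex("deadbeef0001"),
                                           IPv6Network("2001:db8:bad::/64"), 1800))
    offers = [DhcpOffer("192.0.2.1", "192.0.2.1"), DhcpOffer("192.0.2.66", "192.0.2.66")]
    return check_ra(good, POLICY) + check_ra(rogue, POLICY) + check_dhcp(offers, POLICY)


if __name__ == "__main__":
    for finding in sample_findings():
        print("ALERT:", finding)
```

Run as a script it prints one alert per policy violation: nothing for the legitimate router, three for the rogue RA (unauthorised sender, it offers itself as default router, it advertises a prefix outside policy) and three on the DHCP side (unauthorised server, wrong gateway, two servers on one segment). On managed switches these are exactly the checks that RA Guard (RFC 6105) and DHCP snooping enforce in hardware; on a flat home LAN without those features, jonbwfc's advice to disable what you aren't using is the practical alternative.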
