Attack hijacks sensitive data using newer Windows features Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system. The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to …
Who needs to worry about introducing hardware to exploit this? I've dealt with virus's introduced via email in a v4 environment that act as rogue DHCP servers, making themselves the default gateway for clients so they get to see outgoing traffic from affected clients. Not really news because v6 is hardly more affected than v4
Only if your networking config is that bad in the first place. I.e. if it allows rogue DHCP servers, if it allows promiscuous traffic sniffing / injection, etc.
Any decent network config with, literally, an off-the-shelf £100 switch will let you stop such things happening. And then "compromised PC" (of any ilk) is only able to contact things it was ALLOWED to contact anyway.
Seriously, this isn't a Windows/Linux/etc. problem. It's a networking problem. If you have crap networking, this could affect the network. Otherwise it's a single rogue PC (and the implications of that, e.g. if it stores plaintext passwords, etc.)
"have physical access to the targeted network in order to install a tainted router"
Something like a laptop with a wireless AP, perhaps?
Agreed if you want to catch wired networks in big companies you'll have to borrow the janitor's set of keys (hardly unfeasible, but necessitates BOFH-like planning). But whip out Ye Olde dual-WiFi card laptop at your local Starbucks (or in the lobby of you main competitor's building) and I'm sure you can catch enough juicy data to keep your Nigeria-based startup busy (or to do very nasty things to your main competitor).
I don't think that a coprorate network would be vulnerable, unless they are already routing IPv6 packets, if they are the chances are that they are using IPv6 already and therefore wouldn't be vulnerable.
If they have IPv6 turned on and weren't using it, routers would have to be configured to pass DHCP to your tainted router, which isn't very likely.
If you install an IPv6 wireless router into a corporate environment, this will also probably not work becuase the laptops would not be configured to connect to this new AP, also more than likely not speak IPv6.
I think this is a small company/home user problem, which requires physically installed hardware in a compromised site, or a wireless user to connect to a new AP.
"or a wireless user to connect to a new AP."
Yes, that was the problem I was referring to. Given that the vulnerable OSes also have a tendency to connect to whatever AP is "best" -without warning- by default, you'd catch a lot of people at Starbucks.
Depending on how the corporate WiFi is set, you'll probably be able to also catch data from visitors and/or personal laptops from management at your competitor's. Probably enough to really harm them (you don't need much info to mount a devastating social engineering attack).
So what this boils down to is that by inserting a rogue piece of hardware onto a network, you can hijack traffic and have it rerouted through your machine, using ipv6...
Assuming ipv6 is turned on
Assuming the application your hijacking is ipv6 aware
Assuming you can create ipv6 dns records (afaik ipv6 stateless autoconfig doesnt set dns)
Assuming the hosts someone is trying to access are looked up via dns and not referenced by ip
Or, since you have access to the local network you could just stick to the traditional arp spoofing or dhcp hijacking attacks which have worked well for years.
All this does is further impede the progress of ipv6 and spread fud.
> by inserting a rogue piece of hardware
...Or a rogue piece of software.
> Assuming ipv6 is turned on
It is, by default.
> Assuming the application your hijacking is ipv6 aware
No - that happens in the network stack. The application may neither know nor care that its transport is IPv6.
> Assuming you can create ipv6 dns records
If you're hijacking traffic, you can.
> All this does is further impede the progress of ipv6 and spread fud
Not entirely. There's a real story here, even if it's a problem that's quite easily solved.
Vic.
One of the points here is that most exploits in IPv4 have been dealt with so you have no end of knobs to turn, e.g. "Dynamic ARP Inspection", "DHCP Snooping" et cetera. Features similar to these are much less common in IPv6, which is a shame. Though there's not much new in the article one can hope it helps forcing the vendors to supply RA Guard et cetera.
The attack works simply because IPv6 is preferred. So if you set up your own router to use IPv6 the problem is solved, yes? If IPv6 is already configured the attack would be ineffective as the computer would already be attached and not find the alternate router's proposal attractive.
Paris, because your computer is just as promiscuous...
Any other machine already plugged into the network could act as the evil router in this exploit if they can run a daemon to respond to the SLAAC requests. This means any compromised system could potentially become the gateway for this type of attack.
Physically installing a router is not required to pull this off, it just makes it quite simple to do.
Actually, I've seen some weird network stuff that makes me wonder if this is already going on in certain providers' networks, possibly on a large scale. Unfortunately, I'm not a network expert, and what looks quite anomalous to me might be perfectly reasonable and safe to someone who actually understands these things. In the situation where a legitimate IPv6 network is in use, what should the configuration state of the IPv4 data look like?
It depends on what you mean by "configuration state". Most deployments are dual stack where IPv4 and IPv6 live together. Each one is configured just like if it was the only one. In some deployments you could have tunnelling here and there, but for most users/uses this should appear transparent.
If you suspect your ISP is incapable of handling issues like these you really should choose another. Protecting customers from each other has long been a standard ISP practice and IPv6 doesn't change this at all.
Just a protip: turning off IPv6 on your machines is both pointless and silly unless there's a possibility of someone plugging their own router into your stuff, in which case, why not just go with the good old tried and tested IPv4 attacks... hell, a rogue radvd + DHCPv6 server will work just as well as a rogue DHCPv4.
Correct mitigation? don't let people install crap inside your network.
RA Guard is a switch feature that allows the sysadmin to configure an L2 switch so as to only accept RA messages from specified ports. Obviously you'd only accept RAs from the port with the router on it.
Unfortunately that's only available on rather upmarket kit (e.g. Cisco with rather recent IOS loads) at the moment.
Never mind, by the time I get around to rolling out IPv6, even cheap switches should have that feature. Or my employer won't be buying them!
many PCs are connected to cable modems or 3G modems that have no router or firewall. Presumably the ISP though would need to be providing you with IP6 though.
So it's hard to see that many people would be vulnerable as almost no 3G connections provide IP6
It's hard to see how this can work easily.
Start -> Control Pannel -> Network and Sharing Centre
Click on 'Connections: Local Area Connection' (unless you've renamed the default NIC), then Properties.
In the "Networking" tab that pops up deselect "Internet Protocol Version 6 (TCI/IPv6)"
Then ok.
This unbinds IPv6 from your NIC, if you've got multiple NICs, do it for each NIC.
>> For good, technical reasons!
>> http://apenwarr.ca/log/?m=201103#28
Most of those "good reasons" are (IMO) actually good arguments FOR IPv6. Much of what is written is simply drivel written by someone who has never had to deal with the problems caused by s**t like NAT. IMNSHO, if you think NAT is a good idea, you are completely unqualified to talk about networking.
Part of the problem getting IPv6 off the ground is that some f**kwit invented NAT and made people believe the problem was "solved". We'd be far better off now if the effort that's gone into sorting out the s**t caused by NAT has been invested in fixing the real problem instead of new artificial problems.
If you think NAT is easy to deal with (just use STUN I hear being uttered), try it with a Zyxel router and see how well it doesn't work ! uPnP isn't an answer unless you think having a service designed to allow an untrusted bit of software to completely bypass your security is a good thing.
True there are going to be some adjustments needed, and issues to work out. The subject of this article is **NOT** one of them - it's simply an old problem using the new protocol and the tools haven't caught up *YET*. For example, our helpdesk aren't looking forward to diagnosing connection problems with users who struggle to : "type ping 192.168.1.1 and press the return key" even when you spell it out keypress by keypress.
PS - yes I do think some aspects of IPv6 are sub optimal, but that is just detail - there's nothing fundamentally wrong.
While this is worth pursuing and holes need to be filled, sadly the biggest threat to computer security is still the dingbat sitting at the keyboard clicking away with wild abandon. Until everyone is educated to take precautions, the nasties will find the easiest route into a system.
We're the weakest link, goodnight!
IPV6 was going to solve everything! Every implementation is beyond question and it makes PERFECT SENSE to give every bloody device on your network a publicly routable address! This didn't happen; it's obviously been reported wrong. Nothing bad could ever happen to anything involving IPV6 or any of it's implementations because the END-TO-END MODEL IS SACRED AND IT REALLY, REALLY, MATTERS (tm)!!!
Go IPV6 now and unicorns will fall from the sky, ensuring peace, love and the continuation of God's Own End-To-End Model.
Got some private replies which suggest my comment was not constructive :).
http://sourcedaddy.com/windows-7/understanding-isatap.html
Is a good place to start. You really do not need dhcp, dns or any of the protocols you are used to. You need a machine to answer wth a certain name (which can be auto discovered in an ipv6 network).
The 'exploit' described in the article remains a corner case to a large extent but let's face it, our hacker/malware friends have demonstrated their imagination too many times for us to not take all threats seriously.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
