RE: STP mitm attack idea
- To: <xperience@xxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: RE: STP mitm attack idea
- From: Stefan Laudat <Stefan.Laudat@xxxxxxxxxxxxxxxx>
- Date: Thu, 29 Apr 2010 10:22:40 +0300
Hello,
Before the Cisco network-witty guys start poking around, calling it a fudge
and welcoming you to last week, I might outline this for you:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965
It's a feature, not a bug, and it's as old-school as email forging with telnet
or BGP poisoning by more-specific route injection. Of course, there might be
STP-enabled switches out there with no security features, but the problem
resides in the risk management, not in the product.
Sounds to me more like the description of a threat than a vulnerability.
Great for Risk Assessment scenarios, though.
Stefan Laudat
Information Security Manager
CISSP-ITIL Manager-PrInCE2 Practitioner
Allianz-Tiriac Asigurari SA
Tel: +4012082381 / Int 100381
80-84 Caderea Bastiliei str., Bucharest 1, 010616, Romania
-----Original Message-----
From: xperience@xxxxxxxxxx [mailto:xperience@xxxxxxxxxx]
Sent: Tuesday, April 27, 2010 8:55 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: STP mitm attack idea
As I read in many white papers about attacks on the Spanning Tree Protocol, I
found a MITM attack using two STP switches, one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- two cards in the station
While two cards are possible, access to two switches in one office, for
example, is almost impossible.
My idea for a modification of this attack needs:
- two stations to attack by MITM (A and B)
- two or more switches with STP
- two attacking stations (C and D) connected to two different switches on the
path between the attacked stations
A ---- switch 1 ----- switch 2 ----- B
          |              |
          |              |
          C              D
Take the first scenario:
1. A sends a frame to B
2. Switch 1 accepts the frame and forwards it to switch 2
3. Switch 2 accepts the frame via the link from switch 1 and forwards it to B
Second scenario:
1. Station C and station D start to send frames to break the link between
switch 1 and switch 2, and announce a non-existing connection and switch from
C's port on switch 1 to D's port on switch 2
A ---- switch 1 --X-- switch 2 ----- B
          |              |
          |              |
          C --no conn--- D
2. Station A sends a frame to B
3. The frame is forwarded to station C
4. Station C stores the frame in memory
5. After an equal time, station C and station D repair the link between
switch 1 and 2
6. Station C resends the stored packet to station D (e.g. in a tunnel or
encapsulated in an IP packet)
7. Stations C and D break the link between switches 1 and 2
8. Station D sends the transmitted packet to station B
Advantages
- no need for one station with two links to two switches
- needs two stations, either compromised or not (in a large multi-switch
environment with many stations, we can sometimes find, for example, two
compromised Windows or Linux hosts)
- when we have good timing and a packet detection method, we can separate one
protocol connection from the whole traffic
Disadvantages of the method.
- stops all traffic between the switches, and needs delicate timing
- when the link between switch 1 and 2 is working, we can't see the frames
flying across the wire
Additional information.
- timing question, i.e. the retransmission time between TCP frames versus the
time to break and repair the link: is it possible to do it before the frame is
retransmitted?
Uh, that's all. Please think about whether it is possible, because my
programming skills are too low to make it work.
With regards
Xperience
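As an added illustration of the switch-side safeguards the Cisco document linked above covers (a port-level check of the kind BPDU guard applies on host-facing ports, and a superior-root check of the kind root guard applies), here is a small Python parser for 802.1D configuration BPDUs with a per-port monitor. It is not code from either poster; the port names, bridge IDs and frames are constructed sample data, and a real deployment would feed it BPDUs captured from a mirror port.

```python
"""Minimal 802.1D configuration-BPDU parser plus a per-port monitor."""
import struct

LLC_STP = b"\x42\x42\x03"        # DSAP/SSAP 0x42, UI control: STP over LLC
TC_FLAG = 0x01                   # topology-change bit in the flags byte


def build_bpdu(flags, root_id, cost, bridge_id, port_id=0x8001):
    """Build a config BPDU; used here only to construct the sample frames."""
    # proto id 0, version 0, type 0 (config), then the timers in 1/256 s
    return LLC_STP + struct.pack("!HBBBQIQHHHHH", 0, 0, 0, flags, root_id,
                                 cost, bridge_id, port_id, 0, 5120, 512, 3840)


def parse_bpdu(frame):
    """Return the fields of a configuration BPDU, or None for anything else."""
    if len(frame) < 38 or frame[:3] != LLC_STP:
        return None
    proto, _ver, typ, flags, root_id, cost, bridge_id, port_id = struct.unpack(
        "!HBBBQIQH", frame[3:30])
    if proto != 0 or typ != 0:
        return None
    return {"flags": flags, "root_id": root_id, "cost": cost,
            "bridge_id": bridge_id, "port_id": port_id}


def monitor(events, edge_ports, expected_root):
    """events: (port_name, LLC payload) pairs. Returns a list of alert strings."""
    alerts = []
    for port, frame in events:
        b = parse_bpdu(frame)
        if b is None:
            continue
        if port in edge_ports:            # a host port should never send BPDUs
            alerts.append(f"{port}: BPDU on edge port from bridge {b['bridge_id']:#x}")
        if b["root_id"] < expected_root:  # lower ID = claims to be a better root
            alerts.append(f"{port}: superior root claimed {b['root_id']:#x}")
        if b["flags"] & TC_FLAG:
            alerts.append(f"{port}: topology-change flag set")
    return alerts


EXPECTED_ROOT = 0x8000001122334455   # constructed: priority 32768 + MAC
SAMPLE = [  # constructed sample frames, not a capture
    ("Gi1/0/24", build_bpdu(0, EXPECTED_ROOT, 4, 0x80000011223344AA)),  # uplink
    ("Gi1/0/5", build_bpdu(TC_FLAG, 0x0000AABBCCDDEEFF, 0, 0x0000AABBCCDDEEFF)),  # host port
    ("Gi1/0/6", b"\xaa\xaa\x03" + b"\x00" * 35),   # SNAP frame, not STP
]
```

Running monitor(SAMPLE, {"Gi1/0/5", "Gi1/0/6"}, EXPECTED_ROOT) yields three alerts, all for the host port, and none for the uplink.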