[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability
- From: "Adam Behnke" <adam@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 4 Apr 2011 10:34:51 -0500
Hi full disclosure dudes,
InfoSec Institute security researcher Alec Waters has just released a new
article on SLAAC Attacks. The basic premise is to use the default network
configuration found on all Windows 7 (as well as Server 2008, Vista)
installations to intercept and hijack all network traffic without any user
knowledge or interaction.
The testing in our lab shows that this attack requires no interaction on the
user's part, and is totally transparent. It is hard to detect even in
enterprise computing environments with significant security gear in place.
It works on wired and wireless networks. Even though we are exploiting the
IPv6 to IPv4 translation process, it does not require an existing IPv6
network to be set up or functional. It only requires the operating system to
have IPv6 enabled by default. Mac OS-X is also likely vulnerable, but we
have not tested it yet.
We detail the vulnerability, the effect, as well as provide scripts and some
tools for setting up the attack here:
http://resources.infosecinstitute.com/slaac-attack-
<http://resources.infosecinstitute.com/slaac-attack---0day-windows-network-i
nterception-configuration-vulnerability/>
--0day-windows-network-interception-configuration-vulnerability/
We contacted Microsoft over the weekend, but, because this is a default
installation configuration vulnerability, Microsoft is not able to release a
patch and states "While you are correct that this may not be something that
is easily/quickly corrected (at least with regards to just pushing out a
patch to change the default configuration if needed) this would be something
that we want to review and explore our options to mitigate against any
potential attacks. "
The fix right now is for Microsoft to default disable IPv6, but this cannot
be done retroactively to production desktops and servers because customers
may be using IPv6 for legitimate reasons. We believe the public needs to
know about the possibility of this attack, because other bad guys could have
figured it out before us and be exploiting unsuspecting companies right now.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/