Abusing ICMPv6 to manipulate network traffic

 In this blog I will explain the mechanics of the attack that uses ICMPv6 protocol, more particularly, two of its message types to redirect the network traffic over an arbitrary device.

ICMPv6 shares a lot of common functionality with its v4 equivalent. Even the two attacks I will describe in more details have been proven in the ICMPv4. It seems the reason that ICMPv6 remains vulnerable to them is vendors view that the desired behavior of the operating systems is such by design. 

The foundation of the attacks are two message types - Router Advertisement and ICMP Redirect. As one may infer, Router Advertisement is essentially telling the network devices that a new (attacker's) device is a router for a designated route. ICMP Redirect missuses the capability of ICMP protocol to redirect traffic over an alternative IP address if the network gets congested, for example, and the default gateway is no longer the best route.

Let us start with an example of Router Advertisement where an attacker device declares itself as being a legitimate router for an arbitrary route. In my attacks , I will use the "dead:beef" route as it's easy to remember. In the diagram below, this is the ATTACK 1.  

The attack constructs the Router Advertisement ICMP message , but it manipulates the parameters of the message so that the desired router for our "dead:beef" route is an attacker's device. I use Python in conjunction with Scapy, a network library, to construct the packet from the scratch as we need to modify some lower-OSI layer headers.


When the above script is run, the "dead:beef" route gets happily injected into the IPv6 routing table of the victim operating system. Both CentOS and Windows OSes were tested.


The above figure shows the injection into the CentOS , however, the same logic applies equally to the Windows. With a slight modification of the prefix being injected, you can still identify the newly inserted entry into the Windows routing table.

The root cause of these two vulnerabilities is the default setting of the kernel parameters that allow processing of the ICMP messages in question.  In Windows, the feature is labelled "Router Discovery" and is enabled by default.

Similarly, in CentOS it is the kernel parameter "accept_ra". Note they are set to "1" meaning "enabled".


The next attack is an example of ICMP Redirect whose logic is depicted in the below figure.

When user wants to load an external web page and the network is congested, for example, the default gateway may broadcast ICMP message instructing devices to reroute their traffic via an alternative gateway. This is an example of a network traffic redirection.

For this attack we are constructing a slightly different ICMP message, this time using the Redirect packet flag. Note the "tgt" now points to our attacking machine equipped with network monitor to view the traffic.


These two attacks can be combined so that we first instruct the victim to send the traffic for a particular route to the attacker's device and then superimpose another attack that will redirect the injected route over yet another device of our choice. A single attacking device can be used for both attacks - in my setup I had two attacking devices.

The first one was the Kali Linux simulating the legitimate routing device whereas the other device was Windows 10 with wireshark that was simulating the attacker's interception. When both attacks chained, the packet flows look as follows:

After experimenting with the attacks and trying to understand the underlying conditions that allowed those exploits, i contacted Microsoft Security to check their view. Apparently, this is by design.


Even though I do understand that every routing engine must have the capability to update its state based on the changes that may happen to the network topology, I am not sure that "regular" operating systems such as Linux and Windows should have these capabilities turned on by default.




Comments

Post a Comment

Popular posts from this blog

Signature verification bypass vulnerability in some Huawei routers

Image
This blog will describe the discovery of the digital signature bypass on some Huawei routers.  The idea of digital signature check is simple - you have a piece of code and you calculated the checksum/hash of that file. The hash or checksum can be thought of as a "signature", a mathematical value that is uniquely assigned to the code (in our case the code was a firmware file). As soon as you change anything in the file and recalculate the hash, it should be significantly different from the original value - that is the feature of the hashing algorithm. Even the small change in the code will change the hash significantly. Vendors in most cases provide the such a pre-calculated hash so that the customer or the system may check if the hash of the image is indeed the same as vendor required. What was found in this investigation was that the system command on the Huawei AR1220E router does not perform this check properly. As a consequence, the attacker might be abl
Read more

Attacking encrypted VOIP (SIP) protocols

Image
In this post I will be explaining the approach in attacking the encrypted voice over IP (VOIP) protocol, more specifically, SIP (Session Initiation Protocol).  When we are talking about the SIP encryption, it will most likely assume some kind of SSL/TLS wrapping (SIP over TLS). An example below shows the solution design that allows interception, decryption and manipulation of SIP messages. The central component consists of mitm_relay.py and BURP. It is not required that both BURP and mitm_relay run on the same machine, but my setup did run both of them on the same virtual instance. The communication chain looked like this: Client -> mitm_relay->BURP->SIP Server->Client 2 The mitm_relay.py is a python script available at https://github.com/jrmdev/mitm_relay Before we fire up the mitm_relay, we need to configure couple of things- its certificate (self signed in my case, and private key). Once this is in place, we can run it: Few details about the mitm_relay setup:
Read more

DNS insights - UDP vs TCP and EDNS

Image
In this article I will elaborate the research I did in relation to DNS (Domain Name Service). The particular issue discussed here is when and how DNS uses TCP or UDP transport layer in relation to the packet size. Normally, DNS will run queries and replies via UDP protocol unless there is a Zone Transfer , incremental or full (IXFR or AXFR , respectively). According to the original DNS specification as given in the RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt), DNS will also use TCP for packets larger than 512 bytes. However, there was another RFC issued in 2013 which is RFC 6891 (Extension Mechanism for DNS), labelled as EDNS(0). https://tools.ietf.org/html/rfc6891 I came across this issue accidentally, but as we will see in the text, some issues were noticed that are some not well documented reasons why DNS may fail to comply with EDNS. To do the proper investigation, here are some assumptions I worked with: a) I wanted to check DNS clients from both Windows and Linux b) I wan
Read more