Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux problem, steal of IP and traffinc redirection could bypass a firewall
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Sun, 07 Nov 2004 12:16:38 +0100

Le samedi 06 novembre 2004 à 21:35 +0100, NetExpress a écrit :
Because of this, If I have a gateway, with IP IPA, and set a
desktop/server on the lan with the same ip IPA, when it start it will
be the new gateway for the all network.

For this to work, you must assume gateway ARP entry (MAC/IP association)
is not in targeted system ARP cache, which is a quite hasardous
assumption as a system is supposed to interact quite often with it.
Moreover, even if it is not present, you will have an ARP answer race on
this very IP (yours and the gateway's one), which has to be solved in
order to correctly achieve redirection.

If linux would send a gratious arp when it give up an IP  real or virtaul
this problem will not be possible, because it could not bind a IP that is
already present on the net.

I really don't see why.
If I want to spoof an IP the way you exposed, the _very_ simple way is
to filter that very gratuitous ARP, using ebtables, so it will get
droped.

Moreover, there's more efficient ways to achieve network MiM attacks,
especially ARP cache poisoning, that do not need to spoof an IP the way
you exposed. See http://www.arp-sk.org/ as a one among all article on
this technic.

In addition to this, simply relying the assumption the _compromised_
host will just say "hello, I'm spoofing your IP" to everyone is blindly
naive. MS Windows does send gratuitous ARP, and it really does not
prevent anyone to spoof IPs from Windows system. What can prevent one
from writing a program (relying on WinPCAP) that listens to ARP requests
and answers them with its own IP, which achieve just the same than
aliasing the IP ? Moreover, the way gratuitous ARP reception is handled
by sending a "Hey man, I'm spoofed" window can be used a clear DoS for
the guy logged who will spend his time closing such alerts... This
raises the problem of "how would you treat a spoofed gratuitous ARP ?",
which is to me an clear open boulevard to network DoS.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]