Proactive Network Security
New Vulnerabilities in IPv6
Tyler Reguly

Who Am I?
• Security Research Engineer w/ nCircle VERT
  – Interesting research in IPv6, OS X and Web Application Security
• Blogger
  – http://www.computerdefense.org
  – http://blog.ncircle.com/vert
• Spoken Previously @ TASK and OWASP Toronto

IPv6 Basics / Features
• New Header Format
  – Addresses are 4x the size of IPv4, yet the header is only 2x bigger.
• Larger Address Space
  – 128-bit Address Space
• Increased QoS Support
  – Flow Label field in header
• Stateful & Stateless Address Configuration
  – DHCP or Automatic Address Assignment
• Built-in Security
  – IPSec is built into the protocol

Testing Setup
• IPv6 Router (Windows Server 2003 SP1)
• 3 Hosts
  – Windows Server 2003 SP1
  – Windows XP SP2
  – Ubuntu 7.04
• Testing was related to nCircle’s IPv6 research; this issue was found during that testing.

Background on the Attack
• If you add an IPv6 route to your router (W2K3) and tell it to publish it, the route is shared to all hosts.
• You can publish large quantities of these addresses relatively quickly.
  – From the command prompt (command on the next page)
  – You could spoof these even faster
• Various Operating Systems deal with these large numbers of advertisements in different ways.

The Command
C:\Documents and Settings\Administrator> for /L %k in (0, 1, 9999) DO for /L %i in (0, 1, 9999) DO netsh interface ipv6 add route 2001:db8:%k:%i::/64 "Local Area Connection" publish=yes

Windows XP Results
• A Denial of Service situation occurs where Windows XP will continuously receive and record the published addresses.
• XP will maintain 100% CPU usage as it attempts to handle these addresses (svchost.exe running as SYSTEM).
• My first round of testing was after ~7500 addresses and XP generated errors in both ipconfig and netsh

ipconfig Error
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
An internal error occurred: The file name is too long.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.

netsh Error
C:\Documents and Settings\Administrator>netsh interface ipv6 show address
Querying active state...
No entries were found.
The file name is too long.

Windows Server 2003 Results
• Windows Server 2003 seems to have a 9600 ‘route’ limit.
• If I continue to publish after the 9600 limit is hit, the addresses tied to the routes are simply discarded.
• Potentially a larger problem than adding all ‘routes’.
• What happens if a valid ‘route’ is published?
  – It is ignored!

Ubuntu Results
• Ubuntu beats even Server 2003
• Ubuntu has a 16 ‘route’ limit.
• If you continue to publish addresses after that, they are discarded.

Potential Attack
• What’s interesting about this attack is that the router isn’t ‘registered’ or specified.
• Anything on the network can publish ‘routes’
• The Result:
  – A malicious individual could spam out invalid ‘routes’.
  – Many systems inadvertently have IPv6 enabled
  – All of these systems would be affected.
    • Hosts could have their CPUs maxed
    • Servers could lose communication with other hosts.

Potential Outcome
• Windows XP
  – Effective DoS against the host
    • Host is forced to 100% CPU Usage
    • Troubleshooting tools are rendered ineffective.
  – Mitigation: Don’t use IPv6
• Server 2003 and Ubuntu
  – Effective DoS that could limit access to network resources.
    • Server will not learn new ‘routes’
  – Mitigation: Don’t use IPv6

Vendor Responses
• Ubuntu Security Team
  – No Response to my Email
• MSRC
  – Immediate response (April ’07)
  – Ongoing discussion (April – June ’07)
  – Determination that this issue would be fixed in SP3 (June ’07)
    • Hadn’t tested beyond XP at this point
  – Follow-up to see if the fix was in SP3 (April ’08)
    • It had been triaged out (deemed unimportant)
  – Public Release (May ’08)

Questions / Comments?
Thanks!
Contact [email protected]
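
Added example (not part of the original slides or nCircle's tooling): detection logic for the condition described under Potential Attack, where one sender on the link announces far more 'routes' than a host will keep. It assumes the published routes reach hosts as options in ICMPv6 Router Advertisements (Prefix Information, type 3, or Route Information, type 24); the names ra_prefixes, RouteFloodDetector and SAMPLE_RA are hypothetical, the sample bytes are constructed, and the default limit of 16 is taken from the Ubuntu result above.

```python
import ipaddress
from collections import defaultdict

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861)
OPT_ROUTE_INFO = 24    # Route Information option (RFC 4191)

# Constructed sample: one RA body with a Route Information option for 2001:db8:0:1::/64.
SAMPLE_RA = bytes.fromhex(
    "8600000040000708" "0000000000000000"                   # 16-byte RA header
    "1803400000000708" "20010db8000000010000000000000000")  # option 24, /64


def ra_prefixes(icmp6):
    """Return the prefixes carried in one RA body ([] if it is not a usable RA)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return []
    found, pos = [], 16                       # options start after the RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            break                             # zero-length or truncated option
        body, raw = icmp6[pos:pos + opt_len], None
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            raw = body[16:32]
        elif opt_type == OPT_ROUTE_INFO and opt_len in (8, 16, 24):
            raw = body[8:].ljust(16, b"\0")   # prefix field is 0, 8 or 16 bytes
        if raw is not None and body[2] <= 128:
            found.append(str(ipaddress.IPv6Network((raw, body[2]), strict=False)))
        pos += opt_len
    return found


class RouteFloodDetector:
    """Flag a sender advertising more than `limit` distinct prefixes within `window` seconds."""

    def __init__(self, limit=16, window=60.0):  # 16: assumed default, the Ubuntu limit above
        self.limit, self.window = limit, window
        self.seen = defaultdict(dict)         # sender -> {prefix: time last seen}

    def observe(self, ts, sender, icmp6):
        recent = self.seen[sender]
        for prefix in ra_prefixes(icmp6):
            recent[prefix] = ts
        for stale in [p for p, t in recent.items() if ts - t > self.window]:
            del recent[stale]
        return len(recent) > self.limit       # True once the sender is over the limit


if __name__ == "__main__":
    det = RouteFloodDetector()
    print(ra_prefixes(SAMPLE_RA), det.observe(0.0, "fe80::1", SAMPLE_RA))
```

Feed observe() the capture timestamp, the sender's link-local or MAC address, and the ICMPv6 payload of each Router Advertisement seen on the segment; a True return marks a sender worth investigating.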