This is a guest post from Jed Kafetz.
After seeing Christopher’s post I decided to create a proof using GNS3 and Virtualbox.
The aim is to perform the exact attack using Antonios Atlasis' Chiron tools and to run a Wireshark packet capture proving that the Hop Limit of the NDP packet drops below 255 on its way to the target.
The following topology is used in GNS3:
The routers used are Cisco C372 and the machine labelled Ubuntu is running a default installation of Ubuntu Desktop 14.04 LTS. F0/0 is on the right and F0/1 is on the left.
The following configs are extracts from the routers taken with 'show run'; the relevant commands are highlighted:
R1
ipv6 router rip rp
!
no ip domain lookup
ipv6 unicast-routing
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2212::/64 eui-64
ipv6 rip rp enable
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2211:1::/64 eui-64
ipv6 rip rp enable
R2
no ip domain lookup
ipv6 unicast-routing
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2213::/64 eui-64
ipv6 rip rp2 enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2216::/64 eui-64
ipv6 rip rp2 enable
!
no cdp log mismatch duplex
ipv6 router rip rp2
R3
ipv6 unicast-routing
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2217::/64 eui-64
ipv6 rip rp3 enable
!
ipv6 router rip rp3
The command run on the Ubuntu machine was:
./chiron_local_link.py eth0 -neighadv -d 2217::c003:52ff:fe6d:0
The packet capture was placed at f0/0 on R3 and the following packet was captured (full pcap can be found here):
The screenshot clearly shows that the IPv6 source address is on the 2211:1::/64 network and the destination is on the 2217::/64 network, and that the Hop Limit is 253: it left the Ubuntu machine at 255 and was decremented once by R1 and once by R2, so the Neighbor Advertisement was routed across two hops instead of staying on the local link as the RFCs referenced in Christopher's post assume.
As a result, (some) NDP attacks that were thought to be confined to the link-local network are possible across the Internet, at least against any host that does not discard NDP messages with a Hop Limit other than 255 as RFC 4861 requires; that receiver-side check is the only thing standing between a remote attacker and the neighbor cache.
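To make the Hop Limit behaviour concrete, here is an added example (not part of the original post and not Chiron's code) that builds the same kind of Neighbor Advertisement in pure Python, runs it through two simulated router hops, and then applies the receiver validation from RFC 4861 section 7.1.2. The target address is the R3 f0/0 address from the chiron command above; the attacker address is a constructed EUI-64 host address on R1's 2211:1::/64 segment, and the checksum/flag handling is standard ICMPv6, not anything taken from the lab capture.

```python
import socket
import struct

# Addresses: the target is R3's f0/0 address from the chiron command on the
# page; the attacker address is constructed (an assumed host on 2211:1::/64).
ATTACKER = "2211:1::a00:27ff:fe12:3456"   # constructed, not from the capture
TARGET = "2217::c003:52ff:fe6d:0"         # from the page

ICMPV6_NA = 136          # Neighbor Advertisement
NEXT_HEADER_ICMPV6 = 58


def icmpv6_checksum(src, dst, message):
    """Upper-layer checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([NEXT_HEADER_ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_advertisement(src, dst, target, hop_limit=255):
    """IPv6 header + unsolicited NA (Override flag set, no options)."""
    flags = 0x20000000                      # R=0, S=0, O=1, reserved=0
    msg = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags)
    msg += socket.inet_pton(socket.AF_INET6, target)
    csum = icmpv6_checksum(src, dst, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    # version 6, traffic class 0, flow label 0 / payload length / next hdr / hop limit
    ip6 = struct.pack("!IHBB", 0x60000000, len(msg), NEXT_HEADER_ICMPV6, hop_limit)
    ip6 += socket.inet_pton(socket.AF_INET6, src)
    ip6 += socket.inet_pton(socket.AF_INET6, dst)
    return ip6 + msg


def parse_ipv6(packet):
    """Extract the fields the Wireshark screenshot shows."""
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    return {
        "src": socket.inet_ntop(socket.AF_INET6, packet[8:24]),
        "dst": socket.inet_ntop(socket.AF_INET6, packet[24:40]),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "icmp_type": packet[40],
    }


def forward(packet):
    """What R1 and R2 each do to a unicast packet: decrement Hop Limit, drop at 0."""
    hop_limit = packet[7]
    if hop_limit <= 1:
        return None
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


def nd_receiver_accepts(packet):
    """RFC 4861 7.1.2 validation: ICMPv6 NA, good checksum, Hop Limit exactly 255."""
    f = parse_ipv6(packet)
    if f["next_header"] != NEXT_HEADER_ICMPV6 or f["icmp_type"] != ICMPV6_NA:
        return False
    if f["hop_limit"] != 255:               # the check that stops routed NDP
        return False
    msg = packet[40:]
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return icmpv6_checksum(f["src"], f["dst"], zeroed) == struct.unpack("!H", msg[2:4])[0]


def run_lab():
    """Attacker on R1's segment -> R1 -> R2 -> R3 f0/0 (where the capture was taken)."""
    pkt = build_neighbor_advertisement(ATTACKER, TARGET, TARGET)
    at_r3 = forward(forward(pkt))           # one decrement per router
    return parse_ipv6(at_r3), nd_receiver_accepts(at_r3)


if __name__ == "__main__":
    fields, accepted = run_lab()
    print("seen at R3 f0/0:", fields)
    print("compliant receiver accepts it:", accepted)
```

The `hop_limit` parameter on `build_neighbor_advertisement` plays the same role as Chiron's hop-limit switch: setting it to 255 and letting the routers decrement it reproduces the 253 seen in the capture, while a receiver that skips the `!= 255` test in `nd_receiver_accepts` would happily process the advertisement.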
If you have any comments please leave a comment or contact me on Twitter.
Thanks,
Jed Kafetz
Thanks for the informative article.
A minor hint for the readers: to test the hop limit more easily using Chiron, you can always use the -hoplimit switch, e.g.:
-hoplimit 50
Of course, your testing approach is more realistic.
Best
Antonios