As every year some of us used the holidays to visit the Chaos Communication Congress to socialize with like-minded people and to hear interesting talks.
I mean what other reasons than learning about security might exist to leave behind all your lovely in-laws you’ve been sharing some relative’s house with the days before … 😉
Here is a short recap of some of the talks we found most interesting:
DHCPv6 Guard: Do It Like RA Guard Evasion
Or: When Cisco ACL Can Count Up to Five 🙂
This is a guest post by Antonios Atlasis.
Hi all,
RA Guard Evasion is well-known in the IPv6 “circles”; there is RFC 7113 Advice for IPv6 Router Advertisement Guard (RA-Guard) and many interesting blog-posts like this one here, here, and this excellent write-up here that discuss this issue.
Moreover, as Jim Smalls states in his comprehensive “IPv6 Attacks and Countermeasures” presentation given at the North American IPv6 Summit 2013, DHCPv6 Guard or a corresponding IPv6 ACL can stop a DHCPv6 Rogue Servers, but (only?) for non-malicious/non-fragmented DHCPv6 packets (slide 35). However, at that time there wasn’t any known attack tool in the wild that had the fragmentation evasion built in.
Continue reading “DHCPv6 Guard: Do It Like RA Guard Evasion”
Continue readingShould IPv6 Packets With Source Address ::1 Be Processed When Received on an External Interface?
This is a guest post from Antonis Atlasis.
Most of you are probably aware of the recently discovered/-closed severe ntpd vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, see also the initial ntp.org security notice). Some days ago the Project Zero team at Google published a blog post “Finding and exploiting ntpd vulnerabilities” with additional details. In this one they mentioned a seemingly minor but quite important detail: on a default OS X installation one of the built-in protection mechanisms of ntpd (that is the restriction to process certain packets only if they are sourced on the local machine) can easily be circumvented by sending IPv6 packets with a spoofed source address of ::1 (the equivalent to 127.0.0.1 in IPv4 which would be discarded by the kernel once received from an external source).
This brought up a number of more generic questions:
a) Should such packets having as source address the IPv6 loopback one be processed at all?
b) Which OSs process such packets?
c) How can we protect our systems from them?
Some Design Aspects of Hacking Challenges
We’re currently starting the preparation for the Troopers15 PacketWars Challenge, and since I’ve participated in quite some CTF games and have been involved in the preparation of a number of PacketWars Battles, I thought I’d write down some thoughts on the design of hacking challenges.
First of all, my experience is limited almost exclusively to attack-defend-CTFs or interactive war games (such as PacketWars or CCDC). While thinking about this blogpost, I also came across several terms which are used, so I decided to give a short summary:
Continue reading “Some Design Aspects of Hacking Challenges”
Continue readingTroopers15 – 5th Round of Talks Selected
Happy new year and all the best for 2015 to everybody!
Here’s the next round of Troopers15 talks (all the others can be found here):
Continue reading “Troopers15 – 5th Round of Talks Selected”
Continue readingTelco Research 2015
Hello and a happy new year 2015 to everybody!
As follow up of our 2014 talk “LTE vs. Darwin” I want to inform you about our telco research in 2015. We are currently dealing with the so called IP Multimedia Subsystem (IMS), which handles the call and media logic of 4G telecommunication networks. This network part provides functions like VoIP (or VoLTE) and takes care of the interconnection to other call or media related networks.
Continue reading “Telco Research 2015”
Hardening Against Local PrivEsc: Protecting Your Links
Following up on this post, we want to provide some details on two rather new (well, compared to its lifespan) Linux kernel parameters — and emphasize the need to enable those:
- fs.protected_hardlinks
- fs.protected_symlinks
Continue reading “Hardening Against Local PrivEsc: Protecting Your Links”
Continue readingTroopers15 – Fourth Round of Talks Selected
As we promised some days ago here’s the fourth round of Troopers15 talks (the first three can be found here). We really can’t wait for the con ourselves 😉 !
Continue reading “Troopers15 – Fourth Round of Talks Selected”
Continue readingRevisiting an Old Friend: Shell Globbing
One interesting observation we make when testing complex environments is that at the bottom of huge technology stacks, there is usually a handful of shell scripts doing interesting stuff. More often than not these helper scripts are started as part of cron jobs running as root and perform basic administrative tasks like compressing and copying log files or deleting leftover files in temporary directories. Of course, these high privileges make them an interesting target for privilege escalation attacks and one class of vulnerability we reliably encounter in shell scripts is unsafe handling of globbing or filename expansions. Continue reading “Revisiting an Old Friend: Shell Globbing”
Continue readingIPv6 Hardening Guide for Windows Servers
After we recently released the “Linux IPv6 Hardening Guide” we got a number of suggestions “could you pls provide a similar document for $OS?” (btw: thanks to you all for the overwhelming interest in the Linux document and the active discussion of ip6tables rule approaches on the ipv6hackers mailing list).
Continue reading “IPv6 Hardening Guide for Windows Servers”
Continue reading