Making unidirectional VLAN and PVLAN jumping bidirectional

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, info@xxxxxxxxxx
Subject: Making unidirectional VLAN and PVLAN jumping bidirectional
From: "Andrew A. Vladimirov" <mlists@xxxxxxxxxx>
Date: Mon, 19 Dec 2005 17:27:33 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Arhont Ltd
Reply-to: mlists@xxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050205

Arhont Ltd.- Information Security

Arhont Advisory by:     Arhont Ltd

Advisory: Making unidirectional VLAN and PVLANjumping bidirectional

Class:                          design bug

Vulnerable protocols: 802.1q, various PVLAN implementationsModel Specific: This is a protocol, and not vendor-specific attack


DETAILS:

Wepwedgie, a tool by Anton Rager for traffic injection on 802.11networks protected by WEP, solves the problem of unidirectionalcommunication by bouncing packets from the target host to a thirdexternal host under the attackers control. We employ exactly the sameprinciple to bypass both VLAN and PVLAN network segmentation.


1. Modification of the double-tagging VLAN jumping attack.

The attacker tags his malicious data with two 802.1q tags and sends thepacket with a spoofed source IP of a host under his or her control. Thiscan be any host to which a valid route from the target VLAN is present,including an external host on the Internet. The first tag gets strippedby the switch the attacker is plugged into and the packet is forwardedto the next switch. The remaining tag contains a different VLAN number,to which the packet is sent. So, data is forced to pass between theVLANs. The receiving host will check the source IP of the arrivingpacket and send the reply to this IP, which is a host that belongs tothe attacker.

This attack can be launched using Yersinia(http://sourceforge.net/projects/yersinia/).


2. Modification of the MAC spoofing PVLAN jumping attack.

The attacker sends a packet with a valid source MAC but a spoofed sourceIP of a host under his or her control. This can be any host to which avalid route from the target PVLAN is present, including an external hoston the Internet. The target MAC address is replaced with the one of agateway router. A switch would forward such packet to the router, whichwill then look at the IP and direct the packet to the target. Of course,the source MAC of the packet will be replaced by the one of the router,which would then direct the reply packet from the target to the hostthat belongs to the attacker.

This attack can be launched using pvlan.c from the Steve A. Rouiller's"Virtual LAN Security: weaknesses and countermeasures" GIAC SecurityEssentials Practical Assignment.

Note: Such attacks can be used for different purposes from portscanningto communicating with a backdoor on a different VLAN or PVLAN.


Risk Factor: Medium

Workarounds: There are no direct workarounds. Implement strict egressfiltering against the spoofed packets described.


Communication History: sent to CERT on 17/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilitiesand security issues will be reported to the manufacturer at least 7 daysbefore

releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please donot hesitate to contact Arhont team.*

Prev by Date: Authenticated EIGRP DoS / Information leak
Next by Date: about phpMyAdmin's server_privileges.php announced vulnerability
Previous by thread: Authenticated EIGRP DoS / Information leak
Next by thread: Re: Making unidirectional VLAN and PVLAN jumping bidirectional
Index(es):
- Date
- Thread