<<< Date Index >>>     <<< Thread Index >>>

Making unidirectional VLAN and PVLAN jumping bidirectional



Arhont Ltd.- Information Security

Arhont Advisory by:     Arhont Ltd
Advisory: Making unidirectional VLAN and PVLAN jumping bidirectional
Class:                          design bug
Vulnerable protocols: 802.1q, various PVLAN implementations Model Specific: This is a protocol, and not vendor-specific attack

DETAILS:

Wepwedgie, a tool by Anton Rager for traffic injection on 802.11 networks protected by WEP, solves the problem of unidirectional communication by bouncing packets from the target host to a third external host under the attackers control. We employ exactly the same principle to bypass both VLAN and PVLAN network segmentation.

1. Modification of the double-tagging VLAN jumping attack.

The attacker tags his malicious data with two 802.1q tags and sends the packet with a spoofed source IP of a host under his or her control. This can be any host to which a valid route from the target VLAN is present, including an external host on the Internet. The first tag gets stripped by the switch the attacker is plugged into and the packet is forwarded to the next switch. The remaining tag contains a different VLAN number, to which the packet is sent. So, data is forced to pass between the VLANs. The receiving host will check the source IP of the arriving packet and send the reply to this IP, which is a host that belongs to the attacker.

This attack can be launched using Yersinia (http://sourceforge.net/projects/yersinia/).

2. Modification of the MAC spoofing PVLAN jumping attack.

The attacker sends a packet with a valid source MAC but a spoofed source IP of a host under his or her control. This can be any host to which a valid route from the target PVLAN is present, including an external host on the Internet. The target MAC address is replaced with the one of a gateway router. A switch would forward such packet to the router, which will then look at the IP and direct the packet to the target. Of course, the source MAC of the packet will be replaced by the one of the router, which would then direct the reply packet from the target to the host that belongs to the attacker.

This attack can be launched using pvlan.c from the Steve A. Rouiller's "Virtual LAN Security: weaknesses and countermeasures" GIAC Security Essentials Practical Assignment.

Note: Such attacks can be used for different purposes from portscanning to communicating with a backdoor on a different VLAN or PVLAN.

Risk Factor: Medium

Workarounds: There are no direct workarounds. Implement strict egress filtering against the spoofed packets described.

Communication History: sent to CERT on 17/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before
releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please do not hesitate to contact Arhont team.*