ARP hole in Windows NT/2000

From: Grzegorz Flak (Grzegorz.Flakat_private)
Date: Thu Nov 22 2001 - 10:45:25 PST


Hi,

I am not sure if it is something new, but I think I found a serious
vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
in the middle" technique to eavesdrop on your traffic. This example was done
with ettercap.
To feel protected I use 'arp -s' to specify the correct MAC for the default
gateway. So I had:
  10.10.1.4             00-b0-64-49-1e-01     static

Then I used ettercap to capture my traffic to the gateway. Of course I
could see my POP3 pass ;) Then I checked the arp table once again:

  10.10.1.4             00-01-02-23-85-e1     static

The MAC is different (this is the MAC of my Linux box). I checked the same
on Solaris 2.7 and Linux 2.4.8 and they look not vulnerable.
Is this an already known vulnerability? (I found indication of a similar
weakness, but that was on Windows 9x.)

Any suggestions how to get rid of that?

Regards
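One defensive check that follows from the post, as an added example (not code from the poster): parse text in the layout of Windows `arp -a` output and compare each pinned gateway entry against the MAC you set with `arp -s`, rather than trusting the `static` flag. The sample output below is constructed from the two MACs quoted in the message; the interface line and the second host are made up.

```python
import re
from typing import Dict, List, Tuple

# Gateway MAC pinned with 'arp -s', as in the post
EXPECTED: Dict[str, str] = {"10.10.1.4": "00-b0-64-49-1e-01"}

# Constructed samples in the layout of Windows `arp -a` output,
# before and after the static entry was overwritten
ARP_BEFORE = """
Interface: 10.10.1.20 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-b0-64-49-1e-01     static
  10.10.1.7             00-50-56-aa-bb-cc     dynamic
"""
ARP_AFTER = ARP_BEFORE.replace("00-b0-64-49-1e-01", "00-01-02-23-85-e1")

# One table row: IPv4 address, dash-separated MAC, entry type
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(static|dynamic)\s*$"
)

def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {ip: (mac, type)} for each entry row; header lines are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind)
    return table

def check_pinned(text: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """One alert per pinned IP whose entry is missing or carries another MAC.

    The 'static' flag alone is not proof the entry is intact (the post shows
    it surviving the overwrite), so the MAC itself is compared.
    """
    table = parse_arp_table(text)
    alerts: List[str] = []
    for ip, want in expected.items():
        entry = table.get(ip)
        if entry is None:
            alerts.append(f"{ip}: pinned ARP entry missing")
        elif entry[0] != want.lower():
            alerts.append(f"{ip}: expected {want}, found {entry[0]} ({entry[1]})")
    return alerts
```

Run `check_pinned()` on the output of `arp -a` at intervals; a non-empty result on a host where the entry was pinned is the condition the post describes.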
    
    This archive was generated by hypermail 2b30 : Thu Nov 22 2001 - 17:31:21 PST