Re: Spanning Tree Switch Exploits? Fact or Fiction?

From: Olli Artemjev (olliat_private)
Date: Wed Apr 17 2002 - 11:23:55 PDT


    On Wed, 17 Apr 2002 02:01:29 -0700
    "Sean Convery" <grommondat_private> wrote:
    
    > I've heard a bit of rumbling about STP exploits with ethernet switches. 
    > They seem to center around two possibilities:
    > 1) Sending bogus BPDUs to a switched network to continually force
    > spanning tree recalculation, thereby creating a DoS condition on the switches.
    Yes, this is possible because 802.1d & 802.1q (but not 802.1s) have no security 
    related to STP. You may do this since this is a normal procedure defined in the standard.
    
    > If you look at FX's prezo from Black Hat Europe last year, he mentions the possibility of both, but doesn't 
    > demonstrate anything.  I'm beginning to wonder if this is just a red herring.
    > Second question is more of a comment.  With far more useful exploits for
    > a switched network (MAC flooding, ARP spoofing), why would you bother with
    > this anyway?  Especially since mitigating the threat is easy enough
    > (BPDU guard mode on Cisco at least).
    > Thoughts?
    > Thanks, Grom
    We've published an article in Russian with full details on possible attacks against the STP algorithm & implementation.
    The English version is in progress now. We're planning to publish this on the net after the paper is posted.
    The announcement in English is available as a link from my ~page (see signature). We also posted this to Bugtraq & some other lists.
    Unfortunately the SecurityFocus maintainers have their own opinion on my post (due to the license) - it can't be found on the web
    & the reply to the question related to the corresponding subject in Bugtraq was stopped by the moderators. This list also didn't 
    receive the announcement since it contained a link to information currently available only in Russian. Well, there are a few DoS 
    variants, MitM & a new sort of sniffing possibilities. More details will be available soon in the English version of our article.
    The code will not be published though, at least its full version, due to script-kiddie presence in the world. =)
    
    -- 
    Bye.Olli						http://olli.digger.org.ru
    MISiS Telecommunications ; CTO, Metaltelecom. 	phone:	+7(095)955-0087
    PGP fingerprints:
    (expire _soon_,2.6.3i,1024)	= F2 24 BE B9 FB 38 04 B0  ED 9C CC 42 21 DC 12 2C
    (expire 2005-02-09,1.0.6,2048)	= 154B 5A59 DF51 6602 F589  2314 C77A 5292 6879 649A
    
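The thread's point is that 802.1D configuration BPDUs carry no authentication, so a monitor can only judge them by their contents and by the port they arrive on. The following is an added example (not code from the list post or from the article it mentions) that parses a configuration BPDU and flags what a defender would alert on: a BPDU on an edge port (the condition BPDU guard reacts to), a root bridge that differs from or is superior to the known root, and the topology-change flag. The two sample BPDUs and the expected root bridge ID are constructed for the example.

```python
import struct
from collections import namedtuple

Bpdu = namedtuple("Bpdu", "flags root_prio root_mac cost bridge_prio bridge_mac port_id")

def parse_config_bpdu(data: bytes) -> Bpdu:
    """Parse an 802.1D configuration BPDU (the 35 bytes after the LLC 42 42 03 header)."""
    if len(data) < 35:
        raise ValueError("truncated BPDU")
    proto, version, btype, flags = struct.unpack("!HBBB", data[:5])
    if proto != 0 or btype != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    root_prio, root_mac = struct.unpack("!H6s", data[5:13])
    (cost,) = struct.unpack("!I", data[13:17])
    bridge_prio, bridge_mac = struct.unpack("!H6s", data[17:25])
    (port_id,) = struct.unpack("!H", data[25:27])
    return Bpdu(flags, root_prio, root_mac.hex(":"), cost,
                bridge_prio, bridge_mac.hex(":"), port_id)

def check_bpdu(bpdu: Bpdu, expected_root, on_edge_port: bool):
    """Return the findings a monitor would raise; an empty list means the BPDU looks normal."""
    findings = []
    if on_edge_port:
        findings.append("BPDU on an edge port: BPDU guard would err-disable this port")
    advertised = (bpdu.root_prio, bpdu.root_mac)
    if advertised != expected_root:
        findings.append("advertised root %04x/%s differs from the expected root" % advertised)
    if advertised < expected_root:
        findings.append("superior BPDU: claims a better root than the current one")
    if bpdu.flags & 0x01:
        findings.append("topology change flag set: forces MAC table aging on every switch")
    return findings

# Constructed sample BPDUs (not captured traffic): a normal one from the known root
# 8000/00:11:22:33:44:55, and a bogus one claiming priority 0 with the TC flag set.
LEGIT_BPDU = (b"\x00\x00\x00\x00\x00" + b"\x80\x00\x00\x11\x22\x33\x44\x55" + b"\x00\x00\x00\x00"
              + b"\x80\x00\x00\x11\x22\x33\x44\x55" + b"\x80\x01\x00\x00\x14\x00\x02\x00\x0f\x00")
ROGUE_BPDU = (b"\x00\x00\x00\x00\x01" + b"\x00\x00\x00\xde\xad\xbe\xef\x01" + b"\x00\x00\x00\x00"
              + b"\x00\x00\x00\xde\xad\xbe\xef\x01" + b"\x80\x01\x00\x00\x14\x00\x02\x00\x0f\x00")
EXPECTED_ROOT = (0x8000, "00:11:22:33:44:55")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_BPDU), ("rogue", ROGUE_BPDU)):
        print(name, check_bpdu(parse_config_bpdu(raw), EXPECTED_ROOT, name == "rogue"))
```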



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 16:32:48 PDT