[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: STP mitm attack idea


Before the Cisco network-witty guys will start poking around calling it a fudge and welcoming you to the last week, I might outline this for you: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965
It's a feature, not a bug, and it's as oldschool as email forging with telnet or BGP poisoning by more specific route injection. Of course, there might be STP enabled switches out there with no security features, but the problem resides in the risk management not in the product.
Sounds to me more like the description of a threat, not like a vulnerability. Great for Risk Assessment scenarios, though.

Stefan Laudat
Information Security Manager
CISSP-ITIL Manager-PrInCE2 Practitioner
Allianz-Tiriac Asigurari SA
Tel: +4012082381 / Int 100381
80-84 Caderea Bastiliei str., Bucharest 1, 010616, Romania

Please note: This email and any files transmitted with it is intended only for the named recipients and may contain confidential and/or privileged information. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others and notify the sender immediately. Then please delete the email and any copies of it. Thank you.

ÂïïPlease consider the environment before printing this e-mail. 

Allianz is committed to achieve a group-wide CO2 reduction of 20% by 2012:
Print two pages on one side and bothsides
Avoid handouts; send your presentation electronically
Use recycled paper whenever possible
Scan mail documents and send them per email
Use one-sided prints as scratch papers
Select the "Power saver" plan option on your computer

-----Original Message-----
From: xperience@xxxxxxxxxx [mailto:xperience@xxxxxxxxxx] 
Sent: Tuesday, April 27, 2010 8:55 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: STP mitm attack idea

As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one station and two ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station
As two cards are possible, that access to two switches in one ie. office is almost impossible.
My idea for modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches in way beetween attacked stations (C and D) 

A ---- switch 1 ----- switch 2 ----- B
          |              |
          |              |
          C              D

Take first scenario:
1. A - sends frame to B
2. Switch 1 - accepts frame and forwards it to switch 2 3. Switch 2 - accepts frame via link from switch 1 and forwards it to B

Second scenario:
1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non existing connection and switch from C port on switch 1 to D port on switch 2

A ---- switch 1 --X-- switch 2 ----- B
          |              |
          |              |
          C  --no conn-- D
2. Station A sends frame to B
3. Frame is forwarded to C station
4. Station C stores frame in memory
5. After equal timing station C and station D repair link beetween switch 1 and 2 6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet) 7. stations C and D break link beetween switches 1 and 2 8. station D sends transmitted packet to station B

- no need for one station with two links to two switches
- needs two stations, either compromised or not (in large multiswitch enviroment with many stations sometimes we can find in example two compromised windows or linux hosts)
- when we have good timing and packet detection method, we can separate one protocol connection from whole traffic

Disadvantages of method.
- stops whole traffic beetween switches, and needs delicate timing
- when link beetween switch 1 and 2 is working we can't see frames that flying across wire

Additional information.
- timing question, ie - retransmition time beetween tcp frames, and time to break and repair link - is it possible to do it before frame is retransmited?

Uh that's all. Please think about it is possible, because my programming skills are to low to make it working.

With regards