[NEWS] Flaws Found Within the Dynamic Host Configuration Protocol
From: support@securiteam.com  Date: 09/23/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 23 Sep 2002 15:57:36 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Flaws Found Within the Dynamic Host Configuration Protocol
------------------------------------------------------------------------
SUMMARY
This paper highlights some of the problems with the Dynamic Host
Configuration Protocol (DHCP): denial of service, how to perform a
man in the middle attack, and how to steal a machine's identity.
DETAILS
Overview of the Dynamic Host Configuration Protocol
DHCP is used to automatically configure machines with an IP address so
that hosts do not have to be statically assigned IP addresses. DHCP
helps reduce administration, as a central server issues IP addresses to
network cards upon request. DHCP also helps combat the shortage of IP
version 4 addresses, as it allows a network to have more machines than
there are available IP addresses. Most ISPs that offer dial-up access use
DHCP to set a modem's IP address, as they assume that not every modem will
be online at the same time.
Packet exchange for a client's interface to obtain an IP address
For a client's network interface card (NIC) to be assigned an IP address,
several packets are exchanged between the NIC and the DHCP server. The
packet exchange is as follows:
1. The client sends a DHCP discover packet, indicating that a client's
interface requires an IP address from a DHCP server. The client's interface
may ask the server for its previous IP address; this may cause
problems for the man in the middle attack (explained later).
2. The server sends a DHCP offer packet, informing the client of what IP
address is on offer. The IP address being offered may or may not be the
one requested (if the interface asked for a specific IP address with the
discover packet) depending on how busy the network is. If the network is
busy then the IP address requested with the discover packet may have
already been re-assigned to a different interface, thus a different IP
address will be offered.
3. The client sends a DHCP request, informing the DHCP server that the
client's NIC wishes to be assigned the IP address sent in the server's
offer.
4. The server sends a DHCP ACK, acknowledging that the NIC has sent a
request for a specific IP address. At this point, the client's interface
assigns / binds the IP address from the DHCP server's offer packet in step
two.
Once this sequence of packets occurs, a client has been assigned an IP
address and probably a default gateway and DNS server. Numerous options
can be set by the DHCP server, for a full list consult the RFC
documentation.
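The four-step exchange above, as an added worked example that is not part of the advisory or its proof of concept: the code builds and parses RFC 2131/2132 messages (options 50, 53, 54, 3 and 6) and runs a client against a small in-process lease server, so the "requested address no longer free" case from step 2 and the "pool exhausted" case from the denial of service section can be seen directly. The client MACs, the server address 10.0.0.5, the gateway and DNS addresses and the two-address pool are constructed values.

```python
# Added example, not the advisory's code: build/parse RFC 2131 DHCP messages and
# run one client through DISCOVER / OFFER / REQUEST / ACK against a toy in-process
# server. Client MACs, server 10.0.0.5, gateway 10.0.0.1, DNS 10.0.0.2 and the
# two-address pool are constructed values.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# Option codes from RFC 2132
OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 50, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # the fixed 236-byte BOOTP header


def ip_bytes(ip):
    return ipaddress.IPv4Address(ip).packed


def ip_str(raw):
    return str(ipaddress.IPv4Address(raw))


def build(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a DHCP message; options is an iterable of (code, value_bytes)."""
    hdr = struct.pack(HEADER, op, 1, len(chaddr), 0, xid, 0, 0x8000,
                      b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + tlv + bytes([OPT_END])


def parse(pkt):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    msg = {"op": f[0], "xid": f[4], "yiaddr": ip_str(f[8]), "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


class Server:
    """Toy lease server. An OFFER is treated as a binding here, which real servers
    only do tentatively; the point is to show which address the client ends up with."""

    def __init__(self, ident, pool, router, dns):
        self.ident, self.router, self.dns = ident, router, dns
        self.free, self.leases = list(pool), {}

    def _opts(self, mtype):
        return [(OPT_MSG_TYPE, bytes([mtype])), (OPT_SERVER_ID, ip_bytes(self.ident)),
                (OPT_ROUTER, ip_bytes(self.router)), (OPT_DNS, ip_bytes(self.dns))]

    def handle(self, pkt):
        m = parse(pkt)
        mtype, mac = m["options"][OPT_MSG_TYPE][0], m["chaddr"]
        if mtype == DISCOVER:                                  # step 1 -> step 2
            wanted = m["options"].get(OPT_REQUESTED_IP)
            wanted = ip_str(wanted) if wanted else None
            # Honour the requested address only if it is still free, else offer another
            ip = wanted if wanted in self.free else (self.free[0] if self.free else None)
            if ip is None:
                return None                                    # pool exhausted: nothing to offer
            self.free.remove(ip)
            self.leases[ip] = mac
            return build(BOOTREPLY, m["xid"], mac, ip, self._opts(OFFER))
        if mtype == REQUEST:                                   # step 3 -> step 4
            ip = ip_str(m["options"][OPT_REQUESTED_IP])
            if m["options"].get(OPT_SERVER_ID) != ip_bytes(self.ident) or self.leases.get(ip) != mac:
                return build(BOOTREPLY, m["xid"], mac, options=[
                    (OPT_MSG_TYPE, bytes([NAK])), (OPT_SERVER_ID, ip_bytes(self.ident))])
            return build(BOOTREPLY, m["xid"], mac, ip, self._opts(ACK))
        return None


def run_exchange(server, mac, xid, requested=None):
    """Drive a client through steps 1-4; return (bound_ip, router, dns) or None on failure."""
    opts = [(OPT_MSG_TYPE, bytes([DISCOVER]))]
    if requested:
        opts.append((OPT_REQUESTED_IP, ip_bytes(requested)))   # "may ask for its previous IP"
    offer = server.handle(build(BOOTREQUEST, xid, mac, options=opts))
    if offer is None:
        return None
    o = parse(offer)
    req = build(BOOTREQUEST, xid, mac, options=[
        (OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQUESTED_IP, ip_bytes(o["yiaddr"])),
        (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])])        # name the server whose offer we take
    ack = parse(server.handle(req))
    if ack["options"][OPT_MSG_TYPE][0] != ACK:
        return None
    return ack["yiaddr"], ip_str(ack["options"][OPT_ROUTER]), ip_str(ack["options"][OPT_DNS])


if __name__ == "__main__":
    srv = Server("10.0.0.5", ["10.0.0.10", "10.0.0.11"], "10.0.0.1", "10.0.0.2")
    print(run_exchange(srv, b"\x00\x11\x22\x33\x44\x55", 0x1a2b3c4d, requested="10.0.0.11"))
    print(run_exchange(srv, b"\x00\x11\x22\x33\x44\x66", 0x1a2b3c4e, requested="10.0.0.11"))
    print(run_exchange(srv, b"\x00\x11\x22\x33\x44\x77", 0x1a2b3c4f))   # pool now empty
```

The second client asks for 10.0.0.11 too, but that lease has just gone to the first client, so the server offers 10.0.0.10 instead (the step 2 behaviour the text describes); the third client gets no offer at all because the pool is empty, which is the state a starvation attack leaves the real server in.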
Denial of service attack
By spoofing the client's packet exchange, a DHCP server will happily give
all the available leases to spoofed MAC addresses, thus causing a denial of
service. Any machine wishing to join the network after the attack would
not be allocated an IP address, as the whole of the DHCP range will have
been allocated either to valid interfaces (i.e. interfaces already joined
to the network before the attack took place) or to spoofed MAC addresses
(from the attack). Any interface already joined to the network would not
notice the effect of the attack, as it has already been assigned an IP
address, but interfaces without an IP address would not be able to join
the network, as the DHCP server will have no available IP addresses.
Some DHCP servers issue ARP requests or ICMP pings to detect IP
addresses that may be reclaimed by the server. This is done because operating
systems / interfaces do not release their assigned IP address when
shut down. Basic testing of the denial of service code successfully defeated
the ARP method of reclaiming IP addresses (the ICMP method was not tested), as
the number and speed of requests for IP addresses was significantly higher
than the number of ARP requests issued by the DHCP server (when running
multiple copies of the source code from a script). The source code could be
extended to sniff for ARP requests / ICMP ping requests and reply
accordingly, thus defeating the server's method of reclaiming addresses.
A Windows 2000 machine running DHCP with Active Directory sends a packet
at boot up to check that it is the only DHCP server on the network; if it
is the only DHCP server then it is authorized and allowed to act as a DHCP
server. Further investigation is required to see if this can be reversed
to prevent a Win2k DHCP server from starting.
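As an added example (not code from the advisory), the detector below looks for the starvation pattern just described in ISC dhcpd-style syslog lines: a burst of DHCPDISCOVERs from many distinct client MACs on one interface inside a short window, followed by the server itself reporting "no free leases". The log lines, the 60-second window and the 20-MAC threshold are constructed for the example and would be tuned to the real network.

```python
# Added example (not code from the advisory): detect DHCP starvation in
# dhcpd-style syslog lines. Sample log, window and threshold are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: (?P<msg>.*)$")
DISCOVER_RE = re.compile(
    r"^DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifc>[^\s:]+):?(?P<rest>.*)$")
EXHAUSTED_RE = re.compile(r"network (?P<net>\S+): no free leases")


def detect_starvation(lines, window=60, max_macs=20):
    """Return alerts as (kind, interface, detail, timestamp) tuples.

    kind == "starvation": more than max_macs distinct client MACs sent a DISCOVER on
    one interface within `window` seconds (reported once per crossing, not per packet).
    kind == "exhausted": the server logged that its pool for a network ran dry.
    """
    alerts = []
    recent = defaultdict(deque)      # interface -> deque of (timestamp, mac), oldest first
    tripped = set()                  # interfaces already alerted while still above threshold
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DISCOVER_RE.match(m["msg"])
        if not d:
            continue                 # OFFER/REQUEST/ACK lines do not count towards the burst
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ifc, q = d["ifc"], recent[d["ifc"]]
        q.append((ts, d["mac"]))
        while (ts - q[0][0]).total_seconds() > window:    # slide the window forward
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > max_macs:
            if ifc not in tripped:
                tripped.add(ifc)
                alerts.append(("starvation", ifc, f"{distinct} distinct MACs in {window}s", m["ts"]))
        else:
            tripped.discard(ifc)
        e = EXHAUSTED_RE.search(d["rest"])
        if e:
            alerts.append(("exhausted", ifc, e["net"], m["ts"]))
    return alerts


# Constructed sample: two ordinary clients, then 30 DISCOVERs from 30 different
# (spoofed) MACs inside 30 seconds, then the server running out of leases.
SAMPLE_LOG = [
    "Sep 23 15:57:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:3a:1f:22 via eth0",
    "Sep 23 15:57:01 dhcpsrv dhcpd: DHCPOFFER on 10.0.0.10 to 00:0c:29:3a:1f:22 via eth0",
    "Sep 23 15:57:05 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:9b:c0:7e via eth0",
] + [
    f"Sep 23 15:58:{i:02d} dhcpsrv dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth0"
    for i in range(30)
] + [
    "Sep 23 15:58:31 dhcpsrv dhcpd: DHCPDISCOVER from 02:00:00:00:00:ff via eth0: "
    "network 10.0.0.0/24: no free leases",
]

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(alert)
```

Counting distinct MACs rather than raw packet rate matters here: a single misbehaving client retrying DISCOVER every second produces many packets but one MAC, whereas the attack the text describes is precisely many MACs in a short time. The "no free leases" alert is the server's own confirmation that the pool has gone, i.e. that the attack succeeded.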
Rogue DHCP server
By setting up a rogue DHCP server, a hacker could create a veritable
playground for themselves. The DHCP protocol can help a hacker to
redirect traffic through their machine (man in the middle attack) or send
users to false web pages (via a rogue DNS server). This is possible because a
DHCP server can set various options, such as which IP address to use for the
default gateway and which DNS servers to use.
Man in the middle attack
When a rogue DHCP server is started, the real DHCP server and the rogue server
will fight to assign an interface an IP address. If the rogue server wins,
the interface can be assigned a different default gateway. By
assigning a different default gateway (i.e. a hacker's machine), all
outgoing packets would be sent via the hacker's machine and could thus be sniffed.
The machine acting as the default gateway would need to rewrite the MAC
layer to enable the packets to be forwarded to the correct destination
(i.e. the real default gateway).
How the man in the middle attack works
The source code grabs an IP address from the DHCP server using the same
method as the denial of service, but instead of stealing all the IP
addresses only one IP address is stolen. A rogue DHCP server is then
started and listens for a client to send a discover packet to the
broadcast address. The rogue server and the valid server then both send an
offer packet (the rogue server offers the IP address stolen at the start
of the attack; this ensures that no IP address conflicts occur), and
whichever offer reaches the client first determines which server the
client uses. If the client uses the valid DHCP server, the man in the
middle attack fails; if the client uses the rogue DHCP server, the
man in the middle attack succeeds.
A couple of problems with the man in the middle attack
One problem with the DHCP man in the middle attack is that it may not work
on a small network. The attack may not work if the NIC's request for its
old IP address is fulfilled. If the normal DHCP server can fulfill the
request for the specified IP address, the NIC will be assigned its
previous IP address and not the one from the rogue server. The only way a
rogue server can assign IP addresses is if the requested IP address is not
available on the normal DHCP server (i.e. the address has been
re-allocated to another interface). The rogue server would not be able to
fulfill the NIC's initial request, as the rogue server's address range is
based on addresses stolen from the normal DHCP server and is unlikely to
contain the IP address requested. If a rogue server issued a requested IP
address to any NIC that wanted it, problems would occur on the network, as
multiple machines might end up with the same IP address.
Another problem with the attack is that it would only be a one-way attack,
as the default gateway assigned by the rogue DHCP server is not the real
default gateway. The fake gateway would need to sniff the packets and
rewrite the MAC layer to enable the packets to be sent on to the correct
default gateway. The problem arises with packets being sent from the
correct default gateway back to the attacked machine, as those packets would
not pass through the rogue gateway and so cannot be sniffed. This means
that all outgoing traffic can be sniffed and all incoming traffic cannot.
A full man in the middle attack can be established using programs such as
Dsniff and Ettercap, which both utilize ARP poisoning to establish the man
in the middle attack.
Exploiting DHCP to trick users into using a fake DNS server
As mentioned above, a DHCP server can tell an interface which DNS server to
use, so specifying a hacker's machine running a fake DNS server could make
obtaining usernames, passwords and credit card numbers relatively easy.
The fake DNS server would, for example, point www.hotmail.com to the hacker's
IP address, so as long as the hacker has a convincing copy of Hotmail's
front page the username and password could be easily stolen.
Stealing a machine's identity
Many servers that use DHCP get re-assigned the same IP address every time
they request an IP address. A list of MAC addresses (maintained by the
administrator) is used to re-assign the same IP address to a specific MAC
address. By spoofing the MAC address of a specific machine and requesting
the corresponding IP address, a machine's identity can be stolen. For this
to occur the target machine needs to be DoSed, and the packet exchange (to
steal the identity) has to take place before the machine is rebooted. If
successful, the target machine's IP address will be given to the hacker, and
with a bit of ARP trickery (replying to ARP requests) that state should be
maintained.
Man in the middle attack on a machine on a small network (noisy method)
1) Denial of service a machine on the network (try using jolt2).
2) Before the machine reboots, steal the IP address it was allocated so
that it has to request a new address.
3) Start a rogue DHCP server, and hope that it wins the fight to assign the
client an IP address.
Recommendations
Deploy switches (not hubs) and ensure that MAC spoofing is not allowed on
them.
Use the DHCP protocol monitor (Snort IDS plug-in) to identify possible
rogue servers.
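The kind of monitoring the recommendation above refers to, as an added example that is neither the Snort plug-in nor code from the advisory: it audits decoded DHCPOFFER/DHCPACK records for the default gateway substitution from the man in the middle section and the DNS substitution from the fake DNS section, and it flags any transaction that received offers from two different servers, which is the "fight" between the real and the rogue server described earlier. The record layout, the authorised server 10.0.0.5, gateway 10.0.0.1 and DNS servers 10.0.0.2 and 10.0.0.3, and the captured records themselves are assumptions constructed for the example.

```python
# Added example (not the Snort plug-in or code from the advisory): audit decoded
# DHCPOFFER/DHCPACK records the way a passive DHCP monitor would. The record
# format, the allowlists and the sample capture are constructed for this example.
from collections import defaultdict

AUTHORIZED_SERVERS = {"10.0.0.5"}              # expected option 54 (server identifier) values
AUTHORIZED_ROUTERS = {"10.0.0.1"}              # expected option 3 (router) values
AUTHORIZED_DNS = {"10.0.0.2", "10.0.0.3"}      # expected option 6 (DNS) values


def audit_offers(records):
    """records: dicts with xid, msg_type, server_id, src_mac, yiaddr, router, dns (list).

    Returns (finding, xid, detail) tuples for:
      unauthorized_server - option 54 names a server that is not ours
      rogue_gateway       - option 3 would route the client through an unexpected host
      rogue_dns           - option 6 would send name lookups to an unexpected host
      offer_race          - two different servers answered the same transaction id,
                            i.e. something is competing with the real server for a client
    """
    findings = []
    servers_by_xid = defaultdict(set)
    for r in records:
        xid = f"0x{r['xid']:08x}"
        servers_by_xid[xid].add(r["server_id"])
        if r["server_id"] not in AUTHORIZED_SERVERS:
            findings.append(("unauthorized_server", xid, f"{r['server_id']} from {r['src_mac']}"))
        if r["router"] not in AUTHORIZED_ROUTERS:
            findings.append(("rogue_gateway", xid, r["router"]))
        bad_dns = [d for d in r["dns"] if d not in AUTHORIZED_DNS]
        if bad_dns:
            findings.append(("rogue_dns", xid, ",".join(bad_dns)))
    # Correlate across packets: one xid answered by more than one server identifier
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            findings.append(("offer_race", xid, " vs ".join(sorted(servers))))
    return findings


# Constructed capture: the real server and a rogue server both answer one client's
# DISCOVER (same xid), then a second client whose transaction is untroubled.
SAMPLE_CAPTURE = [
    {"xid": 0x1a2b3c4d, "msg_type": "OFFER", "server_id": "10.0.0.5",
     "src_mac": "00:50:56:aa:bb:cc", "yiaddr": "10.0.0.42",
     "router": "10.0.0.1", "dns": ["10.0.0.2"]},
    {"xid": 0x1a2b3c4d, "msg_type": "OFFER", "server_id": "10.0.0.77",
     "src_mac": "00:0c:29:de:ad:01", "yiaddr": "10.0.0.99",
     "router": "10.0.0.77", "dns": ["10.0.0.77"]},
    {"xid": 0x0badf00d, "msg_type": "OFFER", "server_id": "10.0.0.5",
     "src_mac": "00:50:56:aa:bb:cc", "yiaddr": "10.0.0.43",
     "router": "10.0.0.1", "dns": ["10.0.0.3"]},
]

if __name__ == "__main__":
    for finding in audit_offers(SAMPLE_CAPTURE):
        print(finding)
```

The allowlist checks fire on the rogue offer whether or not it wins the race to the client, so the monitor reports the attempt even in the case the text calls a failed attack; the offer_race finding adds the transaction-level view, pairing the rogue server identifier with the legitimate one so an operator can locate the rogue by its source MAC.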
More info
RFC 2131 & 2132
Proof of concept:
A proof of concept can be downloaded by going to:
<http://users.pgen.net/lee.bowyer/exploits.html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:root@NetworkPenetration.com>
Ste Jones.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.