List: full-disclosure
Subject: RE: [Full-disclosure] Microsoft Vista's IPv6: Dangerous Information
From: "TJ" <trejrco () gmail ! com>
Date: 2006-08-30 22:19:50
Message-ID: 000601c6cc82$6c5f7d90$451e78b0$ () com
Assuming you are not default-denying almost all traffic (and perhaps
proxying most other?) ... Yes, all you need to do is block the server traffic
(UDP/3544) ... without which Teredo clients won't establish their tunnel,
and the relays never come into play. Hopefully, as more firewalls/IDS's
become more IPv6 savvy they will learn to crack open all of the "transition
mechanism" tunnels - Prot41, UDP-encaps, etc ... sooner would be better than
later.
Also, to (hopefully) answer another of Hadmut's original questions - "Am I
correct or did I overlook anything" ... the only thing I would add is that
Vista is intended to "just make IPv6 work" for the unmanaged environment,
which it looks to do a decent job of ... for better or worse!
To change the topic just a bit - TSP (a la Hexago/Tunnel Broker) can also
traverse NAT via UDP-encapsulation, and while it (IIRC) uses UDP/3653 by
default, since the TSP client needs to be manually installed anyway, someone
could certainly tweak the port# :(.
Thanks; and I'd love to hear more on IPv6-related topics/advancements
(offlist if not FD-relevant) ... especially any distributed FW/IDS
implementations!
/TJ
PS - The availability of Teredo servers/relays is limited, for now ... and the
host needs to be explicitly told the addresses of the server(s), IIRC.
> -----Original Message-----
> From: Jim Hoagland [mailto:jim_hoagland@symantec.com]
> Sent: Wednesday, August 30, 2006 16:30
> To: TJ
> Subject: Re: [Full-disclosure] Microsoft Vista's IPv6: Dangerous
> Information Leak?
>
>
> How do you recommend blocking all Teredo traffic? Can't Teredo clients
> and relays run on arbitrary ports?
>
> Server-bound traffic is easy to block, assuming they are only on port
> 3544.
>
> Thanks,
>
> Jim
>
> --
> Jim Hoagland, Ph.D., CISSP
> Principal Security Researcher
> Advanced Threats Research
> Symantec Security Response
> <http://www.symantec.com> www.symantec.com
>
> On 8/27/06 5:43 PM, "TJ" < <mailto:trejrco@gmail.com> trejrco@gmail.com>
wrote:
>
> > Yes, Teredo is a concern - both for Vista (V6 enabled by default) and
> > for those who have enabled V6 in WinXP (takes one command) ... or for
> > those who have installed a 'nix Teredo client. All predicated on
> > Teredo servers + relays being available, of course.
> >
> > And, for the enterprise / managed env. - easily blockable if you try,
> > even assuming you aren't following a default deny policy :).
> >
> > (BTW - blocking IP prot41 tunnels is also recommended, unless you
> mean
> > to let them out!)
> >
> >
> > /TJ (mobile)
> > PS - there is at least one other UDP-encapsulating 'transition
> > mechanism' as well ... thinking specifically of TSP.
> >
> > -----Original Message-----
> > From: "Hadmut Danisch" <hadmut@danisch.de>
> > To: full-disclosure@lists.grok.org.uk
> > Sent: 08/27/06 06:32
> > Subject: [Full-disclosure] Microsoft Vista's IPv6: Dangerous
> Information Leak?
> >
> > Hi,
> >
> > I haven't been using a Microsoft Windows Vista so far, just read some
> > announcements and white papers. However, it appears to me at a first
> > glance, as if it had a significant information leak.
> >
> > Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called
> > Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the
> > differences are:
> >
> >
> >
> > - IPv6 packages are wrapped in UDP
> >
> > - Thus, they run more easily through Firewalls and NAT devices
> >
> > - You can do it with RFC1918 addresses
> >
> > - In contrast to 6to4 it is intended to be used host-to-host.
> >
> > While 6to4 is something you would run on your outermost router
> > (the one with an official IPv4 address) and provide plain IPv6 to
> > your internal network (then you know what you're doing, you
> > actively have to configure it), Teredo is designed to run
> > automatically on the local host. So every desktop machine becomes a
> > tunneling client.
> >
> >
> >
> >
> > As announced by Microsoft, Teredo is activated by default. Windows
> > Vista will always prefer IPv6 to IPv4 where possible. So most Vista
> > users, especially common users with network experience, would not
> even
> > realize that they are using IPv6.
> >
> > Most network and security devices, and network admins will not
> realize
> > this either, since they see only plain IPv4 UDP packets. I haven't
> > seen any firewall so far able to unpack Teredo packets.
> >
> >
> > So the implications can be severe. As far as I can see at the moment:
> >
> > - You are using IPv6 without realizing or enabling it.
> >
> > - You are running it from your desktop machine.
> >
> > - You are thus opening a tunnel through your NAT/Firewall device
> > passing _all_ kind of traffic unfiltered through, no logging.
> >
> > - Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be
> routed
> > over a central Teredo server or relay, which is "helping" in the
> > configuration of the Teredo client and routing Teredo packets to
> > other Teredo clients or plain IPv6.
> >
> > So these servers (and thus network devices and IP providers close
> to
> > the servers) can easily wiretap your traffic.
> >
> > - I guess that every Vista client will try to register at a Teredo
> > server, so the server will/can generate an almost complete list of
> > all clients.
> >
> >
> >
> > Can anyone experienced with Windows Vista comment on? Am I correct or
> > did I overlook anything? (Did not have a running Vista yet...)
> >
> >
> > regards
> > Hadmut
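Jim's question above (Teredo clients and relays on arbitrary ports) and TJ's wish for firewalls that "crack open" the transition-mechanism tunnels both point at the same defensive step: inspect the UDP payload instead of trusting the port. The Python below is an added example, not code from anyone in this thread: it classifies a raw IPv4 packet as a protocol-41 tunnel, Teredo (recognised from the RFC 4380 headers and the 2001::/32 prefix in the inner IPv6 addresses, whatever port it rides on), a TSP candidate on UDP/3653, or plain traffic, and decodes a Teredo address into the server, mapped port and public client IPv4 it embeds. The sample packets, the addresses (documentation and TEST-NET ranges) and all helper names are constructed for the example.

```python
import ipaddress
import struct
# Constants from the thread and RFC 4380: Teredo prefix, Teredo server port, TSP default port.
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
TEREDO_PORT, TSP_PORT, PROTO_41, PROTO_UDP = 3544, 3653, 41, 17

def decode_teredo_address(addr):
    """(server_ipv4, cone_flag, mapped_port, client_public_ipv4) from a Teredo address; port and
    client IPv4 are XORed with all-ones, so the address itself reveals the client's NAT mapping."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    flags, port, client = struct.unpack("!HHI", a.packed[8:16])
    return (str(ipaddress.IPv4Address(a.packed[4:8])), bool(flags & 0x8000),
            port ^ 0xFFFF, str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)))

def teredo_inner_ipv6(payload):
    """Strip RFC 4380 authentication (0x0001) / origin-indication (0x0000) headers; inner IPv6 or None."""
    while len(payload) >= 4:
        if payload[:2] == b"\x00\x01":   # auth: id_len, au_len, id, au, 8-byte nonce, 1-byte confirm
            payload = payload[4 + payload[2] + payload[3] + 9:]
        elif payload[:2] == b"\x00\x00":  # origin indication is a fixed 8 bytes
            payload = payload[8:]
        else:
            break
    return payload if len(payload) >= 40 and payload[0] >> 4 == 6 else None

def classify_ipv4_packet(pkt):
    """Label a raw IPv4 packet: protocol-41 tunnel, Teredo (judged by payload, not port), TSP, plain."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_41:
        return "6in4/6to4 (IP protocol 41)"
    if proto != PROTO_UDP or len(pkt) < ihl + 8:
        return "plain"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    inner = teredo_inner_ipv6(pkt[ihl + 8:])
    if inner and any(ipaddress.IPv6Address(inner[o:o + 16]) in TEREDO_PREFIX for o in (8, 24)):
        return "teredo (well-known port)" if TEREDO_PORT in (sport, dport) else "teredo (non-standard port)"
    return "tsp-candidate (UDP/3653)" if TSP_PORT in (sport, dport) else "plain"

# Constructed sample packets: documentation/TEST-NET addresses, checksums left at zero.
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def ipv6(src, dst):  # empty IPv6 packet, next header 59 (no next header)
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

CLIENT = "2001:0:c000:22d:8000:63bf:39cc:9bf8"  # server 192.0.2.45, cone, port 40000, client 198.51.100.7
ORIGIN = struct.pack("!HHI", 0, 40000 ^ 0xFFFF, int(ipaddress.IPv4Address("198.51.100.7")) ^ 0xFFFFFFFF)
SAMPLES = {
    "teredo-3544": ipv4("192.0.2.45", "198.51.100.7", PROTO_UDP, udp(TEREDO_PORT, 40000, ORIGIN + ipv6("2001:db8::1", CLIENT))),
    "teredo-odd-port": ipv4("198.51.100.7", "203.0.113.9", PROTO_UDP, udp(40000, 5000, ipv6(CLIENT, "2001:db8::1"))),
    "proto41": ipv4("198.51.100.7", "192.88.99.1", PROTO_41, ipv6("2002:c633:6407::1", "2001:db8::1")),
    "dns": ipv4("198.51.100.7", "192.0.2.53", PROTO_UDP, udp(40001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
}
```

Run `classify_ipv4_packet` over each entry of `SAMPLES` to see that the Teredo packet on port 5000 is still recognised, which is the case a port-only block on UDP/3544 misses.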
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/