Hi folks,

another neat security issue with IPv6 which can be also exploited on
IPv4-only LANs.
It is possible to identify hosts on the local LAN which are sniffing.
But before spoiling the details, a short rant. Skip it if you don't care.

I am mad at Microsoft how they ignore severe but local LAN security
issues. (see
http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt)

I usually only make an advisory if the the vendor does not fix the bug
in a timely fashion (> 6 months) or it was a deliberate backdoor.
So when I found the IPv6 Router Advertisement flooding DOS, I was
surprised that Cisco fixes the bug fast - and Microsoft doesnt.
It is their stand (as can be read in an interview they gave here
yesterday:
http://www.securityvibes.com/community/en/blog/2011/04/14/ipv6-tackling-the-rogue-ras)
that local LAN attacks are nothing to worry about, as this is only
possible if someone is already in the trusted environment.
That "trusted environment" can mean a conference or university network,
or a public WLAN, doesnt seem to be a problem for Microsoft.

But picture my surprise when I reported Microsoft that it is possible to
detect a Windows system sniffing on the local LAN - they will fix this
security issue.

Yes, read again. Sniffing detection is a serious security issue for
Microsoft to fix, but DOSing all Windows systems on the same network is
nothing to move a finger for.

Enough ranting, lets get the details.

All you need to do is sending an ICMPv6 Echo Request packet to the
potentially sniffing host with a multicast MAC address. Multicast MAC
addresses are special MAC addresses that a system can choose to look
for; they start with 03:03:.....
The multicast MAC address you choose may of course not one the host is
listening to, 03:03:99:00:00:99 should be a safe choice.

This can be tested with the thcping tool from the thc-ipv6 package
(www.thc.org/thc-ipv6):
  ./thcping eth0 YOUR-LINK-LOCAL-ADDRESS TARGET-LINK-LOCAL-ADDRESS
YOUR-MAC 03:03:99:00:00:99 foo
Run a sniffer (e.g. in non-promisc mode ;-) and see if you get an echo
reply. If so, the target host is sniffing.

The target host's link local address can be created from it's MAC
address, e.g. if it is 00:30:48:53:aa:aa, then the link local address is
fe80::230:48ff:fe53:aaaa (note the bit flip on the first MAC address octet).

There is also a way to send this to all local systems at once via
ff02::1, however this involves crafting a special error generating
destination extension header.
(this might even work with IPv4 pings and multicast MACs and not even
need ICMPv6 at all, haven't tried, didn't care.)

Affected OS:
Windows 2008, 7, Vista in default config; 2003, 2000, XP when IPv6 is
activated.
Linux in default config
FreeBSD when IPv6 is activated

CVEs: CVE-2010-4562, CVE-2010-4563
Vendors informed on the 29th December 2010

This does not count as a security advisory :-)

Greets,
Marc

P.S. For the historians, funnily I found a similar issue for IPv4 in
1998 which could detect sniffing Linux machines. History repeating.
Especially with IPv6.

--
Marc Heuse
http://www.mh-sec.de
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A