Arhont Ltd. - Information Security

Arhont Advisory by: Arhont Ltd
Advisory: Making unidirectional VLAN and PVLAN jumping bidirectional
Class: design bug
Vulnerable protocols: 802.1q, various PVLAN implementations
Model Specific: This is a protocol-level attack, not a vendor-specific one

DETAILS:

Wepwedgie, a tool by Anton Rager for traffic injection on 802.11 networks protected by WEP, solves the problem of unidirectional communication by bouncing packets from the target host to a third external host under the attacker's control. We employ exactly the same principle to bypass both VLAN and PVLAN network segmentation.

1. Modification of the double-tagging VLAN jumping attack.

The attacker tags his malicious data with two 802.1q tags and sends the packet with a spoofed source IP of a host under his or her control. This can be any host to which a valid route from the target VLAN is present, including an external host on the Internet. The first tag gets stripped by the switch the attacker is plugged into and the packet is forwarded to the next switch. The remaining tag contains a different VLAN number, to which the packet is sent. So, data is forced to pass between the VLANs. The receiving host will check the source IP of the arriving packet and send the reply to this IP, which is a host that belongs to the attacker. This attack can be launched using Yersinia (http://sourceforge.net/projects/yersinia/).

2. Modification of the MAC spoofing PVLAN jumping attack.

The attacker sends a packet with a valid source MAC but a spoofed source IP of a host under his or her control. This can be any host to which a valid route from the target PVLAN is present, including an external host on the Internet. The target MAC address is replaced with the one of a gateway router. A switch would forward such a packet to the router, which will then look at the IP and direct the packet to the target. Of course, the source MAC of the packet will be replaced by the one of the router, which would then direct the reply packet from the target to the host that belongs to the attacker. This attack can be launched using pvlan.c from Steve A. Rouiller's "Virtual LAN Security: weaknesses and countermeasures" GIAC Security Essentials Practical Assignment.

Note: Such attacks can be used for different purposes, from portscanning to communicating with a backdoor on a different VLAN or PVLAN.

Risk Factor: Medium

Workarounds: There are no direct workarounds. Implement strict egress filtering against the spoofed packets described.

Communication History: sent to CERT on 17/10/05

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer at least 7 days before releasing them to the public domains (such as CERT and BUGTRAQ). If you would like to get more information about this issue, please do not hesitate to contact Arhont team.*
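The egress filtering recommended in the Workarounds section comes down to two checks on frames leaving an access port: more than one 802.1q tag (the double-tagging case) and a source IP outside the prefix assigned to the port's VLAN (the spoofed-source case in both attacks). The following frame inspector is an added example, not code from the advisory or from Yersinia/pvlan.c; the VLAN-to-prefix table, MAC addresses and the fixture frames are constructed sample data.

```python
import ipaddress
import struct

# Assumed VLAN-to-prefix assignments for the egress filter (constructed, not from the advisory).
VLAN_PREFIXES = {
    10: ipaddress.ip_network("10.0.10.0/24"),
    20: ipaddress.ip_network("10.0.20.0/24"),
}

def parse_frame(frame):
    """Return ([vlan ids], source IPv4 or None), walking any chain of 802.1q tags."""
    offset = 12  # skip destination and source MAC
    tags = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == 0x8100:  # 802.1q: TPID 0x8100, then TCI with the VLAN id in the low 12 bits
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    offset += 2  # step past the final ethertype
    src_ip = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        src_ip = ipaddress.ip_address(frame[offset + 12:offset + 16])  # IPv4 source address
    return tags, src_ip

def inspect_frame(frame):
    """Findings an access-port egress filter would raise for this frame."""
    tags, src_ip = parse_frame(frame)
    findings = []
    if len(tags) > 1:
        findings.append("double-tagged")
    if tags and src_ip is not None:
        prefix = VLAN_PREFIXES.get(tags[0])  # outer tag is the VLAN the port belongs to
        if prefix is not None and src_ip not in prefix:
            findings.append("spoofed-source")
    return findings

def sample_frame(vlans, src_ip, dst_ip="10.0.20.5"):
    """Constructed IPv4-over-Ethernet fixture with the given 802.1q tag stack (test data only)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for v in vlans:
        hdr += struct.pack("!HH", 0x8100, v)
    hdr += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return hdr + ip

if __name__ == "__main__":
    print(inspect_frame(sample_frame([10], "10.0.10.7")))        # []
    print(inspect_frame(sample_frame([10, 20], "203.0.113.9")))  # ['double-tagged', 'spoofed-source']
```

A real filter would apply the prefix check per ingress port rather than per outer tag, since a compromised host can choose any tag it likes; the table lookup here stands in for that port-to-VLAN binding.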