IPv6 SLAAC abused

AndyRH

I found this interesting and I thought others might as well.

https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/

Gertjan

@AndyRH

When I finish reading, I had to restart with one thought in mind " .... and what if I introduce a good old IPv4 DHCP server into a network, like kea and/or ISC ? and try to capture DHCOP braodcasted requests with it ?" Rogue DHCP servers, that's not a new thing.
Ok, true, SLAAC stand for "auto configuration" (right ?) but there still needs to be some 'code logic" that determines a usable IPv6, usable IPv6 gateway, DNS and so on. Call it SLAAC, call it a DHCP(v6) server, it's all the same while being different.
Just above a network using SLAAC there must be a DHCPv6 server, as I can't seem to figure out how my entire ISP (40 millions clients ) would use SLAAC to have all these 40 M client devices to auto assign themselves the needed IPv6 stuff, wouldn't that be a broadcast hail storm ?

Anyway, to more I think it over, the more I realize I don't no s**** about anything.

That why I totally abuse this wrong-reasoning : my networks always worked well with a centralized DHCPv4 server. I "te admin", manages this centralized router = pfSense, I assign the devices connected to my network.
Not "let's go plain auto SLAAC" as I prefer to have this impression that I control something with the classic tools.
Also because I prefer
2a01:dead/beef:a6e2::a0
over
2a01:dead:beef:a6e2:92ec:77ff:fe29:392c

Where 2a01 is ... the most obvious IPv6 address range being used right now.
"dead:beef" is my ISP
"a6" is my connections 'ID'.
e2 or 320 decimal is the prefix they gave me (one out of the 255 others = /56)
This "e2" is the prefix I use on one of pfSense's LAN's.
a0 = My NAS on the pfSene LAN.

I also use my pfSense DHCPv6 servers to do the revers IP registration in my own public DNS 'domain name server' so I can forget about the "what is the IPv6 ?" question and use the world wide known host name of my NAS, everywhere. I know, this can be done using SLAAC also (I guess ...).

Hummm ... sorry.... I'll shorten my ranting.
Short answer : to be exposed to the issue, you must first find this "an archive named AVGApplicationFrameHostS.zip", then unzip it, being sure that this is the latest and greatest that you must have. Install it ... and then see what happens ... ?
I'm not sure, it's maybe just me, but isn't that like "throw my credit card out of the windows and see what happens with my bank account ?" Or : the "traffic light is red, so I won't stop" ?
The average pfSense admin would be immune for these situations.

I would feel better if the article was published on toctoc

AndyRH

A common misconception is an interesting attack like this one is the way in. Frequently it is a chain of attacks that get companies and people in trouble. A low access breach is chained with other attacks and quickly the attacker is root. Read the Pwn2Own results. Pwn2Own is a hacking competition and most winners chain attacks.

Since this one is actively being used it must be working. I am sure this will breed new attacks.

Defensive thinking will have you lock your front door, offensive thinking will have you bar the front door.