Hello, Before the Cisco network-witty guys will start poking around calling it a fudge and welcoming you to the last week, I might outline this for you: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965 It's a feature, not a bug, and it's as oldschool as email forging with telnet or BGP poisoning by more specific route injection. Of course, there might be STP enabled switches out there with no security features, but the problem resides in the risk management not in the product. Sounds to me more like the description of a threat, not like a vulnerability. Great for Risk Assessment scenarios, though. Stefan Laudat Information Security Manager CISSP-ITIL Manager-PrInCE2 Practitioner Allianz-Tiriac Asigurari SA Tel: +4012082381 / Int 100381 80-84 Caderea Bastiliei str., Bucharest 1, 010616, Romania Please note: This email and any files transmitted with it is intended only for the named recipients and may contain confidential and/or privileged information. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others and notify the sender immediately. Then please delete the email and any copies of it. Thank you. Please consider the environment before printing this e-mail. Allianz is committed to achieve a group-wide CO2 reduction of 20% by 2012: Print two pages on one side and bothsides Avoid handouts; send your presentation electronically Use recycled paper whenever possible Scan mail documents and send them per email Use one-sided prints as scratch papers Select the "Power saver" plan option on your computer -----Original Message----- From: xperience@xxxxxxxxxx [mailto:xperience@xxxxxxxxxx] Sent: Tuesday, April 27, 2010 8:55 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: STP mitm attack idea As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one station and two ethernet NICs. That attack is in most cases useless because: - we need physical access to two (not one switch) - two cards in station As two cards are possible, that access to two switches in one ie. office is almost impossible. My idea for modification of this attack needs: - two stations to attack by mitm (A and B) - two or more switches with STP protocol - two attacking stations connected to two different switches in way beetween attacked stations (C and D) A ---- switch 1 ----- switch 2 ----- B | | | | C D Take first scenario: 1. A - sends frame to B 2. Switch 1 - accepts frame and forwards it to switch 2 3. Switch 2 - accepts frame via link from switch 1 and forwards it to B Second scenario: 1. Station C and station D starts to send frames to break link beetween switch 1 and switch 2, and announce non existing connection and switch from C port on switch 1 to D port on switch 2 A ---- switch 1 --X-- switch 2 ----- B | | | | C --no conn-- D 2. Station A sends frame to B 3. Frame is forwarded to C station 4. Station C stores frame in memory 5. After equal timing station C and station D repair link beetween switch 1 and 2 6. station C resends stored packet to station D (ie in tunnel or encapsulated in ip packet) 7. stations C and D break link beetween switches 1 and 2 8. station D sends transmitted packet to station B Advantages - no need for one station with two links to two switches - needs two stations, either compromised or not (in large multiswitch enviroment with many stations sometimes we can find in example two compromised windows or linux hosts) - when we have good timing and packet detection method, we can separate one protocol connection from whole traffic Disadvantages of method. - stops whole traffic beetween switches, and needs delicate timing - when link beetween switch 1 and 2 is working we can't see frames that flying across wire Additional information. - timing question, ie - retransmition time beetween tcp frames, and time to break and repair link - is it possible to do it before frame is retransmited? Uh that's all. Please think about it is possible, because my programming skills are to low to make it working. With regards Xperience
