Thursday, July 05, 2007 12:05 PM/EST

Code Insertion Through ARP Spoofing

Once you've got control of a system inside a network, it's amazing what you can do with it. Neil Carpenter of Microsoft's Security Incident Response team recently ran into an example of a particularly powerful and scary attack using ARP cache poisoning.

In their case, users inside the network were having an IFRAME tag inserted into their Web page requests. The IFRAME, of course, pointed to a page with malicious software, specifically an exploit of the MS07-17 JPG vulnerability. How was it being inserted? They were able to determine that it came from the local network (read the linked post for details; it is interesting) and eventually narrowed it down to a specific system.

On this system they found WinPcap and other legitimate, free hacking software that can perform sophisticated network attacks. In this case, the system was ARP spoofing to make itself the LAN gateway. This made it a "man in the middle" for Web requests, and it could insert the IFRAME into responses.

At first this looks like something that will be very difficult to detect, but I'm not so sure. An IPS should be able to examine MAC addresses on the network periodically to see whether the hardware behind an address is changing in suspicious ways, just as in the article, where they saw that the NIC at the gateway's address wasn't what it should have been.
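One way to turn that idea into a check is to snapshot the local ARP/neighbour table and compare it against a known-good baseline, keying on the IP-to-MAC mapping itself rather than on the NIC vendor (an attacker chooses the MAC, so the vendor prefix is not trustworthy evidence). The script below is an added example, not code from the eWeek post or from Microsoft's write-up; the two snapshots are constructed and mimic the line format of `ip neigh show`, and the gateway address is an assumed value.

```python
"""Detect ARP cache poisoning symptoms by comparing neighbour-table snapshots.
Added example (not from the eWeek post). Indicators used: the gateway IP
resolving to a different MAC than the baseline, any host's MAC changing,
and one MAC answering for several IPs. Input mimics `ip neigh show`;
both snapshots below are constructed."""
import re
from collections import defaultdict

# Constructed baseline snapshot: the expected state of the LAN.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.21 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
192.168.1.99 dev eth0 FAILED
"""

# Constructed later snapshot: the gateway IP now resolves to host .21's MAC.
LATER = """\
192.168.1.1 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
192.168.1.20 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.21 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
"""

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for this example

LINE_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr ([0-9a-fA-F:]{17}))? \S+$")


def parse_neigh(text):
    """Return {ip: mac} from ip-neigh style output. Entries without a
    link-layer address (FAILED/INCOMPLETE) carry no evidence and are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) is None:
            continue
        table[m.group(1)] = m.group(3).lower()
    return table


def find_anomalies(baseline, later, gateway_ip):
    """Compare two snapshots; return a list of (indicator, detail) tuples."""
    alerts = []
    # 1. The gateway IP is now answered by a MAC other than the known-good one.
    if gateway_ip in baseline and gateway_ip in later and baseline[gateway_ip] != later[gateway_ip]:
        alerts.append(("gateway_mac_changed",
                       f"{gateway_ip}: {baseline[gateway_ip]} -> {later[gateway_ip]}"))
    # 2. Any other host whose MAC differs from the baseline mapping.
    for ip, mac in later.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            alerts.append(("mac_changed", f"{ip}: {baseline[ip]} -> {mac}"))
    # 3. One MAC claiming several IPs: the poisoning host answers for the
    #    gateway as well as for itself.
    by_mac = defaultdict(list)
    for ip, mac in later.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac_claims_multiple_ips", f"{mac}: {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in find_anomalies(parse_neigh(BASELINE), parse_neigh(LATER), GATEWAY_IP):
        print(f"[ALERT] {kind}: {detail}")
```

Run periodically from a monitoring host, this flags the exact symptom in the article: the gateway address suddenly answered by a MAC that also belongs to an ordinary workstation. The multiple-IPs rule needs an allow-list on networks that legitimately share a MAC across addresses (proxy ARP, VRRP/HSRP virtual routers), or it will page you for normal behaviour.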

I should follow up with IPS vendors on this.


Comments (3)

ARP poisoning based man-in-the-middle attacks are terribly dangerous. We sometimes use them to demonstrate how vulnerable network security can be to skeptical clients. They are also cumbersome to prevent - locking down ports to MAC addresses is a management nightmare.

We think we have come across a way to defeat them in a manageable and thus safe and affordable manner. We are experimenting with integrating the open source ISCS network security management project (iscs.sourceforge.net) with 802.1x. This allows us to grant network access on an as needed basis within the LAN (rather than VLAN based defenses). In other words, specific users are only allowed to specific services.

As a result, although we cannot stop the actual ARP poisoning, we can prevent the user from inserting themselves into the data stream, i.e., thwart the man-in-the-middle part. The same approach also stops LAN based worms even on and against unpatched computers.

We hope to have a working prototype within a few weeks and then hope to work on partnering with our various switch vendors to integrate the technology.

Thanks for making others aware of this very dangerous type of attack.

Alan :

John,

"IPS should be able to examine MAC addresses on the network periodically to see if the types of hardware are changing in suspicious ways, just as in the article when they saw that the NIC in the gateway wasn't what it should have been."

The attacker can set his MAC to be anything he wants, including the same vendor as the "expected" return value, so this is not a valid detection mechanism.

We have developed a Windows application that will pinpoint the IP address of the computer spoofing ARP. And we decided to release the tool as freeware.

You can download ARProtect from www.netoptima.in/arprotect
