26C3: Network design weaknesses

At the 26th Chaos Communication Congress (26C3) in Berlin, security researcher Fabian Yamaguchi demonstrated a number of vulnerabilities that can apparently be found in many average communication networks and affect all levels from the access layer to the application layer. Attackers exploit many minor design flaws which allow "dangerous attacks" when combined, explained the Berlin-based security expert who last year investigated vulnerabilities in the basic TCP internet protocol. Overall, the "bugs" can reportedly be exploited to hijack a proxy server such as Squid and control all of the network traffic that flows through it.

Yamaguchi explained that typical corporate networks, for instance, include a "demilitarised zone" (DMZ) with restricted access to the connected servers. Attackers who compromise a system within this zone have no access to local networks yet, said the researcher. This requires getting over a firewall, he added. It therefore makes little sense to directly attack a machine installed in this zone, said Yamaguchi. A detour via one of the system's clients, which are surrounded by a "zoo of technologies" such as Flash, media players or chat systems, tends to be the much more promising option.

To demonstrate, "fabs" chose the Pidgin instant messaging software, where emoticons in MSN Chat are apparently known to be particularly vulnerable to attacks. According to the security expert, the software's "shoddy" protocol replaces character strings and word strings with images, allowing a more or less unrestricted variety of symbols to be displayed. The protocol's flawed encoding of a text in binary enabled Yamaguchi to download an executable program and eventually gave the researcher a first foothold in the network.

Next, the expert reportedly took a step back onto the access layer to target a driver for an ethernet network card in order to gain access to the network layer. He said that, in this case, he found a flaw in the way a e1000 Linux driver for Intel devices establishes the maximum packet or frame size, which is also called the Maximum Transmission Unit (MTU). This flaw reportedly involves the inability to securely differentiate in any circumstance between "jumbo frames" for gigabit ethernet and their counterparts in networks with lower transmission rates. Furthermore, all the pertinent security advisories released by Intel and Red Hat apparently misinterpreted the flaw, allowing the firewall to be overcome as well.

The hacker's last step for gaining control of the network's web traffic was apparently made easier because the Squid server in question also stores the Domain Name System (DNS) traffic in a 24-hour cache. Yamaguchi said that the authentication used in the process has been frequently criticised because attackers only need to find 32 matching bits to hack it. Using targeted requests, the researcher reportedly managed to trigger a cache confusion and find an exploitable open port. Finally, a flawed TCP implementation allowed the hardware filter to be bypassed by transmitting a sequence of useless patches. Yamaguchi concludes: "Isolated vulnerabilities don't exist." The expert said that the security of network components depends on that of their respective environments.

(Stefan Kermpl)

(djwm)