This article was prepared by Alexander Kolesnikov as part of the enrolment for a new run of the “Network engineer” course.
IPv6 is the protocol used for addressing in modern networks. In this article we look at several scenarios in which its features lead to exploitable vulnerabilities.
The protocol has a rather complex structure and flexible capabilities. Its full description can be found in RFC 8200. The features we will be interested in are:
address types: unicast, anycast and multicast;
the protocol is integrated into operating systems;
special packets (jumbograms) that can carry payloads of up to 4 GB.
The ability to carry huge packets is the most striking feature, but because of the many additions to the packet structure it becomes a very awkward object for applications to parse. The following vulnerabilities confirm this:
And this is not a complete list, since only the most popular software and hardware solutions were taken. What can these vulnerabilities lead to? In all the examples above, the outcome is DDoS: operating systems go into exceptional states (BSOD, kernel panic), and devices restart or partially fail.
What are the main problems? Almost always, the vulnerabilities stem from the fact that the algorithms that process network traffic do not expect fragmentation mechanisms to be used or large amounts of data to be transferred.
A small example from the list above is CVE-2021-24086. According to this repository, the problem lies in the processing of jumbograms.
If you refer to RFC 8200, you can find a description of the special fields of the IPv6 protocol:
From the figure you can see that all the headers follow one another in a chain: each header states which header comes next. It might seem that these are all the features the protocol has, but if you read further you will find that special data can be added together with the Extension Headers: padding used for alignment. Referring to the same repository that describes the vulnerability, you can find the script used to confirm that the vulnerability exists:
...
reassembled_pkt = IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
    ]) / IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
    ]) / IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
    ]) / ...
The packet fragment above contains data interspersed with Extension Headers and alignment padding. Such a structure is unlikely to be used for legitimate data transfer, but the rules of the protocol still allow it.
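Walking the header chain the way RFC 8200 lays it out shows both why a fragment like the one above is hard to parse and how it can be recognised in traffic. The following Python is an added example, not code from the article or from the repository it cites: it implements the RFC 8200 header layout (Next Header and Hdr Ext Len in every extension header, a fixed 8-byte Fragment header, Pad1/PadN options inside Hop-by-Hop and Destination Options), counts extension headers and padding bytes, and flags a chain that is mostly padding. The sample packet, built in the same shape as the fragment above with seven PadN options per Destination Options header, and the alert thresholds are constructed for the demonstration.

```python
"""Walk an IPv6 extension-header chain and measure how much of it is padding.

Added example, not code from the article or from the CVE-2021-24086 repository
it cites. Layout per RFC 8200: each extension header starts with Next Header
(1 byte) and Hdr Ext Len (1 byte, in 8-octet units, excluding the first 8);
the Fragment header is a fixed 8 bytes; Hop-by-Hop and Destination Options
carry TLV options, among them Pad1 (type 0) and PadN (type 1).
Sample packets and alert thresholds are constructed for the demonstration.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, UDP = 0, 43, 44, 60, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
OPTION_HEADERS = {HOP_BY_HOP, DEST_OPTS}


def parse_options(area):
    """Return (option_count, padding_bytes) for the TLV option area of a header."""
    count = padding = i = 0
    while i < len(area):
        opt_type = area[i]
        if opt_type == 0:                      # Pad1: one byte, no length field
            padding += 1
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option")
        opt_len = area[i + 1]
        if i + 2 + opt_len > len(area):
            raise ValueError("option runs past the header")
        if opt_type == 1:                      # PadN: type, length, opt_len bytes
            padding += 2 + opt_len
        count += 1
        i += 2 + opt_len
    return count, padding


def walk_extension_headers(pkt):
    """Summarise the header chain that follows the fixed 40-byte IPv6 header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    # Payload Length 0 means a jumbogram whose real length lives in a
    # Hop-by-Hop option; this example falls back to the captured size.
    end = IPV6_HDR_LEN + payload_len if payload_len else len(pkt)
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    summary = {"ext_headers": 0, "options": 0, "padding_bytes": 0}
    while next_hdr in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("extension header truncated")
        hdr_len = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header runs past the payload")
        if next_hdr in OPTION_HEADERS:
            n, pad = parse_options(pkt[off + 2:off + hdr_len])
            summary["options"] += n
            summary["padding_bytes"] += pad
        summary["ext_headers"] += 1
        next_hdr, off = pkt[off], off + hdr_len
    summary["upper_layer"] = next_hdr
    summary["upper_layer_offset"] = off
    return summary


def is_suspicious(summary, max_ext_headers=4, max_padding_ratio=0.5):
    """Flag chains that are unusually deep or consist mostly of padding.
    Thresholds are constructed here; tune them to the traffic actually seen."""
    chain_len = summary["upper_layer_offset"] - IPV6_HDR_LEN
    ratio = summary["padding_bytes"] / chain_len if chain_len else 0.0
    return summary["ext_headers"] > max_ext_headers or ratio > max_padding_ratio


def padn(n):
    """One PadN option with n data bytes (n <= 255), the shape the PoC repeats."""
    return bytes([1, n]) + b"\x00" * n


def dest_opts_header(next_hdr, options):
    """Destination Options header, option area padded to a multiple of 8 octets."""
    fill = (-(2 + len(options))) % 8
    if fill == 1:
        options += b"\x00"                     # Pad1
    elif fill > 1:
        options += padn(fill - 2)
    return bytes([next_hdr, (2 + len(options)) // 8 - 1]) + options


def build_sample_packet(n_headers=3, padn_count=7, padn_len=0xff):
    """Constructed packet: n_headers Destination Options headers of PadN, then UDP."""
    opts = b"".join(padn(padn_len) for _ in range(padn_count))
    chain = b"".join(
        dest_opts_header(DEST_OPTS if i < n_headers - 1 else UDP, opts)
        for i in range(n_headers))
    payload = chain + b"\x00" * 8              # placeholder UDP header
    first = DEST_OPTS if n_headers else UDP
    fixed = struct.pack("!BBHHBB", 0x60, 0, 0, len(payload), first, 64)
    src = ipaddress.IPv6Address("fe80::1").packed   # constructed addresses
    dst = ipaddress.IPv6Address("fe80::2").packed
    return fixed + src + dst + payload
```

Running `is_suspicious(walk_extension_headers(build_sample_packet()))` returns True for the PadN-heavy chain and False for a plain UDP packet (`n_headers=0`); the ratio threshold does the work here, since three headers is not unusual on its own.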
An interesting feature of the protocol is the ability to use special addresses to find machines and devices on the network. Thanks to multicast, you can learn about the topology and roles of network nodes. Addresses that can be used:
All nodes on the local network segment
All routers on the local network segment
OSPFv3 All SPF routers
OSPFv3 All DR routers
IS-IS for IPv6 routers
All DHCP servers and relay agents on the local network segment
All LLMNR hosts on the local network segment
All DHCP servers (site-local scope)
Simple Service Discovery Protocol
Network Time Protocol
Network Information Service
Precision Time Protocol (PTP) version 2 messages except peer delay measurement
Precision Time Protocol (PTP) version 2 peer delay measurement messages
Any operating system has both IPv4 and IPv6 on its interfaces, and unless it is configured otherwise the default prioritisation is such that IPv6 is used first.
The most popular tool for compromising this default configuration is mitm6. Using IPv6 protocol features, the tool changes the DNS server configuration of operating systems, so mitm6 can be used to create the conditions for Man-in-the-Middle attacks in networks with IPv6.
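The change mitm6 makes can be caught on the wire. mitm6 relies on answering DHCPv6 on the local segment so that hosts install it as their DNS server (that mechanism is known from the tool itself, not stated in the article). The following Python is an added example, not code from the article or from mitm6: it decodes the DNS Recursive Name Server option (option code 23, RFC 8415) from DHCPv6 Advertise and Reply messages and reports any server that is not on an allow-list, which is the check a monitoring sensor on the segment would run. The allow-list and the sample messages are constructed for the demonstration.

```python
"""Check the DNS servers a DHCPv6 Advertise/Reply hands out against an allow-list.

Added example, not code from the article or from mitm6. DHCPv6 (RFC 8415):
msg-type (1 byte), transaction-id (3 bytes), then options of the form
option-code (2 bytes), option-len (2 bytes), data. Option 23 carries a list of
16-byte DNS server addresses. Allow-list and sample messages are constructed.
"""
import ipaddress
import struct

SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_DNS_SERVERS = 23
ALLOWED_DNS = ["2001:db8::53"]          # constructed allow-list of sanctioned resolvers


def parse_dhcpv6(payload):
    """Return (msg_type, transaction_id, {option_code: [raw data, ...]})."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message too short")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options = {}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("option data runs past the message")
        options.setdefault(code, []).append(data)
        off += 4 + length
    return msg_type, xid, options


def dns_servers(options):
    """Decode every address carried in option 23 (16 bytes each)."""
    servers = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        if len(data) % 16:
            raise ValueError("DNS server option length is not a multiple of 16")
        for i in range(0, len(data), 16):
            servers.append(ipaddress.IPv6Address(data[i:i + 16]))
    return servers


def rogue_dns_servers(payload, allowed):
    """Return advertised DNS servers that are not on the allow-list.

    Only Advertise and Reply carry server-to-client configuration, so any
    other message type yields an empty list.
    """
    msg_type, _, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(s) for s in dns_servers(options) if s not in allowed]


def build_message(msg_type, xid, servers):
    """Minimal DHCPv6 message carrying only option 23 (constructed sample)."""
    data = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    opt = struct.pack("!HH", OPTION_DNS_SERVERS, len(data)) + data
    return bytes([msg_type]) + xid.to_bytes(3, "big") + opt
```

`rogue_dns_servers(build_message(REPLY, 0x1234, ["2001:db8::53"]), ALLOWED_DNS)` returns an empty list, while an Advertise that lists a link-local address the allow-list does not contain returns that address; a Solicit is ignored because clients, not servers, send it.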
As the examples show, using the protocol requires special attention when configuring device interfaces and operating systems. A network engineer should therefore set up continuous monitoring of vulnerability data for the network stacks of devices and operating systems, in order to maintain the required level of network security against newly emerging threats. This can be done through services such as this one.
We invite everyone to the Demo Day of the “Network engineer” course. At this meeting you will be able to meet the teacher, learn more about the programme and the training format, and ask all your questions. Registration for the event is here.