Re: Ping a mac address

From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Sun Dec 04 2005 - 17:07:54 EST


Actually, I've been playing with it since we've been talking about it, and I
now agree with Cedric too ;)

The stack must be specifically designed to grab the destination address from
the received frame and set it as the source in the reply packet in the
absence of an "already assigned" IP in the config. I had an extra camera in
the closet (bad color element, but it still works). I powered it up, added
the MAC to an arbitrary IP via static ARP, and captured the traffic while
connecting. The reply packet did indeed come *from* the arbitrary IP
address during the 3-way and all subsequent HTTP replies. When I went to
config it, it already had the arbitrary IP in place. Upon saving the
config, I could remove the static entry and get to the unit with normal
dynamic resolution.

Interesting thing is that at that point, the only way I could get to the
unit was via the now "bound" IP, even if I assigned a different arbitrary IP
via ARP and deleted the other entry. Looks like I would have to reset the
config in order to do it again. I guess that's a good thing ;)

So, it looks like I was a bit too quick to reference my "magic arbitrary IP
via ARP" method :-p

t

----- Original Message -----
From: "Dario Ciccarone (dciccaro)" <dciccaro@cisco.com>
To: "Cedric Blancher" <blancher@cartel-securite.fr>; "Thor (Hammer of God)"
<thor@hammerofgod.com>
Cc: "Roni Bachar" <roni@avnet.co.il>; <pen-test@securityfocus.com>
Sent: Sunday, December 04, 2005 1:47 PM
Subject: RE: Ping a mac address

>
> > For instance, I have a few IP cameras around my infrastructure... If
> > I add a static ARP entry for the MAC to some arbitrary IP (that's still on
> > my subnet) I can use that arbitrary IP to access the unit's HTTP
> > configuration... works just fine.
>
> You're lucky to be facing these non-RFC-compliant devices :)))

Agree with Cedric here. Which opens another issue: say your device's
assigned IP address is 1.2.3.4, MAC A, and the device also allows you to
configure access control based on IP address - this would probably allow
you to bypass those controls.

But - iff the IP stack is so dumb, which source address does it use to
reply? The real IP address configured on its interface? Or it just swaps
SRC/DST on the original packet? That would allow 2-way communications.

Guess it works on Axis cameras at least, if you're able to do the 3-way
and actually configure them ;)

Dario
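What the two posts describe, at the packet level, as an added example that is not part of the original thread: a Python model (written for this page, not the firmware of any camera) of an RFC-style stack that only answers on its configured address, beside the unconfigured stack Thor observed, which swaps src/dst and binds the address once the config is saved. The static ARP table, the 192.0.2.0/24 addresses and the MACs are constructed; the "save config" binding step is modeled from Thor's description, not from any vendor documentation.

```python
"""Packet-level model of the thread's experiment: a static ARP entry maps the
camera's MAC to an arbitrary IP, a SYN goes out, and we look at where the SYN-ACK
comes from. Both stacks are toy models for this example, not any real firmware."""
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
HOST_MAC, CAMERA_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 when run over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}

def build_tcp(sport, dport, seq, ack, flags) -> bytes:
    # 20-byte header, no options; TCP checksum left 0, nothing in the model checks it
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def build_ethernet(dst_mac: str, src_mac: str, ip_pkt: bytes) -> bytes:
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + b"\x08\x00" + ip_pkt  # 0x0800 = IPv4

class CompliantStack:
    """Answers only for the address on its interface, and always replies from it."""
    def __init__(self, mac, configured_ip):
        self.mac, self.configured_ip = mac, configured_ip
    def handle(self, frame):
        ip = parse_ipv4(frame[14:])
        if ip["dst"] != self.configured_ip:
            return None  # not addressed to us: silently dropped
        return self._synack(frame, ip, self.configured_ip)
    def _synack(self, frame, ip, src_ip):
        tcp = parse_tcp(ip["payload"])
        if not tcp["flags"] & TCP_SYN:
            return None
        seg = build_tcp(tcp["dport"], tcp["sport"], 1000, tcp["seq"] + 1, TCP_SYN | TCP_ACK)
        return build_ethernet(frame[6:12].hex(":"), self.mac, build_ipv4(src_ip, ip["src"], seg))

class UnconfiguredStack(CompliantStack):
    """Models what Thor saw: with no IP assigned yet, the reply's source is whatever
    destination the SYN carried (src/dst swapped); saving the config binds it."""
    def __init__(self, mac):
        super().__init__(mac, None)
        self.last_dst = None
    def handle(self, frame):
        if self.configured_ip is not None:
            return CompliantStack.handle(self, frame)  # once bound, no more magic
        ip = parse_ipv4(frame[14:])
        self.last_dst = ip["dst"]
        return self._synack(frame, ip, ip["dst"])
    def save_config(self):
        self.configured_ip = self.last_dst

def send_syn(static_arp, host_ip, target_ip, device):
    """Host resolves target_ip via its static ARP table (the 'arp -s' entries),
    sends a SYN to port 80 and returns the parsed reply, or None if none came."""
    if target_ip not in static_arp:
        return None  # nothing to resolve against, so no frame ever leaves the host
    syn = build_ipv4(host_ip, target_ip, build_tcp(40000, 80, 7, 0, TCP_SYN))
    reply = device.handle(build_ethernet(static_arp[target_ip], HOST_MAC, syn))
    if reply is None:
        return None
    ip = parse_ipv4(reply[14:])
    return {"reply_src": ip["src"], "reply_dst": ip["dst"],
            "flags": parse_tcp(ip["payload"])["flags"]}

def run_experiment():
    host, arb, other = "192.0.2.1", "192.0.2.77", "192.0.2.88"  # constructed addresses
    arp = {arb: CAMERA_MAC, other: CAMERA_MAC}  # both arbitrary IPs point at the camera's MAC
    cam = UnconfiguredStack(CAMERA_MAC)
    results = {"compliant": send_syn(arp, host, arb, CompliantStack(CAMERA_MAC, "192.0.2.10")),
               "unconfigured": send_syn(arp, host, arb, cam)}
    cam.save_config()  # 'save' in the web UI: the arbitrary IP becomes the bound one
    results["after_save_other"] = send_syn(arp, host, other, cam)
    results["after_save_bound"] = send_syn(arp, host, arb, cam)
    return results
```

Calling run_experiment() gives the four outcomes the thread walks through: the compliant stack never answers a SYN to the arbitrary address, the unconfigured one answers from that address (Dario's src/dst swap, so the handshake completes and HTTP works), and after save_config() only the bound address gets a reply, which matches what Thor reports in his second paragraph. On a real host the static_arp dict is `arp -s <ip> <mac>` on Windows or BSD and `ip neigh replace <ip> lladdr <mac> dev <if> nud permanent` on Linux, with a capture filtered on the camera's MAC to confirm the reply source the same way.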




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:14 EDT