[ipv6hackers] Windows ping6-of-death
Fernando Gont
fgont at si6networks.com
Wed Aug 14 10:11:39 CEST 2013
On 08/14/2013 03:32 AM, Pierre Emeriaud wrote:
> Hello Marc, all,
>
> 2013/8/14 Marc Heuse <mh at mh-sec.de>:
>> hi guys,
>>
>> this month's Microsoft Windows security patches include one that fixes a
>> ping-of-death style ICMPv6 denial of service vulnerability.
>> does anyone have more information on what that attack/packet looks like?
>
> From the Sourcefire Vulnerability Research Team blog[0]:
>
> "The second vulnerability (CVE-2013-3183) is in the ICMPv6
> implementation (MS13-065) and can also result in a system crash if an
> attacker sends a maliciously crafted ICMPv6 Router Advertisement packet
> that contains an invalid prefix length field."
>
> "We are releasing rules SID 27605-27616, 27618-27620 and 27624 to
> address these issues."
Thanks for the info!
Ironically enough, they are vulnerable to attack because they don't
enforce sanity checks, and the ra6 tool of the IPv6-Toolkit cannot
exploit this attack because it enforces sanity checks on the Prefix
lengths given by the user. :-)
Now MS has incorporated sanity checks to mitigate the attack, and I'll
remove them so that ra6 can be used to exploit it. :-)
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
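
Added example, not part of the original message and not code from ra6, Windows or the Sourcefire rules: a receive-side sanity check for the Prefix Information option of a Router Advertisement, using the RFC 4861 bounds (option Length of 4, Prefix Length of 0 to 128). Treating "invalid prefix length" as a value above 128 is an assumption, and the function names and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from RFC 4861 (Neighbor Discovery) */
#define ND_ROUTER_ADVERT  134
#define RA_FIXED_LEN      16   /* ICMPv6 header (4) + fixed RA fields (12) */
#define OPT_PREFIX_INFO   3
#define PREFIX_INFO_BYTES 32   /* option Length field must be 4 (units of 8) */
#define MAX_PREFIX_LEN    128

enum ra_verdict { RA_OK, RA_NOT_RA, RA_TRUNCATED, RA_BAD_OPT_LEN, RA_BAD_PREFIX_LEN };

/* Walk the options of one RA; icmp points at the ICMPv6 header. */
enum ra_verdict check_ra(const uint8_t *icmp, size_t len)
{
    if (len < RA_FIXED_LEN) return RA_TRUNCATED;
    if (icmp[0] != ND_ROUTER_ADVERT) return RA_NOT_RA;
    size_t off = RA_FIXED_LEN;
    while (off < len) {
        if (len - off < 2) return RA_TRUNCATED;
        size_t optlen = (size_t)icmp[off + 1] * 8;
        if (optlen == 0) return RA_BAD_OPT_LEN;        /* zero-length option */
        if (optlen > len - off) return RA_TRUNCATED;   /* runs past the packet */
        if (icmp[off] == OPT_PREFIX_INFO) {
            if (optlen != PREFIX_INFO_BYTES) return RA_BAD_OPT_LEN;
            if (icmp[off + 2] > MAX_PREFIX_LEN) return RA_BAD_PREFIX_LEN;
        }
        off += optlen;
    }
    return RA_OK;
}

/* Constructed sample: RA carrying one Prefix Information option for 2001:db8:: */
enum ra_verdict check_sample(uint8_t prefix_len, uint8_t opt_units)
{
    uint8_t ra[RA_FIXED_LEN + PREFIX_INFO_BYTES] = {0};
    ra[0] = ND_ROUTER_ADVERT;
    ra[16] = OPT_PREFIX_INFO;
    ra[17] = opt_units;      /* option Length, in units of 8 bytes */
    ra[18] = prefix_len;     /* Prefix Length field under test */
    ra[32] = 0x20; ra[33] = 0x01; ra[34] = 0x0d; ra[35] = 0xb8;
    return check_ra(ra, sizeof ra);
}

int main(void)
{
    printf("/64: %d  /129: %d\n", check_sample(64, 4), check_sample(129, 4));
    return 0;
}
```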