[Full-disclosure] Making unidirectional VLAN and PVLAN jumping bidirectional
Andrew A. Vladimirov
mlists at arhont.com
Mon Dec 19 17:27:33 GMT 2005
Arhont Ltd.- Information Security
Arhont Advisory by: Arhont Ltd
Advisory: Making unidirectional VLAN and PVLAN
Class: design bug
Vulnerable protocols: 802.1q, various PVLAN implementations
Model Specific: This is a protocol, and not vendor-specific attack
Wepwedgie, a tool by Anton Rager for traffic injection on 802.11
networks protected by WEP, solves the problem of unidirectional
communication by bouncing packets from the target host to a third
external host under the attackers control. We employ exactly the same
principle to bypass both VLAN and PVLAN network segmentation.
1. Modification of the double-tagging VLAN jumping attack.
The attacker tags his malicious data with two 802.1q tags and sends the
packet with a spoofed source IP of a host under his or her control. This
can be any host to which a valid route from the target VLAN is present,
including an external host on the Internet. The first tag gets stripped
by the switch the attacker is plugged into and the packet is forwarded
to the next switch. The remaining tag contains a different VLAN number,
to which the packet is sent. So, data is forced to pass between the
VLANs. The receiving host will check the source IP of the arriving
packet and send the reply to this IP, which is a host that belongs to
This attack can be launched using Yersinia
2. Modification of the MAC spoofing PVLAN jumping attack.
The attacker sends a packet with a valid source MAC but a spoofed source
IP of a host under his or her control. This can be any host to which a
valid route from the target PVLAN is present, including an external host
on the Internet. The target MAC address is replaced with the one of a
gateway router. A switch would forward such packet to the router, which
will then look at the IP and direct the packet to the target. Of course,
the source MAC of the packet will be replaced by the one of the router,
which would then direct the reply packet from the target to the host
that belongs to the attacker.
This attack can be launched using pvlan.c from the Steve A. Rouiller's
"Virtual LAN Security: weaknesses and countermeasures" GIAC Security
Essentials Practical Assignment.
Note: Such attacks can be used for different purposes from portscanning
to communicating with a backdoor on a different VLAN or PVLAN.
Risk Factor: Medium
Workarounds: There are no direct workarounds. Implement strict egress
filtering against the spoofed packets described.
Communication History: sent to CERT on 17/10/05
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.*
Full-Disclosure is hosted and sponsored by Secunia.