RE: Microsoft Vista's IPv6: Dangerous Information Leak?

["TJ" <trejrco () gmail com>]

Assuming you are not default-denying almost all traffic (and perhaps
proxying most other?) . Yes, all you need to do is block the server traffic
(UDP/3544) ... without which Teredo clients won't establish their tunnel,
and the relays never come into play.  Hopefully, as more firewalls/IDS's
become more IPv6 savvy they will learn to crack open all of the "transition
mechanism" tunnels - Prot41, UDP-encaps, etc . sooner would be better than
later.

 

 

Also, to (hopefully) answer another of Hadmut's original questions - "Am I
correct or did I overlook anything" . the only thing I would add is that
Vista is intended to "just make IPv6 work" for the unmanaged environment,
which it looks to do a decent job of . for better or worse!

 

 

 

To change the topic just a bit - TSP (a la Hexago/Tunnel Broker) can also
traverse NAT via UDP-encapsulation and while it (IIRC) uses UDP/3653 by
default since the TSP client needs to be manually installed anyway someone
could certainly tweak the port# L.

 

 

 

Thanks; and I'd love to hear more on IPv6-related topics/advancements
(offlist if not FD-relevant) . especially any distributed FW/IDS
implementations!

/TJ 

 

PS - The availability of Teredo servers/relays is limited, for now . and the
host needs to be explicitly told the addresses of the server(s), IIRC.

 

 

> -----Original Message-----

> From: Jim Hoagland [mailto:jim_hoagland () symantec com]

> Sent: Wednesday, August 30, 2006 16:30

> To: TJ

> Subject: Re: [Full-disclosure] Microsoft Vista's IPv6: Dangerous

> Information Leak?

>

>

> How do you recommend blocking all Teredo traffic?  Can't Teredo clients

> and relays run on arbitrary ports?

>

> Server-bound traffic is easy to block, assuming they are only on port

> 3544.

>

> Thanks,

>

>   Jim

>

> --

> Jim Hoagland, Ph.D., CISSP

> Principal Security Researcher

> Advanced Threats Research

> Symantec Security Response

>  <http://www.symantec.com> www.symantec.com

>

> On 8/27/06 5:43 PM, "TJ" < <mailto:trejrco () gmail com> trejrco () gmail com>
wrote:

>

> > Yes, Teredo is a concern - both for Vista (V6 enabled by default) and

> > for those who have enabled V6 in WinXP (takes one command) ... or for

> > those who have installed a 'nix Teredo client.  All predicated on

> > Teredo servers + eelays being available, of course.

> >

> > And, for the enterprise / managed env. - easily blockable if you try,

> > even assuming you aren't following a default deny policy :).

> >

> > (BTW - blocking IP prot41 tunnels is also recommended, unless you

> mean

> > to let them out!)

> >

> >

> > /TJ (mobile)

> > PS - there is atleast one other UDP-encapsulating 'transition

> > mechanism' as well ... thinking specifically of TSP.

> >

> > -----Original Message-----

> > From: "Hadmut Danisch" <hadmut () danisch de>

> > To: full-disclosure () lists grok org uk

> > Sent: 08/27/06 06:32

> > Subject: [Full-disclosure] Microsoft Vista's IPv6: Dangerous

> Information Leak?

> >

> > Hi,

> >

> > I haven't been using a Microsoft Windows Vista so far, just read some

> > announcements and white papers. However, it appears to me at a first

> > glance, as if it had a significat information leak.

> >

> > Microsoft introduced a new IPv6 over IPv4 tunneling mechanism called

> > Teredo. (See e.g. RFC 4380). It is somehow similar to 6to4, but the

> > differences are:

> >

> >

> >

> > - IPv6 packages are wrapped in UDP

> >

> > - Thus, they run more easily through Firewalls and NAT devices

> >

> > - You can do it with RFC1918 addresses

> >

> > - In contrast to 6to4 it is intended to be used host-to-host.

> >

> >   While 6to4 is something you would run on your outermost router

> >   (the one with an official IPv4 address) and provide plain IPv6 to

> >   your internal network (then you know what your're doing, you

> >   actively have to configure it), Teredo is designed to run

> >   automatically on the local host. So every desktop machine becomes a

> >   tunneling client.

> >

> >

> >

> >

> > As announced by Microsoft, Teredo is activated by default. Windows

> > Vista will allways prefer IPv6 to IPv4 where possible. So most Vista

> > users, especially common users with network experience, would not

> even

> > realize that they are using IPv6.

> >

> > Most network and security devices, and network admins will not

> realize

> > this either, since they see only plain IPv4 UDP packets. I haven't

> > seen any firewall so far able to unpack Teredo packets.

> >

> >

> > So the implications can be severe. As far as I can see at the moment:

> >

> > - You are using IPv6 without realizing or enabling it.

> >

> > - You are running it from your desktop machine.

> >

> > - You are thus opening a tunnel through your NAT/Firewall device

> >   passing _all_ kind of traffice unfiltered through, no logging.

> >

> > - Many connections (i.e. Teredo-Teredo and Teredo-IPv6) will be

> routed

> >   over a central Teredo server or relay, which is "helping" in the

> >   configuration of the Teredo client and routing Teredo packets to

> >   other Teredo clients or plain IPv6.

> >

> >   So these servers (and thus network devices and IP providers close

> to

> >   the servers) can easily wiretap your traffic.

> >

> > - I guess that every Vista client will try to register at a Teredo

> >   server, so the server will/can generate an almost complete list of

> >   all clients.

> >

> >

> >

> > Can anyone experienced with Windows Vista comment on? Am I correct or

> > did I overlook anything? (Did not have a running Vista yet...)

> >

> >

> > regards

> > Hadmut

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/