calin radoni's humble web presence

home

docs

toolbox

about

Information Disclosure Vulnerability in the IPv6 stack

Introduction
Affected Operating Systems
Sugested correction
How to test - Quick Start
History
Copyright and License
Disclaimer

Introduction

Finding the alive IPv6 enabled hosts is a laborius process because the address space is huge. Sending an ICMPv6 echo request to each possible address is a time and bandwith consuming opration.
I have observed that by sending a single crafted ICMPv6 echo request packet, all enabled IPv6 hosts in my network have given me responses. In the "IPv4 only" era this was called broadcast ping.

Affected Operating Systems

I have been able to probe the existence of this behaviour against the following operating systems:

Microsoft Windows XP SP2
Microsoft Windows Server 2003 Standard Edition
Fedora Core 5
Open Solaris (Nevada 35)

Sugested correction

To prevent this wrong behaviour the IPv6 stack for the affected operating systems, their IPv6 stack must be modified to respond to ICMPv6 echo request packets only if the destination IPv6 address embedded in the received packet is the same as the host's IPv6 address.
This correction may be applied to other types of packets too.

How to test - Quick Start

Software platform used for scanning:

Microsoft Windows XP SP2 with IPv4 and IPv6 protocols installed
WinPcap version 3.1
CHScanner version 0.8.1.960

IPv6 support for Microsoft Windows XP SP2

To activate the IPv6 support for Microsoft Windows XP SP2 type the following in a command prompt:

ipv6 install

IPv6 support for Microsoft Windows Server 2003

To activate the IPv6 support for Microsoft Windows Server 2003 type the following in a command prompt:

netsh interface ipv6 install

If the machine also has the DNS server installed you could make him IPv6 aware by typing the following in a command prompt:

dnscmd /config /EnableIPv6 1

IPv6 support for Fedora Core 5

In Fedora Core 5 the IPv6 support has been installed (in my case) by default.

IPv6 support for OpenSolaris

In OpenSolaris to activate the IPv6 support type the following in a shell :

ifconfig <interfaceName> inet6 plumb up

On a Windows XP SP2 machine, if not installed, install WinPcap.
Download and install CHScanner (In the current version, 0.8.1.960, install means to unzip the archive). Launch CHScanner from a folder where you have write permissions and execute the following actions:

click the Scan button
click the Examples button
double-click the "Ex: IPv6 Broadcast Ping" entry

Shortly, the result(s) should be displayed in the Map window. By selecting one of the entries displayed in the Map window the details should be displayed (where else ?) in the Details window.

History

03 May 2005, First version.

Copyright and License

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution, the author do not take any responsibility.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Hosted on http://www.oocities.org/calinradoni

Last page modification is 03 May 2006