The MAC address table mappings on switches have absolutely no effect on
this. The switch still sees the offending machine as having the correct
MAC address and the victim as having the correct MAC address. This
exploit works due to the ARP cache poisoning of the victim as discussed
in this thread.

You prevent this from happening like you do other exploits. Use an IDS.
One that detects these ARP flip-flops.

-Shannon

-----Original Message-----
From: Anthony Kim [mailto:Anthony.Kim (at) VW (dot) COM [email concealed]]
Sent: Thursday, February 13, 2003 12:43 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Windows 2000 Static arp not static

On Thu, Feb 13, 2003, Tim Habex wrote:

> Dear all,
>
> I am quite new to this. I posted this on bugtraq first, but
> David Ahmad asked to post it in FOCUS-MS and vuln-dev. So here
> I go :o)
>
> This is the setup : 1 Windows 2000 Professional (SP3) 1 Linux
> Slackware (gateway) 1 Debian Linux 1 switch
>
> (The linux distro's doesn't really matter)
>
> When using ethercap on the network from de Debian machine, I
> was able to see and control all trafic. (nothing new right?)
> Ethercap is doing this by making the network believe everything
> should be sent to the MAC-address of the ethercap machine which
> in my case was the Debian machine.

> To prevent this behaviour, I setup static routes both on the
> gateway and the Windows machine. Yet I didn't get the result I
> was expecting. I was still able to see packets on the Debian
> machine, yet I was no longer able to control the packets.

Because arp happens before routing, I'm not sure how much static
routes will get you, unless you meant static arp entries.

> When I looked at the arp cache of Linux, the static entry was
> there and working (?), but on the Windows machine, THE VALUE OF
> THE STATIC ARP WAS CHANGED. When ethercap was disabled, the
> static arp entry was returned to the original value.

I wouldn't be surprised if this was still true. (Won't test here
at work ;-)

It was a deficiency back in the NT days that caused all sorts of
problems for software firewalls requiring an arp proxy.
(Checkpoint anyone?)

> Meaning Windows 2000 desktops (and servers?) can always be
> sniffed even when using a switch. On top of that, your network
> is probably vulnerable to the man-in-the-middle attacks if
> you're relying on MS-technology only. I don't know if they are
> still vulnerable to a man-in-the-middle attack if you're using
> eg. a Linux router with static routes. My "hacking" knowlege is
> quite limited. But I can imagine there are people who know how
> to gain from this "feature".

Most people would lock arp tables on the switch and not on the
host. If you're relying on MS-technology only, you probably have
a boatload of other problems to take care of... ;-)

[ reply ]