放大和摧毁：发现和利用易受攻击的隧道主机.pdf

1、#BHUSA BlackHatEvents#BHUSA BlackHatEventsAmplify and Annihilate:Discovering andExploiting Vulnerable Tunnelling HostsAngelos Beitis,Mathy Vanhoef1#BHUSA BlackHatEvents2#BHUSA BlackHatEventsIntroduction3#BHUSA BlackHatEventsIPPayloadEncapsulatorDecapsulator4#BHUSA BlackHatEventsIPPayloadEncapsulator

2、Decapsulator5#BHUSA BlackHatEventsIPPayloadEncapsulatorDecapsulator6#BHUSA BlackHatEventsIPPayloadEncapsulatorDecapsulator7#BHUSA BlackHatEventsAuthenticationEncryptionData Integrity8#BHUSA BlackHatEventsCVE-2020-101369#BHUSA BlackHatEventsCVE-2020-10136IP-in-IP protocol specifies IP Encapsulation w

3、ithin IP standard(RFC 2003,STD 1)that decapsulate and route IP-in-IP traffic is vulnerable to spoofing,access-control bypass and other unexpected behavior due to the lack of validation toverify network packets before decapsulation and routing.Reported by:Yannay Livneh10#BHUSA BlackHatEventsABIP(A B)

4、IP(B C)Payload11#BHUSA BlackHatEventsABIP(A B)IP(B C)Payload12IP(A B)IP(B C)Payload#BHUSA BlackHatEventsAB13#BHUSA BlackHatEventsABIP(B C)Payload14#BHUSA BlackHatEventsIP(B C)PayloadBC15#BHUSA BlackHatEventsIP(B C)PayloadBC16#BHUSA BlackHatEventsIP(SPOOFED C)PayloadBCPayload17#BHUSA BlackHatEventsBC

5、IP(SPOOFED C)PayloadPayload18#BHUSA BlackHatEvents2020:150k vulnerableCisco NX-OS Software vulnerable by default19#BHUSA BlackHatEvents20#BHUSA BlackHatEventsThe Culprits21#BHUSA BlackHatEventsThe CulpritsIPIPGRE6in44in622#BHUSA BlackHatEventsIPIPOuter IPInner IPPayloadNo encryptionNo authentication

6、 23#BHUSA BlackHatEventsIPIPGRE6in44in624#BHUSA BlackHatEventsGREOuter IPL2/L3PayloadGRE HeaderAdds GRE headerCan encapsulate L2/L34-byte optional key field25#BHUSA BlackHatEventsIPIPGRE6in44in626#BHUSA BlackHatEvents6in4 4in6Outer IPXInner IPYPayloadTransition to IPv6IPX packet in IPYnetworks27sysc