EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks

Conference: Black Hat USA 2020

2020-08-06

Summary

The presentation discusses the concept of packet-in-packet attacks and how they can be used to bypass firewalls. The researchers demonstrate how this attack can be carried out on wired networks using an EMP device and a faulty cable.

  • Packet-in-packet attacks can be used to bypass firewalls
  • The attack relies on partially controlled packet payloads and bit flips
  • The attack was first discovered in wireless transmissions but can also be carried out on wired networks
  • The researchers demonstrate the attack using an EMP device and a faulty cable
  • Shielded cables and proper grounding can mitigate the effects of the EMP device

The researchers demonstrate the attack by using an EMP device and a faulty cable to inject packets into a network segment behind a firewall, and show how it can be used to register a search domain on a victim device. They caution that while shielded cables and proper grounding can mitigate the effects of the EMP device, the attack can still be carried out with more power.

Abstract

The concept of physical-layer conditions in which a packet is re-evaluated in transit, leading to a packet-in-packet attack, has been shown in multiple protocols in the past. However, applying this logic to the Ethernet protocol was only considered a theoretical capability. In this talk, we explore various ways in which this attack can become both practical and powerful. Using this attack, we show how an attacker can bypass firewall and NAT solutions, even when targeting networks directly from the Internet. Combining this attack with fringe use cases we discovered in the IPv6 implementations in Windows and Linux, we show how an attacker can use it to establish a man-in-the-middle position on the Internet traffic of a certain organization, through which he can eavesdrop on corporate communications or carry out additional attacks.

Our talk will demonstrate that the set of circumstances in which an Ethernet packet-in-packet condition can occur is much wider than previously considered. We will detail the physical parameters of Ethernet cables in which the likelihood of a bit flip is rather high, and in which this attack can occur within a few minutes. In addition, we will explore the various ways in which interference can be induced in a wide array of Ethernet cable types using certain radio attacks, leading to a remote Ethernet packet-in-packet attack occurring within minutes.

Lastly, we will detail various techniques by which this attack may be triggered from the Internet, in either 1-click attacks that require a user inside the network to click on a certain link, or certain 0-click attacks that work without any user interaction. Once the packet-in-packet attack occurs, the attacker can take over devices using previously discovered vulnerabilities, or establish a MitM position on an organization's Internet traffic.
