ARP issue

To: debian-security@lists.debian.org
Subject: ARP issue
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Mon, 29 Nov 2004 15:29:42 +0100
Message-id: <41AB3256.6090704@mnemon.de>

Hi all,

while playing with nemesis and arp I stumbled across an old issue whichI thought is solved.Searching the list archives gave me no answer, so sorry if this istotally outdated. In fact, it is

the old arp cache spoofing / poisoning thing.

I sent a crafted arp reply to a linux box with the meaning

"Hey, localhost is at <some_spoofed_mac_address>". Looking in the arpcache on this box,I saw that this spoofed mac address was accepted as the boxes newmac-address for

localhost on eth1. This means to me:

1.) There are no checks about arp packages.
2.) Nobody keeps track of  the balance between arp requests and replies
     (why accepting a reply without having sent a request before ?).
3.) All the usual arp attacks are possible.

Ok, this is an old box with kernel 2.4.19 (and isn't used for production).

Question: Does anybody know wether this changed with newer kernels ? Andif not - why not ?


Thanks in advance and have a nice time

Joerg

Reply to:

Follow-Ups:
- Re: ARP issue
  - From: Jan Minar <jjminar@FastMail.FM>

Prev by Date: Re: [SECURITY] [DSA 599-1] New tetex-bin packages fix arbitrary code execution
Next by Date: Re: ARP issue
Previous by thread: Re: [SECURITY] [DSA 599-1] New tetex-bin packages fix arbitrary code execution
Next by thread: Re: ARP issue
Index(es):
- Date
- Thread