ETHEROOPS

General Overview

The Armis research team has discovered novel methods to exploit a vulnerability in Ethernet cables, which was previously considered non-exploitable. Dubbed “EtherOops,” the attack vector includes methods to exploit packet-in-packet attacks in Ethernet cables. These methods can be used to bypass perimeter security devices such as firewalls and NATs. Bypassing these defenses can allow attackers to mount various attacks to:

• Penetrate networks directly from the Internet
• Penetrate internal networks from a DMZ segment
• Move laterally between various segments of internal networks

Although this attack vector is complicated, and would likely be exploited by sophisticated attackers (such as nation-state actors), it targets the most basic element that is used in all networks – the Ethernet cable. In some ways, the Ethernet packet-in-packet attack may resemble some of the traits that are sometimes attributed to speculative execution vulnerabilities. On one hand — it is a very complicated attack that requires certain prerequisites to pull off. But on the other hand, an attack that targets a fundamental component which we fully trust in our digital lives — the CPU itself, in the case of speculative execution vulnerabilities, and the Ethernet cables used in our networks, in the case of EtherOops. Both attacks require some ingenuity to pull off, but if successful an attacker can leverage them to break through very powerful barriers.

Why the Ethernet Cord?

Ethernet (a.k.a IEEE 802.3) is the underlying protocol used to transfer packets within internal networks, and it has been around since the 1980s. Not only is it the data link layer used by Ethernet cables (sounds about right :P), but it is also the basis for the MAC addressing scheme used by Wi-Fi. Wi-Fi access points connect to the network using Ethernet, and part of their role is to convert the Ethernet frames from the wired network to Wi-Fi frames over the air. So, both wired and wireless networks rely on Ethernet.

The design of corporate networks consists of layers of barriers (firewalls, NATs), relay stations (switches, routers), and endpoints. And the pipelines that connect these elements (in most cases) are Ethernet cables. A very basic underlying assumption that exists in this design is that an Ethernet packet that is sent from one point to another will either be received as is, or it will be dropped. Packet-in-Packet attacks challenge this underlying assumption, by abusing edge cases in which a packet may change en-route, and still be processed on the other end as a valid packet. When these edge cases occur, a packet may pass through a Firewall, for instance, as a legitimate, benign packet, and later on be re-interpreted as a new packet that might also be a malicious one.

Ultimately, if an attacker is able to send a fully controlled Ethernet packet within an internal network, he or she may have a great hazardous potential. This is due to the expectation that internal networks are considered a “safe-zone,” in various ways. But they are not always “safe.” For example, attackers may be able to abuse DNS and proxy configurations, that are by design distributed to endpoints via unauthenticated broadcast packets within the internal network, and thus gain a Man-in-the-Middle position on web traffic, and use it as a foot in the door to further their attack.

What is an Ethernet Packet-in-Packet Attack?

An Ethernet packet-in-packet attack works by relying on the fact that when bit-errors randomly occur in transmissions, an attacker can leverage and abuse them to inject fully controlled packets when they occur in a certain way.

The following is how such an attack could happen: 

1. The attacker sends lots of benign packets, that are permitted to enter the network by its perimeter security defenses (firewall/NAT), as fast as possible. These packets will encapsulate the packet-in-packet payload and will traverse through the network on an Ethernet cable that might experience random bit-errors – either due to imperfect cabling, or malicious interference attacks (more on that in a moment).
2. The attacker will then wait for bit-errors to occur on a certain byte in the Ethernet low-level framing header of the packet, on the wire. 
3. When this occurs, it can fool the Ethernet controller on the other end to interpret the payload of the packet (that is attacker-controlled) as an entirely new packet. This will allow the attacker to control low-level headers of injected packets – essentially sending fully controlled Ethernet frames. These types of packets would have been otherwise blocked by firewall/NAT solutions.

These three steps are the basis for Ethernet packet-in-packet attacks, and while there are quite a few prerequisites for this attack to work, it can enable an attacker to send fully controlled Ethernet packets within an internal network, bypassing it’s perimeter security devices (firewalls/NATs). Due to the fact this attack relies on random bit flips occurring in transmission, it’s reasonable to assume that an attacker that exploits this method would aim to gain a foothold in the network, using a single injected packet. This may be achieved by exploiting certain RCE vulnerabilities, that may be triggered by a single broadcast packet (such as CDPwn, and URGENT/11, but others exist as well). In addition, an attacker can exploit certain design flaws that are inherent to how networks work, and establish a Man-in-the-Middle position on DNS and HTTP requests of the various endpoints within the network. This can be established by abusing certain broadcast IPv6 packets, for instance (more on that in our technical white paper below).

But before an attacker is able to inject Ethernet packets using this attack, he needs to jump through several hoops that this attack relies on.

Prerequisites for a Successful Attack

As described above, there are a few prerequisites that are needed for this type of attack to be successful, and this is why it is more likely to be exploited by sophisticated attackers. Some of these prerequisites were considered impossible to overcome in the past, and our research had discovered various ways in which they can be challenged.

1) Sending benign packets through the Firewall/NAT

The first step of this attack requires sending a stream of benign packets, through a firewall/NAT, in the hope that one (or more) of them will later be corrupted in a certain way that will trigger the packet-in-packet condition. To be able to send a stream of packets through the firewall/NAT an attacker can choose one of two attack scenarios:

• 1-click attack scenario can be used, where a target user, inside the internal network, is sent a link to an attacker’s website. By pressing the link, the target device will create outgoing traffic to the attacker’s website (on the Internet), and that will allow the attacker to send a stream of benign packets back to the target, for a very long time (even after the browser of the target is closed, for instance).
• Zero-click attack scenario can also be used, if the attacker is able to spoof a DNS response packet, from the IP of the DNS resolver used by the target organization (in many cases, Google’s DNS resolver will be used, for example). An attacker that uses this method will need to guess a 16-bit number (the source port of a DNS request) in order to pass successfully through the firewall/NAT, and this can be achieved by brute force. However, detecting that his attempt was successful requires a side channel (more on that later – in the proximity EMP attack scenario detailed below).

2) Occurrence of bit-flips (or: Bad Cables)

For this attack to work, bit-flips need to randomly occur on target Ethernet cables. In fact, the belief that these are unlikely to occur in wired cables is what led researchers in the past to dismiss this type of attack. At a Black Hat talk back in 2013, titled “Fully arbitrary 802.3 packet injection”, the researcher deemed this attack impractical, due to the following reason:

“…the reliability and extremely low error rate of wired cables make it [the Ethernet packet-in-packet attack] unrealistic.”

We performed a survey on Ethernet cables throughout a wide variety of organizations in which Armis operates, to find out whether this common belief is true. We were surprised to discover that imperfections in Ethernet cables are actually much more prevalent. Leveraging data from about 500K switch ports used in enterprise networks, we found that about 3.7% of them experience a significant amount of bit-errors. According to the industry standard, the maximum allowed bit-error-rate (BER) in Gigabit Ethernet cables, for example, is one bit error in 10 billion bits. The high-error-rate cables identified in our survey are ones that experience a BER that is greater than this maximum BER, as defined by the industry standard. In these types of cables, a packet-in-packet attack can occur within a reasonable time (hours or less).

When imperfect cabling exists in a network, a fully remote attack can be executed, and rely on the fact that bit-flips would occur on such cables. Those bit flips would allow an attacker to gain entry past the firewall and NAT. Once on the network, the opportunities increase for device manipulation or data exfiltration.

When we looked across different segments of our install base, we noted that the rate of error varied between them:

As defined above, high-error-cables experience more than one bit error every 10 billion bits.

In Gigabit Ethernet cables that experience a medium amount of errors, a bit can flip once every 10 seconds, and a packet-in-packet condition can then occur within hours. In Gigabit Ethernet cables that experience a high amount of errors, a packet-in-packet condition can occur within minutes!

One way for an attacker to overcome the prerequisite of bit-flips randomly occurring in Ethernet cables is to simply target an organization that might use imperfect cables, and hope the benign traffic that he sends to the network traverses through one of them. An alternative method that relies on an ability to induce bit-flips in non-faulty cables is also something that we’ve explored (more on this later).

3) Checksum manipulation (or: Finding out internal MAC Addresses)

When bit-flips do occur on an Ethernet transmission, a checksum mechanism exists in the framing headers of Ethernet, that is there to detect such bit-flips and drop corrupted packets. An attacker that attempts to exploit Ethernet packet-in-packet attacks can overcome this mechanism by causing both the inner packet (the one that will be re-interpreted as an entirely new packet) and the original packet to have the same checksum. This can be done, if the attacker knows the entire content of the Ethernet packet in advance, so he can anticipate the value of this checksum.

To achieve this, the MAC addresses of the target device and its nearest router must be identified. However, that is nowhere as impossible as it may sound. MACs are not a secret. Here are a few examples of how MAC addresses can be identified:

1. Firewalls will have adjacent MACs for their physical ports. An attacker located in a DMZ segment –  one hop from the firewall (not over the internet) – can deduce the MACs used by the ports of the internal segments.
2. Wi-Fi exposes MAC addresses over the air. While WPA2 encrypts the traffic, the MAC addresses appear in clear-text.  These exposed MACs are the same ones as on the wired LAN behind the AP (the AP is bridged to the LAN). Because MAC addresses never change, visiting a site once, prior to the attack, is enough.

One-Click Attack Scenario

As detailed in the section above, one of the attack scenarios that leverages the Ethernet packet-in-packet attack is a 1-click attack scenario. This scenario starts with an attacker sending a malicious link to a user inside a target network that leads to an attacker-controlled website. The browser on the user machine will send packets outbound to the attacker’s server, which would allow the attacker to send a stream of benign packets back to the target that will traverse through the network.

The attacker in this scenario operates from the Internet, without needing to be in physical proximity to the target. However, it does require that the attacker has obtained knowledge of MAC addresses from the target, prior, and that one of the cables in which the benign packets traverse through experience enough bit-flips, so the packet-in-packet condition will occur.

In the demo presented below, the above scenario takes place. Once the attacker is able to inject an Ethernet packet to the internal network, he abuses the aforementioned IPv6 packet (IPv6 Router Advertisement) to create a Man-in-The-Middle position on all Windows devices in the LAN – by registering a fake Search Domain and abusing the Windows Proxy Auto Discovery (WPAD) feature. This can lead to more control over the network, and devices, by using the established MiTM position. It is important to note that both IPv6 and WPAD are enabled by default in Windows devices (even in an IPv4 network).

A Controlled Experiment: A Proximity Attack Based on EMP

While our research showed that faulty cables are susceptible to normal, reasonable background electromagnetic interference (EMI) noise, we did ask the question, “But what about unreasonable noise?” We hypothesized that an unshielded cable, carrying an already attenuated signal, may become susceptible to higher levels of EMI. It is somewhat known that there are certain devices that emit an electromagnetic pulse which can cause this type of disruption – EMP weapons. These devices commonly use wideband pulses between 100MHz – 2GHz to interfere with any cabling longer than 5 centimeters or so. 

By studying some public research available on EMP “simulations,” we were able to create our own, small scale EMP device, to conduct a controlled experiment. We needed to design it to do the following:

• Charge a capacitor to a very high voltage
• Discharge it through a fast spark-gap in parallel to an antenna
• Deliver a pulse that will act as a powerful ultra-wideband signal

The result was something that resembles the spark gap radio – the earliest type of radio transmitter, invented in the late 19th century! It transmits wideband pulses at around 100MHz in very short pulses (5-10ns) at high power. The discharges happen at a rate of 1-2KHz or so.  Warning: Don’t make this at home, it’s quite dangerous!

We were able to record the impact of this EMP device on an unshielded, but also non-faulty Ethernet cable, as seen in the figure below. The blue and yellow are the induced voltage in 2 wires of an Ethernet twisted pair, 10m long. Purple is the differential signal. Despite the use of a twisted pair, the strength and variance this pulse creates causes a significant voltage change on the differential signal, which leads to the introduction of bit errors.

Zero-Click Proximity Attack Scenario

As described above, creating a zero-click attack scenario in which benign packets pass through a target network’s perimeter security defenses (firewall/NAT) is possible if the attacker is able to spoof a DNS reply from the IP address of a target’s DNS resolver. However, detecting that his attempt was successful requires a side channel — the solution for this problem is to combine a physical proximity element in the attack:

The steps to perform this attack are as follows:

1. The attacker listens in Wi-Fi monitor mode and collects the plaintext MACs of potential target wireless devices and their closest router.
2. The attacker sends the spoofed DNS response packets from the Internet to the external Internet IP address of the target network, iterating through all possible 16-bit source ports. In parallel, he looks at the lengths of the encrypted Wi-Fi frames in the air, and uses this side-channel to discover the correct source port that passes through the NAT, and is sent to a target device over Wi-Fi (more on this in the technical whitepaper).
3. At this point, the attacker can now send benign UDP packets, with controlled payloads, to a device behind the Wi-Fi AP. These packets will contain the packet-in-packet payload at high throughput, from the Internet.
4. In parallel, the attacker powers on the EMP device, and waits for bit flips to occur on the unshielded cable. The EMP is continuously sending out pulses at a high rate. Once the correct bit flip occurs, the packet-in-packet condition is achieved, and a fully controlled packet is injected!

Lastly, once an attacker is able to inject a fully controlled Ethernet packet inside the network, he can carry out any of the single-packet attacks detailed earlier in this blog — either reaching RCE on a vulnerable device, by using a vulnerability that may be triggered with a single broadcast packet (such as URGENT/11, CDPwn, or others), or gain MiTM position on DNS and HTTP traffic by abusing certain broadcast IPv6 packets.

A successful demo of this attack was conducted in our lab:

Technical Whitepaper

In addition to this detailed blog, we are also releasing a whitepaper that dives deeper into the many technical aspects of this research.

DOWNLOAD WHITE PAPER