RE: Infecting the KaZaA network? (moving here thread from 'traq)

From: Benjamin P. Grubin (bgrubinat_private)
Date: Wed Feb 13 2002 - 16:52:33 PST


    Correct me if I'm wrong, but isn't it the *client* that verifies the
    final MD5 of the assembled file?
    
    In order for a MITM attack to be successful, the initial download of the
    stub from kazaa must be trojaned.  This is done from the kazaa website
    (or CNET download.com).  Later on, once Kazaa is fully installed, and
    you are downloading executables, then it's a different story.
    
    While this may in fact be possible (as the cited post about the FBI and
    Magic Lantern suggests), this is no longer a Kazaa-specific
    vulnerability, but instead the same generic issue we face with any
    downloaded executable.  This was obviously brought to the forefront by
    the improperly issued Microsoft code signing key that issued in error
    some time ago.
    
    Trusting downloaded software is a difficult proposition.  The MS code
    signing key debacle showed that even a trusted third party has "oops"es
    and undoubtedly is vulnerable to arm-twisting by <insert three-letter
    agency here>.  
    
    Cheers,
    Ben
    
    > -----Original Message-----
    > From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private] 
    > Sent: Wednesday, February 13, 2002 11:30 AM
    > To: vuln-devat_private
    > Subject: Re: Infecting the KaZaA network? (moving here thread 
    > from 'traq) 
    > 
    > 
    > On Tue, 12 Feb 2002 17:48:13 EST, Shoten <shotenat_private>  said:
    > 
    > > Not to mention that in this case, the file with the same checksum
    > > would have to be EXACTLY the same size as the KaZaA executable, AND be
    > > a functional virus on top of that.  And even if you got all that,
    > > you'd have to worry about it getting mixed with a valid client during
    > > download from multiple sources.  For those who think this is possible,
    > > go ahead and try...good luck
    > 
    > This is all assuming, of course, that you have reason to 
    > trust the original size and checksum, and that you have 
    > reasonable assurance that you *are* in fact downloading from 
    > multiple sources, at least one of which is not in collusion.
    > 
    > How do you know that you aren't the victim of a 
    > man-in-the-middle attack on your download?  Before you say 
    > "That can't be", go read this:
    > 
    > http://www.securityfocus.com/archive/1/245693
    > 
    > Hint: That's why the PGP documentation suggests key signing parties and
    > verifying the footprint *over the phone*.
    > -- 
    >                 Valdis Kletnieks
    >                 Computer Systems Senior Engineer
    >                 Virginia Tech
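The point both messages circle around, that a size-plus-checksum check on the reassembled file only helps when the reference size and digest arrived over a channel the attacker cannot rewrite, can be shown with a small simulation. This is an added example, not code from the thread, from KaZaA or from any of its authors: the chunked multi-source download, the peers, the file contents and the "colluding" peer are all constructed for illustration, and sha256 stands in for the MD5 the thread mentions.

```python
"""Added example (not part of the vuln-dev thread): a checksum is only as
trustworthy as the channel that delivered it.

Models a multi-source download of a file split into fixed-size chunks.
One peer may be in collusion and serve a tampered chunk. The client
reassembles the file and checks size and digest against a reference
value obtained either out-of-band (a channel the attacker does not
control, e.g. read over the phone as the PGP advice suggests) or in-band
(the same channel a man-in-the-middle could rewrite).
Everything below is constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 8

# Constructed "genuine" installer content (56 bytes -> 7 chunks).
GENUINE = b"KAZAA-STUB-v1.0:" + bytes(range(40))

# Tampered variant: one byte flipped inside chunk 3 (bytes 24..31).
_t = bytearray(GENUINE)
_t[25] ^= 0xFF
TAMPERED = bytes(_t)


def split_chunks(data: bytes) -> List[bytes]:
    """Split a file into CHUNK_SIZE-byte pieces, last piece possibly short."""
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def digest(data: bytes) -> str:
    # The 2002 thread talks about MD5; sha256 is used here as the modern choice.
    return hashlib.sha256(data).hexdigest()


class Source:
    """A peer that serves chunks of whatever content it holds (constructed)."""

    def __init__(self, name: str, content: bytes) -> None:
        self.name = name
        self.chunks = split_chunks(content)

    def chunk(self, index: int) -> bytes:
        return self.chunks[index]


def download(sources: List[Source], n_chunks: int) -> bytes:
    """Round-robin fetch of chunks from several peers, then reassemble."""
    parts = [sources[i % len(sources)].chunk(i) for i in range(n_chunks)]
    return b"".join(parts)


def verify(assembled: bytes, expected_size: int, expected_digest: str) -> bool:
    """The client-side check the thread refers to: whole-file size and digest."""
    return len(assembled) == expected_size and digest(assembled) == expected_digest


def _run(sources: List[Source], reference: Tuple[int, str]) -> Dict[str, bool]:
    assembled = download(sources, len(split_chunks(GENUINE)))
    return {"verified": verify(assembled, *reference),
            "genuine": assembled == GENUINE}


def scenario_honest_peers() -> Dict[str, bool]:
    """Out-of-band reference, all peers honest: verifies and is genuine."""
    ref = (len(GENUINE), digest(GENUINE))
    return _run([Source("peer-a", GENUINE), Source("peer-b", GENUINE)], ref)


def scenario_out_of_band_reference() -> Dict[str, bool]:
    """Out-of-band reference, one colluding peer: the tampered chunk is caught."""
    ref = (len(GENUINE), digest(GENUINE))
    return _run([Source("honest", GENUINE), Source("colluding", TAMPERED)], ref)


def scenario_in_band_reference() -> Dict[str, bool]:
    """Reference taken from the same channel a MITM controls: the attacker
    publishes the digest of the tampered file next to it, so the check
    passes even though the content is not genuine."""
    ref = (len(TAMPERED), digest(TAMPERED))
    return _run([Source("mitm", TAMPERED)], ref)


if __name__ == "__main__":
    for name, fn in [("honest peers", scenario_honest_peers),
                     ("out-of-band reference, colluding peer", scenario_out_of_band_reference),
                     ("in-band reference, MITM", scenario_in_band_reference)]:
        print(f"{name:40s} {fn()}")
```

The second scenario is the multi-source mixing Shoten describes: the colluding peer's chunk breaks the whole-file digest, so the client rejects the download. The third is Valdis's objection: when the reference digest comes from the same rewritable channel as the file, the verification step is satisfied by construction and tells the client nothing.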
    



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 20:27:07 PST