Understood. Vlad already mostly validated my point. It was that the MD5 checksum for the Kazaa client is not downloaded from the network. The MD5 checksum would have to be present in the stub download from Kazaa/CNET themselves.

This precludes MITM attack for the initial client download (though not necessarily later software downloads, but those are a lot harder to predict and target). The only situation where an MITM is possible during the Kazaa client installation is between you and CNET, by feeding you a bogus Kazaa stub, in which case you've got the fruit of a poison tree problem.

Hence my statement that it is not a Kazaa vulnerability, but a generic downloading of executables issue--and one that cannot be solved by focusing on Kazaa.

Cheers,
Ben

> -----Original Message-----
> From: Thierry Zoller [mailto:support@sniff-em.com]
> Sent: Thursday, February 14, 2002 7:32 AM
> To: bgrubinat_private
> Cc: vuln-devat_private
> Subject: RE: Infecting the KaZaA network? (moving here thread
> from 'traq)
>
> >This is done from the kazaa website
> >(or CNET download.com).
> The issue was that Kazaa uses their Cloud load (TM)
> "Technology" to download the latest build, which means
> nothing more than connecting to the kazaa network and
> searching for the latest kazaa executable, then downloading
> it *from the users*
>
> That's why the initial posting suggested a trojaned version
> being deployed.
>
> Thierry
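
The trust argument in the message above, as an added example that is not part of the original thread: a hypothetical stub carries a pinned MD5 of the full client and checks whatever the peer network delivers against it. The class and function names and the sample byte strings are constructed for illustration; MD5 appears only because the thread names it.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    # MD5 is used because the thread names it; it is not collision-resistant.
    return hashlib.md5(data).hexdigest()


class Stub:
    """Hypothetical bootstrap installer with the client digest baked in."""

    def __init__(self, pinned_digest: str):
        # The digest travels with the stub, not over the peer network.
        self.pinned_digest = pinned_digest

    def accept(self, payload: bytes) -> bool:
        # Constant-time comparison of the computed and pinned digests.
        return hmac.compare_digest(md5_hex(payload), self.pinned_digest)


def install(stub: Stub, payload_from_peer: bytes) -> str:
    return "installed" if stub.accept(payload_from_peer) else "rejected"


def scenarios() -> dict:
    genuine = b"constructed sample: genuine client build"
    modified = b"constructed sample: modified client build"
    vendor_stub = Stub(md5_hex(genuine))    # stub obtained intact from the vendor
    forged_stub = Stub(md5_hex(modified))   # stub replaced on the way to the user
    return {
        # Peer delivers the real build: the pinned digest matches.
        "vendor stub, genuine payload": install(vendor_stub, genuine),
        # Peer delivers something else: the pinned digest catches it.
        "vendor stub, modified payload": install(vendor_stub, modified),
        # Stub itself was swapped: the check passes for the wrong build.
        "forged stub, modified payload": install(forged_stub, modified),
        # A forged stub also rejects the genuine build.
        "forged stub, genuine payload": install(forged_stub, genuine),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The third case is the one the message calls out: the check is only as trustworthy as the channel that delivered the stub.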
This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 09:09:39 PST