Vulnerability Development mailing list archives

RE: Infecting the KaZaA network? (moving here thread from 'traq)


From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Sat, 16 Feb 2002 00:28:29 -0500

Understood.  Vlad already mostly validated my point.  It was that the
MD5 checksum for the Kazaa client is not downloaded from the network.
The MD5 checksum would have to be present in the stub download from
Kazaa/CNET themselves.  This precludes an MITM attack for the initial
client download (though not necessarily later software downloads, but
those are a lot harder to predict and target).  

The only situation where an MITM is possible during the Kazaa client
installation is between you and CNET, by feeding you a bogus Kazaa stub,
in which case you've got the fruit of a poison tree problem.  Hence my
statement that it is not a Kazaa vulnerability, but a generic
downloading of executables issue--and one that cannot be solved by
focusing on Kazaa.

Cheers,
Ben

-----Original Message-----
From: Thierry Zoller [mailto:support () sniff-em com] 
Sent: Thursday, February 14, 2002 7:32 AM
To: bgrubin () pobox com
Cc: vuln-dev () securityfocus com
Subject: RE: Infecting the KaZaA network? (moving here thread 
from 'traq) 


This is done from the kazaa website
(or CNET download.com).
The issue was that Kazaa uses their Cloud load (TM) 
"Technology" to download the latest build, which means 
nothing more than connecting to the kazaa network and 
searching for the latest kazaa executable, then downloading 
it *from the users*

That's why the initial posting suggested a trojaned version 
being deployed.

Thierry
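
Added example, not part of either message and not Kazaa's code: a sketch of the trust chain discussed above, where a stub from the publisher carries a pinned digest and a build fetched from peers is accepted only if it matches. The stub layout, function names, peer names and byte strings are constructed assumptions; the last case shows that a substituted stub defeats the check.

```python
import hashlib
import hmac

# Constructed sample builds; stand-ins for real executables.
GENUINE = b"constructed genuine client build"
TAMPERED = b"constructed tampered client build"


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def make_stub(build: bytes, algo: str = "md5") -> dict:
    """Hypothetical stub: the publisher pins the digest of the build.
    MD5 is the algorithm the thread names; pass "sha256" to pin a
    collision-resistant digest instead."""
    return {"algo": algo, "pinned": digest(build, algo)}


def fetch_verified(stub: dict, peers: list) -> tuple:
    """Return (accepted_peer, payload, rejected_peers). Peers are untrusted,
    so a payload is accepted only if it matches the stub's pinned digest."""
    rejected = []
    for name, payload in peers:
        got = digest(payload, stub["algo"])
        if hmac.compare_digest(got, stub["pinned"]):
            return name, payload, rejected
        rejected.append(name)
    return None, None, rejected


if __name__ == "__main__":
    peers = [("peer-a", TAMPERED), ("peer-b", GENUINE)]

    # Stub obtained intact from the publisher: the tampered copy is rejected.
    print(fetch_verified(make_stub(GENUINE), peers)[::2])

    # No peer holds the pinned build: nothing is installed.
    print(fetch_verified(make_stub(GENUINE), [("peer-a", TAMPERED)])[::2])

    # Stub replaced in transit: the pin itself is wrong, so the check
    # passes for the tampered build. The digest is only as trustworthy
    # as the channel that delivered the stub.
    print(fetch_verified(make_stub(TAMPERED), peers)[::2])
```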







