Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: gboyce <gboyce () badbelly com>
Date: Wed, 15 Mar 2006 12:21:07 -0500 (EST)

Ok, so what's your alternative?

You're already assuming that the user of the firewall is already misusing SSL. They need to blindly accept unsigned SSL certificates, and changes to the certificates. Just about any security restrictions you can apply can be done away with if the user is incompetant enough.

Some form of challenge response? If you can already perform a man in the middle attack, than challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them the challenge you recieved. Use the credential yourself, and pass them a failure. When they try again, connect them to the server.

I suppose client certificates would work, but do you honestly believe there are many firewall admins who would go through the pain and effort to setup a server that deals with client certificates properly, but wouldn't notice SSL server certificate changes?

On Wed, 15 Mar 2006, Simon Smith wrote:

Ok,
   As suspected... so I am correct; and it is a security threat. I can
compromise a network, arp poison it, MiTM, access the firewall,
distributed metastasis, presto... owned...


Michael Holstein wrote:
which brings up a question... what are the odds that someone could
forcefully redirect traffic to their proxy after having compromised a
network? Could this be done with arp poisoning? I haven't toyed with
that in a while so I can't say yes or no...

If it's Ethernet, and you're on the same broadcast network, yes. Check
out arpspoof (part of dsniff). You also need to setup a userspace
router to forward the packets -- easiest way is fragrouter.

FYI : this also works quite well on wireless.

~Mike.


--


Regards,
        Adriel T. Desautels
        Harvard Security Group
        http://www.harvardsecuritygroup.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: