Vulnerability Development mailing list archives
RE: Infecting the KaZaA network? (moving here thread from 'traq)
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Wed, 13 Feb 2002 19:52:33 -0500
Correct me if I'm wrong, but isn't it the *client* that verifies the final MD5 of the assembled file? In order for a MITM attack to be successful, the initial download of the stub from kazaa must be trojaned. This is done from the kazaa website (or CNET download.com). Later on, once Kazaa is fully installed, and you are downloading executables, then it's a different story. While this may in fact be possible (as the cited post about the FBI and Magic Lantern suggests), this is no longer a Kazaa-specific vulnerability, but instead the same generic issue we face with any downloaded executable. This was obviously brought to the forefront by the imporperly issued Microsoft code signing key that issued in error some time ago. Trusting downloaded software is a difficult proposition. The MS code signing key debacle showed that even a trusted third party has "oops"es and undoubtedly is vulnerable to arm-twisting by <insert three-letter agency here>. Cheers, Ben
-----Original Message----- From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Wednesday, February 13, 2002 11:30 AM To: vuln-dev () securityfocus com Subject: Re: Infecting the KaZaA network? (moving here thread from 'traq) On Tue, 12 Feb 2002 17:48:13 EST, Shoten <shoten () starpower net> said:Not to mention that in this case, the file with the same checksum would have to be EXACTLY the same size as the KaZaAexecutable, AND bea functional virus on top of that. And even if you got all that, you'd have to worry about it getting mixed with a validclient duringdownload from multiple sources. For those who think thisis possible,go ahead and try...good luckThis is all assuming, of course, that you have reason to trust the original size and checksum, and that you have reasonable assurance that you *are* in fact downloading from multiple sources, at least one of which is not in collusion. How do you know that you aren't the victim of a man-in-the-middle attack on your download? Before you say "That can't be", go read this:
http://www.securityfocus.com/archive/1/245693 Hint: That's why the PGP documentation suggests key signing parties and verifying the footprint *over the phone*. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Current thread:
- Re: Infecting the KaZaA network? (moving here thread from 'traq) Raistlin (Feb 08)
- Re: Infecting the KaZaA network? (moving here thread from 'traq) John Hall (Feb 10)
- <Possible follow-ups>
- Re: Infecting the KaZaA network? (moving here thread from 'traq) nestler (Feb 12)
- Re: Infecting the KaZaA network? (moving here thread from 'traq) Shoten (Feb 12)
- Re: Infecting the KaZaA network? (moving here thread from 'traq) Valdis . Kletnieks (Feb 13)
- RE: Infecting the KaZaA network? (moving here thread from 'traq) Benjamin P. Grubin (Feb 13)
- Re: Infecting the KaZaA network? (moving here thread from 'traq) Valdis . Kletnieks (Feb 14)
- Re: Infecting the KaZaA network? (moving here thread from 'traq) Shoten (Feb 12)
- RE: Infecting the KaZaA network? (moving here thread from 'traq) Benjamin P. Grubin (Feb 16)