On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger <pe...@piermont.com>
wrote:

> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
> <frederic.marc...@wowtechnology.com> wrote:
> > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > > According to:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2016-5696
> > >
> > > Wheezy and Jessie are still vulnerable. The attack in question is
> > > kind of bad (it allows blind injection of arbitrary data into
> > > things like http downloads) and has been known for a few weeks
> > > now to the general public.
> >
> > I don't think the issue is that bad.
> >
> > It allows an attacker to find out if you are connected to a
> > particular web site and makes it easier to interrupt the transfer
> > by sending a RST or SYN packet or inject junk data to corrupt the
> > flow. It's simple denial of service.
>
> You are completely wrong. This attack allows you to inject
> *meaningful* things into the data flow. It isn't denial of service,
> it is one of the most flexible data injection attacks in years.
>
> At the security conference where the attack was presented, as a show
> of force, the presenters demonstrated that they could hijack arbitrary
> http: connections from several US newspapers and inject whatever
> traffic they like using this.
>
> Indeed, as a bit of comedy, they used this to do their presentation!
> They had a web browser to go to a newspaper's site and injected their
> slides for the talk into the newspaper's web page return and
> presented their talk that way! You will be able to watch the video
> yourself online when Usenix posts it soon.
>
> This means, for example, that you can inject javascript into the pages
> coming off of (say) a newspaper's unencrypted web site, and this
> lets you do untold mischief. With this attack, you could, for
> example, have weaponized the attacks described against iOS yesterday
> (resulting in an iOS emergency update) without getting a user to
> click on a malicious page, simply by injecting malicious javascript
> into a real page of a site hosted on a debian server. (I link to the
> report of that particular incident below, to give one a taste of the
> modern threat environment.)
>
> This is a horribly bad attack. Thinking this is nothing but denial of
> service could not be more incorrect.
>
> > But to achieve that, you must be downloading something from a web
> > site the attacker is actually targeting. The attacker must know you
> > are doing so or find out by sheer luck.
>
> "Sheer luck" isn't hard at all. There are a half dozen good ways
> understood by people in the field where you can figure out what
> sites someone is looking at regularly if you are targeting them
> without needing to listen in on their connection directly.
>
>
Having read several texts on internet security, I'd be interested in what
you are referring to. You mean compromise the physical machine they are on
to view their browser history? Break into their home? Packet sniffing?



> > The download must be long
> > enough (more than one minute) for the attacker to discover the set
> > of parameters that will make the attack successful.
>
> You've forgotten how the modern web works. People have http:
> connections live for very long periods of time, with dynamic content
> flittering back and forth over the channel. It isn't like 1996 any
> more where someone downloaded some static HTML and closed the TCP
> connection until the next page was downloaded when they clicked
> again. It hasn't been like that in a very long time.
>
>
So you are referring to the "netstat" output from the system itself? So
physically redraw the page they are on even if they haven't refreshed the
page?


> > That's unlikely to succeed on a massive scale if you ask me!
>
> You clearly didn't watch the presentation of people
> doing this attack successfully against real web pages while people
> were using them. This isn't theoretical. You should also remember
> that we're no longer in the "but who would do *that*" world. If you
> want to understand the threat model people live under now, read
>
> https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
>
>
Seems to be the NSA from reading about that.


> > Besides, the attacker can't possibly know what you are downloading
> > and how much data has already been downloaded. There is no way he
> > can inject anything useful into the downloaded data.
>
> Watch the real world demos. As I said, the videos are online. What
> you say is wrong.
>
> Perry
> --
> Perry E. Metzger                pe...@piermont.com
>
>

I'd love to see that as well. I don't keep up with many conferences that I
don't personally attend. Is there a cost?

-- 
"The death of one man is a tragedy, the death of 10 million is a statistic"
-- Joseph Stalin

"Omnia mutantur, nihil interit"
(Translation: Everything changes, nothing is lost.)
-- Ovid, _Metamorphoses_
