What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » General » Forum & Website » Mistruth in FAQ

Pages: (3): « First « 1 2 [ 3 ] Last »
Mistruth in FAQ
Author: Message:
Burningmace
Junior Member
**


Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
Ok, point taken. I still think that saying that it is completely secure is a blatant lie though. Nonetheless I'm reporting the ARP/DNS attack as a bug, along with a sample exploitable situation and a solution. If it is ignored, I'll post it on SecurityFocus and a few other sites and let those guys mull it over. By that time if they don't want to spend time fixing it somebody will exploit it and you can go from there.
09-24-2008 12:20 AM
Profile E-Mail PM Find Quote Report
segosa
Community's Choice
*****


Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: RE: Mistruth in FAQ
quote:
Originally posted by Burningmace

2) Even if an attacker discovered that their victim downloaded files regularly from a single site, the task of creating a believable replica of the site in order to fool them is often infeasible with the time frame involved.


Using your precious little ARP/DNS spoofing and hijacking all HTTP requests: when you see HTTP response headers from a server that signify a download (Content-Disposition: attachment; etc), block the content of the download and send your own viral code.
The previous sentence is false. The following sentence is true.
09-24-2008 12:21 AM
Profile PM Find Quote Report
WDZ
Former Admin
*****

Avatar

Posts: 7106
Reputation: 107
– / Male / Flag
Joined: Mar 2002
RE: Mistruth in FAQ
Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to knwo that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)
09-24-2008 12:35 AM
Profile PM Web Find Quote Report
Burningmace
Junior Member
**


Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
That is unlikely to fool anyone. The file size will be completely wrong, the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain) and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.

quote:
Originally posted by WDZ
Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to knwo that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)


Huzzah! In fact now I feel a little stupid for not thinking of that myself.

Nonetheless I still stick by my point that the FAQ is not accurate - there is not 100% guarantee that some exploit (no matter what it is, where it comes from or what medium it uses to get to the client) will not be found. There is no such thing as complete security on a networked system.

This post was edited on 09-24-2008 at 12:42 AM by Burningmace.
09-24-2008 12:37 AM
Profile E-Mail PM Find Quote Report
Lou
Veteran Member
*****

Avatar

Posts: 2475
Reputation: 43
– / Male / Flag
Joined: Aug 2004
RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?
[Image: msghelp.net.png]
The future holds bright things in it\\\'s path, but only time will tell what they are and where they come from.
Messenger Stuff Forums
09-24-2008 01:10 AM
Profile PM Web Find Quote Report
segosa
Community's Choice
*****


Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
That is unlikely to fool anyone. The file size will be completely wrong.

So modify the Content-Length header too?! (or pad out your virus's executable)

quote:
Originally posted by Burningmace
the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain)

... no.

If the Content-Type is text/plain the browser will display the contents in the window and not download it unless the Content-Disposition exists, in which case it will ignore the Content-Type and download it.

http://gifpaste.org/test.php?x=1

code:
        header("Content-Type: text/plain");
        header("Content-Disposition: attachment; filename=test.bin");


Ignores the text/plain header and prompts the user to download test.bin.

http://gifpaste.org/test.php?x=2

code:
        header("Content-Type: application/x-msdownload");


Prompts the user to download it using a default filename, so in this rare case you could detect the specific Content-Types related to the downloading of executable files (application/x-msdownload in this case).

http://gifpaste.org/test.php?x=3

code:
        header("Content-Type: text/plain");


Displays the contents of the file in the browser. In this case you wouldn't hijack the request.

Every website that wants you to download a file will use Content-Disposition if they want the filename to be something that makes sense. This means that Content-Disposition will catch 99% of all HTTP file-download responses.

quote:
Originally posted by Burningmace

and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.


Not only is this untrue (the hijacker/attacker modifies the received HTTP packets on the fly, then sends them on, and if they wanted to appear inconspicuous, could even download the original file the user requested) but no normal user would even notice more bandwidth being used.

From the server's perspective, someone is downloading the file requested.

From the user's perspective, they are downloading a file.

You could even take the Content-Length header if you didn't want to rewrite it, and pad out your viral executable with bytes that wouldn't affect its execution so that the browser would report the correct filesize.





This post was edited on 09-24-2008 at 09:39 AM by segosa.
The previous sentence is false. The following sentence is true.
09-24-2008 01:10 AM
Profile PM Find Quote Report
Burningmace
Junior Member
**


Posts: 20
Joined: Sep 2008
O.P. RE: RE: Mistruth in FAQ
quote:
Originally posted by .Lou
quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?

As I said, I am talking about exploits in a general way. Nothing specific. If xyz vulnerability is found in Plus! and that vulnerability is exploited, the FAQ states blanket security and that is not true. If some hacker uses the exploit to attack a corporate network, they'll look for someone to blame. If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
09-24-2008 10:09 AM
Profile E-Mail PM Find Quote Report
Menthix
forum admin
*******

Avatar

Posts: 5537
Reputation: 102
40 / Male / Flag
Joined: Mar 2002
RE: Mistruth in FAQ
quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
Except Patchou doesn't live in lets-just-sue-someone-because-we-cant-think-for-our-selves-land USA, and the FAQ isn't any form of legal document.

The piece of FAQ you quoted is correct. Don't forget this FAQ entry answers the question "Can Messenger Plus! Live open a back door for viruses and trojans?". The question is answered by explaining Messenger Plus! doesn't make any network connections directly (except for mail checking), and by doing so it doesn't add any extra risk on a network level.  You do have a point, but these are all general flaws, nothing specific to Messenger Plus! only.

quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus"
The FAQ actually doesn't say that anywhere.
Finish the problem
Menthix.net | Contact Me
09-24-2008 11:25 AM
Profile E-Mail PM Web Find Quote Report
Spunky
Former Super Mod
*****

Avatar

Posts: 3658
Reputation: 61
36 / Male / Flag
Joined: Aug 2006
RE: Mistruth in FAQ
Plus! only has the same "security flaws" as any other application which connects to the net whether it be Adobe, Office or a Torrent program for example. The fact is, that if someone has enough time to connect to someone's network, discover the programs and services they use, intercept incoming messages and replace it with their own code, they deserver to be able to send somebody a virus. All that work and what do they have to show for it? The AV software or Anti-Spyware will get rid of it almost instantly and nobody will be worse off. It's kinda like saying your plane is 100% going to be hi-jacked... It's actually a lot of work and very unlikely to happen :p
<Eljay> "Problems encountered: shit blew up" :zippy:
09-24-2008 01:38 PM
Profile PM Find Quote Report
Pages: (3): « First « 1 2 [ 3 ] Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On