Shoutbox

Mistruth in FAQ - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: General (/forumdisplay.php?fid=11)
+---- Forum: Forum & Website (/forumdisplay.php?fid=13)
+----- Thread: Mistruth in FAQ (/showthread.php?tid=86113)

Mistruth in FAQ by Burningmace on 09-23-2008 at 07:46 PM

On the site's FAQs page under the Privacy section (http://www.msgplus.net/help/faq/privacy/#open-port) the following is stated:

quote:
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer. The reason is quite simple: Messenger Plus! does not directly open any network port on your machine, the only exception being the External Mail feature that connects to the mail server of your choice. Every other feature of Messenger Plus! that uses your internet connection goes through normal http requests sent by the Wininet library of Windows.

This is technically incorrect for several reasons:

1) Despite the developers' best efforts, there is no way to say 100% that the Messenger Plus! application contains no exploitable code (in the form of buffer overruns, etc). User input is accepted from a whole pile of sources that could be controlled by an attacker. What if someone uses an ARP/DNS spoof to man-in-the-middle your connection to the update service? Your box is owned. What if a vulnerability is found in the sound player code and someone sends a malformed audio sample that causes this vulnerability to be exploited in order to execute malicious code? Your box is owned.
2) There is no way to say that the Wininet library is 100% secure. Windows has had vulnerabilities before, and it still does.
3) Messenger Plus does directly open a network port! It may not open a port for listening, but if it's connecting to the update feature or talking to the messenger service it has an open connection that uses a local port. That means that the connection can be hijacked by an attacker and there is nothing you can do to stop it. On the one hand it is likely that they will not be able to do anything useful, but on the other it doesn't mean that the possibility is not there for an attacker to manipulate data and cause problems.

I propose that this section of the FAQ is re-written to more accurately represent reality. It doesn't have to be technical and wordy, but it should definitely represent the reality of software security. In fact this covers the developers - as the FAQ states that the software is 100% secure, if someone goes on to find a vulnerability and exploit it causing $10m of damage to a corporate network, then you're up a creek without a paddle in a court of law. In layman's terms: You get owned.

I'm not saying tell everyone that if they install your software they're gonna get hacked and people are going to steal their credit card numbers, but more warn them that as with all software, despite your best efforts there may be exploitable bugs that have not been identified and fixed. So while it is very very very unlikely that someone would hack them through Plus! it is still technically a possibility.

Discussion and positive criticism appreciated, flaming is not.

Cheers,
Burningmace
RE: Mistruth in FAQ by matty on 09-23-2008 at 08:09 PM

While ARP Poisoning is possible when doing HTTP Requests to Man in the Middle, the section of the FAQ is referring to the fact that no ports are opened on your computer (with the exception of the email port) which would potentially open your computer to risks. All information between Plus! and the web server is http traffic, therefore no additional ports are opened on your computer.


RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 08:15 PM

That does not mean that exploits cannot and will not be found in the Wininit library or the code in Plus! that handles received data from this HTTP socket. Furthermore, the FAQ does not specify this - it states blanketed security due to the fact that NO ports are opened to the internet, which is not true.


RE: Mistruth in FAQ by matty on 09-23-2008 at 08:32 PM

How is it not true that not true?

quote:
Originally posted by Burningmace
Messenger Plus! does not directly open any network port on your machine, the only exception being the External Mail feature that connects to the mail server of your choice.
I guess in the overall picture a local port is opened in the sense for the 3 way handshake and communication with the server and closed thereafter. I agree with you in the sense that the wording should be changed, however Plus! doesn't keep a port open, it closes it (as do many applications) when it is finished using it.

And what can be stolen from ARP poisoning someone from Plus!? What sound they are sending? The information doesn't contain anything valuable and it is hard to hack VIA HTTP requests.
RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 09:00 PM

I meant more in the way of an attacker could manipulate the packets in order to exploit a vulnerability in either the Wininit library or in Plus! itself. It does not matter that the connection closes at the end of the request, as a man in the middle attack using ARP/DNS spoofing allows the attacker to manipulate both sides of the connection (client end and server end) for the entire duration of the connection.

The sound reference was regarding hypothetical vulnerabilities in the sound library. If a vulnerability was found it would not be hard to send a malformed sample that exploited the vulnerability directly to the server, thus owning the client box.

Edit: Furthermore, there is no way to tell if someone has ARP spoofed your update connection in order to download malware to your machine. Even if you force people to download directly from your website (open their browser to the URL of the update page) an attacker can just spoof the DNS and host a fake page himself that contains a Plus! installer with malware attached.


RE: Mistruth in FAQ by ShawnZ on 09-23-2008 at 09:35 PM

matty: he didn't say it opened ports, he said it doesn't need to to be exploitable.

burningmace: who the hell says "your box is owned"?


RE: RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 09:51 PM

quote:
Originally posted by ShawnZ
burningmace: who the hell says "your box is owned"?

Do you mean "who uses that phrase?" or "why does that mean your box is owned?"

To answer both:
Who uses that phrase? - I use that phrase, and so do a lot of people. In fact, Microsoft's own Steve Riley uses it liberally in his presentations at TechEd.

Why does that mean your box is owned? - You have to assume any machine that has had an exploit run on it is completely under the control of the attacker - it is completely and utterly compromised.

I would also like to state that I am not disputing the standard of security in Messenger Plus. I am simply being realistic. I write code every day and I'm 110% sure that somewhere along the line I've written something that can be exploited in some way. I accept that. Any software developer that doesn't accept the fact that somewhere along the line their software or the libraries that it relies on will contain an exploitable bug is, frankly, a moron. What I'm trying to say is despite the fact that at current there are no known vulnerabilities (with an exception - see note below) in Messenger Plus, there is no way to tell if there are unknown vulnerabilities and you need to cover yourself from and inform your users of such eventualities.

Note regarding vulns - The exception is the obvious, practically unavoidable DNS/ARP spoofing man-in-the-middle attacks on the update socket, that (as far as I am aware in the case of Messenger Plus) has never been performed.
RE: Mistruth in FAQ by riahc4 on 09-23-2008 at 10:02 PM

Are you on some drugs?

Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used)


RE: Mistruth in FAQ by Voldemort on 09-23-2008 at 10:05 PM

quote:
Originally posted by riahc4
Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used)
Not all, what about the sounds!??!?!
RE: RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 10:11 PM

quote:
Originally posted by riahc4
Are you on some drugs?

Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used)

I'm sorry if I mis-worded my original post - what I meant was as long as Plus! communicates with outside sources, it is vulnerable. I didn't mean that Plus! communicates with the messenger service, I simply stated it as an external source from which user input could come from. From what I can figure, the Plus! application parses other users' names for formatting tags (colours, bold, etc). This means that the parsing code is subject to user input and should be considered as a potential target for exploits. It is unlikely that the parsing algorithm contains any vulnerable code, but it is not impossible.

Furthermore, this doesn't change the fact that the update feature is enabled by default and your average layman wouldn't see any reason to turn it off. It could be exploited, but generally isn't.

The entire point of this topic was NOT to discuss possible security flaws in the application's communications model but to alter the FAQ to more accurately reflect the realities of software security.

quote:
Originally posted by Voldemort
Not all, what about the sounds!??!?!

Unless I am mistaken, only the Plus! server receives these, and it then forwards them to the target client. It is simply another avenue that is a possible target for exploits.

quote:
Originally posted by Voldemort
OH SHAWNZ YOU FOUND ANOTHER MICROSOFT FANBOY!

Firstly, comments like this are counter-productive and somewhat childish. Secondly, the last time I checked referencing a person's mannerisms wasn't considered a reason to be labelled a 'fanboy'. Yes, I primarily use Windows, along with most home computer users in the world. Anyway, I'm not getting into a flame-war with you. Either contribute something useful or leave this thread alone.
RE: Mistruth in FAQ by ShawnZ on 09-23-2008 at 10:22 PM

quote:
Originally posted by Burningmace
Who uses that phrase? - I use that phrase, and so do a lot of people. In fact, Microsoft's own Steve Riley uses it liberally in his presentations at TechEd.

well then i pose the same question to him :p
quote:
Originally posted by riahc4
Plus! doesn't communicate with the Messenger service at all.

where did he say the messenger service ¬¬

he was talking about its attack surface in general...
RE: RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 10:27 PM

quote:
Originally posted by ShawnZ
where did he say the messenger service

I did in fact reference it in the original post, but I worded it poorly. This is explained in my second to last post.

And yes, you are correct, I am talking about the theoretical vulnerabilities of the system as a whole. However, I am not talking about them in a specific context (i.e. a specific vulnerability) but rather the possibility that exploitable interfaces (TCP/UDP sockets, direct user input, etc) and sections of code exist within the system.

I feel that at current the FAQ does not accurately represent the reality of software security, and that it needs to be changed to that end.
RE: Mistruth in FAQ by foaly on 09-23-2008 at 10:44 PM

I think you are misinterpreting the FAQ.
The question to that answer is:
Is it possible messenger plus! opens ports for virii to exploit (I had to translate, my FAQ is in Dutch)

The answer to that question is simply NO, because plus! doesn't open ports. If you exploit plus to open a port, plus didn't open a port.
The exploit does.

The answer answers the question... Nothing wrong with that...


RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 11:01 PM

That is not my point. While Messenger Plus! does not open ports for listening, it does connect via the network to other computers on the internet (the update service for one) and these connections are made in the following manner:

1) Resolve the IP address for msgpluslive-update.net
2) Make a connection to this IP address
3) See if there is an update, if there is then download it.

Step 1 is exploitable using DNS spoofing. Step 2 is exploitable (in some cases) using ARP spoofing. Step 3 is exploitable (fake update response sending malware instead of patch) once either step 1 or 2 have been exploited.

In order to determine the update protocol I could simply inject myself between the client and server as a transparent proxy using DNS/ARP spoofing in a classic man-in-the-middle attack, then monitor all network traffic on that connection. I could then follow the messages sent and received and use the information gathered to create my own application that simulates the update server's behaviour.

Other than using an SSL certificate to fully authenticate the server and encrypt network traffic, I am unaware of any feasible method of preventing man-in-the-middle attacks from succeeding.
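The two client-side checks that close the three steps above (authenticate the server, then verify the downloaded binary before running it), as an added Python illustration that is not code from this thread or from Messenger Plus! itself. The host name, the transport callables and the payload bytes are constructed stand-ins; the trusted digest stands in for a signed manifest or code-signing check.

```python
import hashlib
import hmac
import ssl

# Constructed sample payloads (not real Messenger Plus! files).
GENUINE_UPDATE = b"MZ\x90\x00 constructed genuine installer bytes"
SUBSTITUTED_UPDATE = b"MZ\x90\x00 constructed binary a spoofing proxy swapped in"

# Digest the client trusts out-of-band. In a real client this would come from
# a signed manifest or from the vendor's code-signing certificate; if it were
# fetched over the same unauthenticated channel, the proxy could rewrite it too.
TRUSTED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def weak_context():
    """Step 2 without server authentication: whatever host a spoofed DNS
    answer or ARP entry steers the client to is accepted (plain HTTP is
    equivalent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Step 2 with the server authenticated: certificate chain validated
    against the system trust store and the hostname matched, which is the
    check that defeats the DNS/ARP man-in-the-middle described above."""
    return ssl.create_default_context()


def authenticates_server(ctx):
    """True only if the context both validates the chain and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def honest_transport(host):
    """Stand-in for steps 1-3 reaching the real update host."""
    return GENUINE_UPDATE


def spoofing_transport(host):
    """Stand-in for the same steps with a transparent proxy in the path that
    answers the update check with its own binary."""
    return SUBSTITUTED_UPDATE


def verify_update(payload, trusted_sha256):
    """Step 3 check: compare the downloaded bytes against the trusted digest,
    using a constant-time comparison."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, trusted_sha256)


def run_update(transport, trusted_sha256, host="update.example"):
    """Download via the given transport and refuse to install anything whose
    digest does not match, regardless of what happened at steps 1 and 2."""
    payload = transport(host)
    if not verify_update(payload, trusted_sha256):
        return "rejected"
    return "installed"
```

With both checks in place, a substituted response at step 3 is rejected even when steps 1 and 2 were spoofed.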


RE: Mistruth in FAQ by Link_of_Hyrule on 09-23-2008 at 11:09 PM

This may all be true, but seriously, who is going to spend the time to hack someone through msg plus when they can do it many many other ways? The fact of the matter is, unless you're making people mad that have these skills, it's unlikely anything is going to happen to you. I've been using msg plus ever since it was released and have absolutely no problems. I would consider myself an advanced computer user and, with the exception of the occasional virus or trojan, I have had no problems with supposed "exploits" in software that people make such a big deal about.


RE: Mistruth in FAQ by ShawnZ on 09-23-2008 at 11:24 PM

quote:
Originally posted by Link_of_Hyrule
when they can do it many many other ways

maybe they can't do it any other way?
RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 11:31 PM

quote:
Originally posted by Link_of_Hyrule
This may all be true, but seriously, who is going to spend the time to hack someone through msg plus when they can do it many many other ways? The fact of the matter is, unless you're making people mad that have these skills, it's unlikely anything is going to happen to you. I've been using msg plus ever since it was released and have absolutely no problems. I would consider myself an advanced computer user and, with the exception of the occasional virus or trojan, I have had no problems with supposed "exploits" in software that people make such a big deal about.

Again, you're misinterpreting the reason for this thread.

This thread is NOT here to address specific security concerns in the application! I think that the FAQ should be changed to more accurately represent the possibility of software and service exploitation, mainly in order to keep the developers' asses covered, but also to inform and educate users about this possibility.

I would also like to point out that some of the most devastating worms in the history of computing (Blaster, Code Red, ILOVEYOU, SQL Slammer, etc) relied on exploiting other software in order to spread across networks. I've been working with computers since I was 6 (that's not a typo) and I've had plenty of viruses to deal with, very few of which were as a result of something I've downloaded. If you get a virus without running the virus executable yourself, you got exploited.

quote:
Originally posted by ShawnZ
quote:
Originally posted by Link_of_Hyrule
when they can do it many many other ways

maybe they can't do it any other way?

Again we're off-topic, but nonetheless you are correct. Who cares if they can do it another way? They CAN do it this way and if they wanted to they COULD. If every software company and computer security organisation went around saying "this vulnerability doesn't matter, they'll just find another way in anyway" the computing world would be completely insecure.
RE: RE: Mistruth in FAQ by segosa on 09-23-2008 at 11:41 PM

quote:
Originally posted by Burningmace
That is not my point. While Messenger Plus! does not open ports for listening, it does connect via the network to other computers on the internet (the update service for one) and these connections are made in the following manner:

1) Resolve the IP address for msgpluslive-update.net
2) Make a connection to this IP address
3) See if there is an update, if there is then download it.

Step 1 is exploitable using DNS spoofing. Step 2 is exploitable (in some cases) using ARP spoofing. Step 3 is exploitable (fake update response sending malware instead of patch) once either step 1 or 2 have been exploited.


GREAT.

No, seriously, that's wonderful. Now let's make sure that we don't use our computers to make any sorts of requests, HTTP or otherwise, because there might be someone performing a man-in-the-middle attack.
RE: Mistruth in FAQ by Burningmace on 09-23-2008 at 11:58 PM

Technically you have a point - trillions of HTTP requests are made every day and very few are ever exploited. However, there are some key differences:

1) In most cases, an attacker would not bother to filter through the vast amount of junk that a victim browses.
2) Even if an attacker discovered that their victim downloaded files regularly from a single site, the task of creating a believable replica of the site in order to fool them is often infeasible with the time frame involved.
3) In most cases the exploiter must be on your network in order to DNS/ARP spoof. If you're home alone you're relatively safe. If you're on your laptop connected to your work's network, you're not.
4) MSN is a system that is user-to-user based - is it really that hard to envision a situation where one user doesn't like another and so decides to attack them?
5) The user wouldn't think twice about updating Plus! when the "New Version Available" dialog box appears. Attackers look to control a system where the user would be infected quickly and easily, without having to convince them in an elaborate way that the data that they are receiving is not malware.

But most people do not understand a few basic principles of network security:
If you send packets over a network that are unencrypted you must consider the data in those packets to be in the public domain - anyone on your network can read them.
If the client does not authenticate the server, anyone on your network can perform a man-in-the-middle attack in order to manipulate traffic.
In a security-sensitive environment, if you do not both encrypt traffic and authenticate the server you must consider your client to be compromised.


RE: Mistruth in FAQ by ShawnZ on 09-24-2008 at 12:10 AM

this isn't even an argument.

burningmace: you're right, but still an idiot. the problems you listed aren't application-specific. and if you feel like linking me to the FAQs of all the other programs on your computer saying that they're all 99% bug free except for dns/arp spoofing exploits, then we still don't care. nobody reads the faq and it's close enough.


RE: Mistruth in FAQ by Burningmace on 09-24-2008 at 12:20 AM

Ok, point taken. I still think that saying that it is completely secure is a blatant lie though. Nonetheless I'm reporting the ARP/DNS attack as a bug, along with a sample exploitable situation and a solution. If it is ignored, I'll post it on SecurityFocus and a few other sites and let those guys mull it over. By that time if they don't want to spend time fixing it somebody will exploit it and you can go from there.


RE: RE: Mistruth in FAQ by segosa on 09-24-2008 at 12:21 AM

quote:
Originally posted by Burningmace

2) Even if an attacker discovered that their victim downloaded files regularly from a single site, the task of creating a believable replica of the site in order to fool them is often infeasible with the time frame involved.


Using your precious little ARP/DNS spoofing and hijacking all HTTP requests: when you see HTTP response headers from a server that signify a download (Content-Disposition: attachment; etc), block the content of the download and send your own viral code.
RE: Mistruth in FAQ by WDZ on 09-24-2008 at 12:35 AM

Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to know that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)
RE: Mistruth in FAQ by Burningmace on 09-24-2008 at 12:37 AM

That is unlikely to fool anyone. The file size will be completely wrong, the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain) and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.

quote:
Originally posted by WDZ
Thread moved to Forum & Website since it's regarding a change to the FAQ.

In response to your concerns about getting malware via the auto-update system:

quote:
Originally posted by Patchou
As for binaries being downloaded, you may be happy to know that I'm not completely stupid and that no exe file downloaded by the auto-update system of Messenger Plus! will be executed if it's not digitally signed by myself.
(That was posted in a private forum, so I can't link to it)


Huzzah! In fact now I feel a little stupid for not thinking of that myself.

Nonetheless I still stick by my point that the FAQ is not accurate - there is not 100% guarantee that some exploit (no matter what it is, where it comes from or what medium it uses to get to the client) will not be found. There is no such thing as complete security on a networked system.
RE: Mistruth in FAQ by Lou on 09-24-2008 at 01:10 AM

quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?
RE: RE: Mistruth in FAQ by segosa on 09-24-2008 at 01:10 AM

quote:
Originally posted by Burningmace
That is unlikely to fool anyone. The file size will be completely wrong.

So modify the Content-Length header too?! (or pad out your virus's executable)

quote:
Originally posted by Burningmace
the download isn't that easy to catch (content-disposition isn't always set and some sites will have blablabla.exe as their request but will return a content-type of text/plain)

... no.

If the Content-Type is text/plain the browser will display the contents in the window and not download it unless the Content-Disposition exists, in which case it will ignore the Content-Type and download it.

http://gifpaste.org/test.php?x=1

code:
        header("Content-Type: text/plain");
        header("Content-Disposition: attachment; filename=test.bin");


Ignores the text/plain header and prompts the user to download test.bin.

http://gifpaste.org/test.php?x=2

code:
        header("Content-Type: application/x-msdownload");


Prompts the user to download it using a default filename, so in this rare case you could detect the specific Content-Types related to the downloading of executable files (application/x-msdownload in this case).

http://gifpaste.org/test.php?x=3

code:
        header("Content-Type: text/plain");


Displays the contents of the file in the browser. In this case you wouldn't hijack the request.

Every website that wants you to download a file will use Content-Disposition if they want the filename to be something that makes sense. This means that Content-Disposition will catch 99% of all HTTP file-download responses.

quote:
Originally posted by Burningmace

and the network load would double (one packet from the user to the attacker, another packet from the attacker to the server), thus slowing down the traffic and alerting the user to a problem.


Not only is this untrue (the hijacker/attacker modifies the received HTTP packets on the fly, then sends them on, and if they wanted to appear inconspicuous, could even download the original file the user requested) but no normal user would even notice more bandwidth being used.

From the server's perspective, someone is downloading the file requested.

From the user's perspective, they are downloading a file.

You could even take the Content-Length header if you didn't want to rewrite it, and pad out your viral executable with bytes that wouldn't affect its execution so that the browser would report the correct filesize.
RE: RE: Mistruth in FAQ by Burningmace on 09-24-2008 at 10:09 AM

quote:
Originally posted by .Lou
quote:
Originally posted by Burningmace
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer.
quote:
Originally posted by Burningmace
no matter what it is, where it comes from or what medium it uses to get to the client
Plus! won't have a flaw itself that will allow this to happen because it doesn't let those exe's be run if they are not digitally signed. He can't account for any other method of these things coming in, like the http connection. If something comes in that way, it's not a Plus! flaw, but a flaw in whatever it is Plus! is using to connect elsewhere, is it not?

As I said, I am talking about exploits in a general way. Nothing specific. If xyz vulnerability is found in Plus! and that vulnerability is exploited, the FAQ states blanket security and that is not true. If some hacker uses the exploit to attack a corporate network, they'll look for someone to blame. If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
RE: Mistruth in FAQ by Menthix on 09-24-2008 at 11:25 AM

quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus", they'll sue your asses until you're homeless.
Except Patchou doesn't live in lets-just-sue-someone-because-we-cant-think-for-our-selves-land USA, and the FAQ isn't any form of legal document.

The piece of FAQ you quoted is correct. Don't forget this FAQ entry answers the question "Can Messenger Plus! Live open a back door for viruses and trojans?". The question is answered by explaining Messenger Plus! doesn't make any network connections directly (except for mail checking), and by doing so it doesn't add any extra risk on a network level. You do have a point, but these are all general flaws, nothing specific to Messenger Plus! only.

quote:
Originally posted by Burningmace
If they find your FAQ and it says "No, there is no way for you to get hacked through Plus"
The FAQ actually doesn't say that anywhere.
RE: Mistruth in FAQ by Spunky on 09-24-2008 at 01:38 PM

Plus! only has the same "security flaws" as any other application which connects to the net, whether it be Adobe, Office or a Torrent program for example. The fact is, if someone has enough time to connect to someone's network, discover the programs and services they use, intercept incoming messages and replace them with their own code, they deserve to be able to send somebody a virus. All that work and what do they have to show for it? The AV software or Anti-Spyware will get rid of it almost instantly and nobody will be worse off. It's kinda like saying your plane is 100% going to be hijacked... It's actually a lot of work and very unlikely to happen :p