On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
<frederic.marchal@wowtechnology.com> wrote:
> On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > According to:
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-5696
> >
> > Wheezy and Jessie are still vulnerable. The attack in question is
> > kind of bad (it allows blind injection of arbitrary data into
> > things like http downloads) and has been known for a few weeks
> > now to the general public.
>
> I don't think the issue is that bad.
>
> It allows an attacker to find out if you are connected to a
> particular web site and makes it easier to interrupt the transfer
> by sending a RST or SYN packet or inject junk data to corrupt the
> flow. It's simple denial of service.
You are completely wrong. This attack allows you to inject
*meaningful* things into the data flow. It isn't denial of service,
it is one of the most flexible data injection attacks in years.
At the security conference where the attack was presented, as a show
of force, the presenters demonstrated that they could hijack arbitrary
http: connections from several US newspapers and inject whatever
traffic they like using this.
Indeed, as a bit of comedy, they used this to do their presentation!
They had a web browser go to a newspaper's site and injected their
slides for the talk into the newspaper's web page return and
presented their talk that way! You will be able to watch the video
yourself online when Usenix posts it soon.
This means, for example, that you can inject JavaScript into the pages
coming off of (say) a newspaper's unencrypted web site, and this
lets you do untold mischief. With this attack, you could, for
example, have weaponized the attacks described against iOS yesterday
(resulting in an iOS emergency update) without getting a user to
click on a malicious page, simply by injecting malicious JavaScript
into a real page of a site hosted on a debian server. (I link to the
report of that particular incident below, to give one a taste of the
modern threat environment.)
This is a horribly bad attack. Thinking this is nothing but denial of
service could not be more incorrect.
> But to achieve that, you must be downloading something from a web
> site the attacker is actually targeting. The attacker must know you
> are doing so or find out by sheer luck.
"Sheer luck" isn't hard at all. There are a half dozen good ways,
understood by people in the field, to figure out what sites someone
is looking at regularly if you are targeting them, without needing to
listen in on their connection directly.
> The download must be long
> enough (more than one minute) for the attacker to discover the set
> of parameters that will make the attack successful.
You've forgotten how the modern web works. People have http:
connections live for very long periods of time, with dynamic content
flittering back and forth over the channel. It isn't like 1996 any
more where someone downloaded some static HTML and closed the TCP
connection until the next page was downloaded when they clicked
again. It hasn't been like that in a very long time.
> That's unlikely to succeed on a massive scale if you ask me!
You clearly didn't watch the presentation of people
doing this attack successfully against real web pages while people
were using them. This isn't theoretical. You should also remember
that we're no longer in the "but who would do *that*" world. If you
want to understand the threat model people live under now, read
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
> Besides, the attacker can't possibly know what you are downloading
> and how much data has already been downloaded. There is no way he
> can inject anything useful into the downloaded data.
Watch the real world demos. As I said, the videos are online. What
you say is wrong.
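For anyone following this thread who wants to know where their own boxes stand, here is an added check script; it is not part of the thread and not Debian's own tooling. It assumes two facts about the fix that the messages above do not state: the side channel in CVE-2016-5696 is the global challenge-ACK rate limit exposed as the sysctl net.ipv4.tcp_challenge_ack_limit (old default 100 per second), and the mainline kernel from 4.7 on randomizes that limit. The interim workaround on older kernels was to raise the sysctl to a very large value, which is the threshold the script looks for.

```shell
#!/bin/sh
# Added example, not from the debian-security thread or from Debian.
# Assumptions (not stated in the thread): CVE-2016-5696 is the global
# challenge-ACK rate-limit side channel, the knob is
# net.ipv4.tcp_challenge_ack_limit (old default 100), and mainline
# kernels >= 4.7 randomise the limit.  Distro kernels may have that
# backported, which a version string alone cannot reveal.

# Classify a host from the sysctl value and the kernel release string.
# Echoes exactly one of: mitigated, vulnerable, unknown.
assess_challenge_ack() {
    limit="$1"
    release="$2"

    # Missing or non-numeric sysctl value: we cannot say anything.
    case "$limit" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    # Workaround on older kernels: a limit so high the attacker can no
    # longer tell whether his spoofed probes consumed challenge ACKs.
    if [ "$limit" -ge 1000000 ]; then
        echo mitigated
        return 0
    fi

    # Parse "major.minor" out of strings like 3.16.0-4-amd64 or 4.7.0-rc1.
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    # Mainline 4.7+ randomises the limit, so the default value is fine there.
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        echo mitigated
    else
        # Pre-4.7 release with the limit still low: assume vulnerable unless
        # the distro changelog says the randomisation patch was backported.
        echo vulnerable
    fi
}

# Report on the running host (the /proc read is skipped where unavailable).
live_limit=unknown
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    live_limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)
fi
live_release=$(uname -r)
echo "kernel $live_release, tcp_challenge_ack_limit=$live_limit: $(assess_challenge_ack "$live_limit" "$live_release")"
```

A "vulnerable" verdict on a distribution kernel is a prompt to read the package changelog, not a final answer, because the randomisation fix was backported to several stable series; a "mitigated" verdict from the raised limit alone is reliable, since that was the documented workaround on kernels that had not yet received the patch.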