man/in/the/middle

Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability

SUMMARY

This advisory addresses the renegotiation related vulnerability
disclosed recently in Transport Layer Security protocol [1][2]. This
vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject
arbitrary data into the beginning of the application protocol stream
protected by TLS.

The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is

ERRATA - n.runs-SA-2008.001 - Jscape Secure FTP Applet

Vendor:             Jscape, http://www.jscape.com/
Affected Products:  Jscape Secure FTP Applet
                    http://www.jscape.com/sftpapplet/index.html
Vulnerability:      SSH Host key is not verified allowing
                    man-in-the-middle attacks
Risk:               Medium
________________________________________________________________________________



Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

=======

An industry-wide vulnerability exists in the Transport Layer Security
(TLS) protocol that could impact any Cisco product that uses any version
of TLS and SSL. The vulnerability exists in how the protocol handles
session renegotiation and exposes users to a potential man-in-the-middle
attack.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.


VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components

    A cURL is affected by the previously published "null prefix attack",
    caused by incorrect handling of NULL characters in X.509
    certificates. If an attacker is able to get a carefully-crafted
    certificate signed by a trusted Certificate Authority, the attacker
    could use the certificate during a man-in-the-middle attack and
    potentially confuse cURL into accepting it by mistake.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2417 to this issue.


wp-10-0001: Multiple Browser Wildcard Certificate Validation Weakness

hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.'

The intention of the RFC is clearly that you should not be able to use
wildcards with IP addresses (in order to avoid the ability to perform
man-in-the-middle attacks). Unfortunately our testing showed that this
rule is not adhered to by some browsers.

We created a certificate with the CN '*.168.3.48'; this meets the various
rules for wildcards in CNs, but should be treated as invalid since it is
not a hostname. We then observed the errors reported by browsers when

Advisory: Opera Mobile Cache Poisoning XAS

2. Abuse Opera in order to build a malicious cache entry.

We will demonstrate the second technique, targeting the domain m.ibm.com:

1. We will use a MiTM (man-in-the-middle) (e.g. Fiddler) so that we are able to
   alter the information received from m.ibm.com

2. Ideally we want to find a cachable static script or HTML code. For instance,
   m.ibm.com contains a reference to http://www.ibm.com/common/stats/stats.js.


TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability)

Updates :
--------
- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HTTPS : Downgrading HTTPS to HTTP and performing an active mitm
          (Discovered by Frank Heidt but details withheld,
          rediscovered by Thierry Zoller for this paper)

With this new information G-SEC encourages vendors and customers
to reevaluate the impact of this vulnerability on their products.

n.runs-SA-2008.001 - Jscape Secure FTP Applet

Vendor:             Jscape, http://www.jscape.com/
Affected Products:  Jscape Secure FTP Applet
                    http://www.jscape.com/sftpapplet/index.html
Vulnerability:      SSH Host key is not verified allowing for Man in the
                    Middle attacks
Risk:               High
________________________________________________________________________________


RE: STP mitm attack idea

-----Original Message-----
From: xperience@interia.pl [mailto:xperience@interia.pl] 
Sent: Tuesday, April 27, 2010 8:55 PM
To: bugtraq@securityfocus.com
Subject: STP mitm attack idea

As I read in many white papers about attacks on Spanning Tree Protocol, I found mitm attack on two STP switches, one station and two ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station

Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion

The IRC client component of UFO: Alien Invasion 2.2.1 contains multiple
security vulnerabilities that allow a malicious IRC server to remotely execute
arbitrary code on the client's system. There are numerous ways that an attacker
could cause a player to connect to a malicious server, for example:

- Perform a man-in-the-middle attack to inject IRC server responses into the
  TCP stream.
- Use DNS poisoning to redirect the player's client from the real
  irc.freenode.org server to the attacker's malicious server.
- Use the in-game "rcon" functionality against a server to remotely issue the
  command "irc_connect <attacker's server>" (passwords for rcon can be

Re: Web Tool Announcement: ismymailsecure.com

> > And because mail server name and email address does not need to be any
> > connection also checking of signature of certificate against CA does not
> > help much. It does not protect attack against MX records on DNS.
> 
> true - so in an ideal world, we would need DNSSec everywhere and strict
> certificate checking to significantly reduce the possibility of MiTM
> attacks. In a not so ideal world, every little bit helps, so if we can
> get mail servers to routinely use encryption between each other, that's
> a nice first step and using valid certificates that can actually be
> verified is a second one. Both will help significantly already.


[ MDVSA-2011:129 ] mozilla

 Problem Description:

 Security issues were identified and fixed in mozilla firefox and
 thunderbird:
 
 Google Chrome user alibo encountered an active man in the middle (MITM)
 attack on secure SSL connections to Google servers. The fraudulent
 certificate was mis-issued by DigiNotar, a Dutch Certificate
 Authority. DigiNotar has reported evidence that other fraudulent
 certificates were issued and in active use but the full extent of
 the compromise is not known.

[ GLSA 200909-20 ] cURL: Certificate validation error

Synopsis
========

An error in the X.509 certificate handling of cURL might enable remote
attackers to conduct man-in-the-middle attacks.

Background
==========

cURL is a command line tool for transferring files with URL syntax,

[USN-1007-1] NSS vulnerabilities

Details follow:

Richard Moore discovered that NSS would sometimes incorrectly match an SSL
certificate which had a Common Name that used a wildcard followed by a partial
IP address. While it is very unlikely that a Certificate Authority would issue
such a certificate, if an attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information.
(CVE-2010-3170)

Nelson Bolyard discovered a weakness in the Diffie-Hellman Ephemeral mode
(DHE) key exchange implementation which allowed servers to use a too small

CVE-2011-3682: 2WIRE-SINGTEL 2701HGV-E/2700HGV-2/2700HG GATEWAY ROUTER MANAGEMENT AND DIAGNOSTIC CONSOLE VULNERABILITY

NEXTPAGE = J21_REBOOT, 
PASSWORD = 2wire 

4.      IMPACTS AND ADVISORY

A successful attack is unlikely to be noticed by the end-user with the lack of warning that comes with a CSRF attack, especially when performed through XMLHttpRequest. A likely exploitation would involve the alteration of the victim router’s Domain Name System (DNS) records, enabling a Man-in-the-Middle (MITM) attack vector. This allows for severe Advanced Persistent Threats (APT) to the victim. 

Hence, it is advised for SingTel and 2Wire to push the updated firmware to its subscribers as soon as possible. 

While the issue is pending resolution, SingTel Internet service customers with firmware major version 5 (and below) are advised to: 


[ MDVSA-2009:217-1 ] mozilla-thunderbird

 Problem Description:

 A number of security vulnerabilities have been discovered in Mozilla
 Thunderbird:
 
 Security issues in thunderbird could lead to a man-in-the-middle
 attack via a spoofed X.509 certificate (CVE-2009-2408).
 
 A vulnerability was found in xmltok_impl.c (expat) that with
 specially crafted XML could be exploited and lead to a denial of
 service attack. Related to CVE-2009-2625.

[ GLSA 201110-05 ] GnuTLS: Multiple vulnerabilities

Synopsis
========

Multiple vulnerabilities were found in GnuTLS, allowing for easier
man-in-the-middle attacks.

Background
==========

GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0

[ GLSA 200910-01 ] Wget: Certificate validation error

Synopsis
========

An error in the X.509 certificate handling of Wget might enable remote
attackers to conduct man-in-the-middle attacks.

Background
==========

GNU Wget is a free software package for retrieving files using HTTP,

OpenBSD CARP Hash Vulnerability

new master. By replaying both of the unmodified master advertisements,
all CARP nodes assume the backup role. At this point, a Denial of
Service (DoS) condition has been introduced as no device answers ARP
requests for the Virtual IP (VIP). The attacker can now decide whether
to start answering ARP for the VIP therefore performing a Man in the
Middle (MitM) attack.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.h?rev=1.28
[2] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?rev=1.179

================

[SECURITY] [DSA 1412-1] New ruby1.9 packages fix insecure SSL certificate validation

identifies the following problems:

CVE-2007-5162

    It was discovered that the Ruby HTTP(S) module performs insufficient
    validation of SSL certificates, which may lead to man-in-the-middle
    attacks.

CVE-2007-5770

    It was discovered that the Ruby modules for FTP, Telnet, IMAP, POP

Re: Web Tool Announcement: ismymailsecure.com

> it does not - yet. This is actually what I'm working on at the moment.
> However, since most MTAs at the moment don't do this kind of check, it
> is not very useful. So the tool currently only checks for encryption
> capabilities, it does *not* check for protection against MiTM attacks.
> The next, enhanced version of the tool will have an optional check for
> this and also the supported ciphers.

Too bad.  


Re: iphone email client does not validate ssl certificates

Hi!

> iPod/iPhone standard e-mail application does not validate SSL certificates
> and is vulnerable to a MITM (man in the middle attack).
> 
> Vulnerable: All versions.

Well... mujmail.org email client also does not validate ssl
certificates -- optionally. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.

[ GLSA 200909-13 ] irssi: Execution of arbitrary code

Impact
======

A remote attacker might entice a user to connect to a malicious IRC
server, use a man-in-the-middle attack to redirect a user to such a
server or use ircop rights to send a specially crafted WALLOPS message,
which might result in the execution of arbitrary code with the
privileges of the user running irssi.

Workaround

[ MDVSA-2009:197-2 ] nss

 _______________________________________________________________________

 Problem Description:

 Security issues in nss prior to 3.12.3 could lead to a
 man-in-the-middle attack via a spoofed X.509 certificate
 (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
 cause a denial-of-service and possible code execution via a long
 domain name in X.509 certificate (CVE-2009-2404).
 
 This update provides the latest versions of NSS and NSPR libraries

RE: Microsoft Terminal Services vulnerable to MITM-attacks.

If someone 0wns your pipe between you and the Terminal Server(s) then
you got bigger problems than the existing MITM attack. Whether the
attack sets it up via ARP spoofing, or other trickery.

If you are really worried about this, encrypt your communications via
IPSEC. 

Z

Edward E. Ziots

[SECURITY] [DSA 1820-1] New xulrunner packages fix several vulnerabilities

cookies via a crafted HTML document. (MFSA 2009-26)               

CVE-2009-1836

Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)                            

CVE-2009-1837

Jakob Balle and Carsten Eiram reported a race condition in the

[ MDVSA-2009:217-3 ] mozilla-thunderbird

 Problem Description:

 A number of security vulnerabilities have been discovered in Mozilla
 Thunderbird:
 
 Security issues in thunderbird could lead to a man-in-the-middle
 attack via a spoofed X.509 certificate (CVE-2009-2408).
 
 A vulnerability was found in xmltok_impl.c (expat) that with
 specially crafted XML could be exploited and lead to a denial of
 service attack. Related to CVE-2009-2625 (CVE-2009-3720).

CVE-2009-4510: TANDBERG VCS Static SSH Host Keys

Vulnerability Overview
----------------------
On December 2nd, VSR identified an SSH service authentication weakness
vulnerability in TANDBERG's Video Communication Server.  This issue would
allow an attacker with privileged network access to conduct server impersonation
and man-in-the-middle attacks on administrator SSH sessions.  Successful attacks
could yield shell access to vulnerable appliances.


Product Background
------------------

[SECURITY] [DSA 1830-1] New icedove packages fix several vulnerabilities

(MFSA 2009-24)                                                          

CVE-2009-1836

Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)

CVE-2009-1838

moz_bug_r_a4 discovered that it is possible to execute arbitrary

rPSA-2009-0154-1 httpd mod_ssl

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

Description:
    Previous versions of httpd are vulnerable to a man-in-the-middle attack
    during TLS session renegotiation, sometimes referred to as the "Project
    Mogul" issue.  This vulnerability has been addressed in this update.
    Additionally, two denial of service vulnerabilities and an access
    restriction bypass in mod_proxy_ftp are resolved in this update.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.