[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20091124141837.GD17663@otis.atalante.redteam-pentesting.de>
Date: Tue, 24 Nov 2009 15:18:38 +0100
From: Patrick Hof <patrick.hof@...team-pentesting.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: New Paper: MitM Attacks against the
chipTAN comfort Online Banking System
Hi Thierry,
Thierry Zoller <Thierry@...ler.lu> wrote:
> MITM is used rather vaguely in this paper. Are the proposed
> techniques working in an MITM situation - where an attacker is in the
> middle of a network stream ? Say on a network over arp cache poisening?
>
> The paper afaik applies to systems that are already compromised
> by an attacker, i.e where malware has been installed.
Exactly, the paper states that
"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data
communications."
> If this is the case what rights (Account acl) does the malware require
> in order to perform the mentioned attacks ?
What we did in a demonstration for German TV was to exploit the victim's PC with
a malicious PDF (JBIG2Decode exploit), install our own root CAs in IE for the
banks and set our own IP in C:\windows\system32\drivers\etc\hosts for the
banking sites. This was of course only a PoC and required administrative
privileges.
You can of course also do a "real" MitM attack if the user does not verify the
SSL certificate or rather does not check for SSL at all. If you're in the middle
of the network stream, you could use something like sslstrip[0] for example. We
are always making the assumption that SSL is used, because I don't know of any
bank letting customers do online banking over a plaintext connection.
However, most of the attacks today focus on installing malware on the user's
system (e.g. those against iTAN) I think. When we showed the PoC, we wanted to
make sure people understand that a lock in the upper corner of their browser and
a certificate for mybankingsite.com does not mean they're secure. If you write a
malicious Firefox extension or IE browser helper object, verifying the SSL
certificate doesn't help anyway, because I can access the plaintext data and
don't need to worry about using my own certificate. This would also only need
user privileges, as far as I know.
> This brings me to an interesting more general discussion,
> can one define malware infected workstations and the attacks they
> perform locally as MITM ? Technically they inject themselves between
> the client and the server, however they need to be installed prior to
> be able to do so. Furthermore they have access to a lot more
> information and possibilities then an attacker that is, say in the
> middle of a network connection.
>
> For sake of allowing proper risk assessment by technically less
> trained persons - one should coin a better term than classical mitm -
> but maybe I am mistaken? what about MITMa (man in the machine)
I agree that the terminology is rather vague, maybe we should have explained
that a bit more in the paper. We chose the term MitM because you can still do
the attack if you have not compromised the bank customer's host, you just can't
show a "valid" certificate to the user.
Regards,
Patrick
[0] http://www.thoughtcrime.org/software/sslstrip/
--
RedTeam Pentesting GmbH Tel.: +49 241 963-1300
Dennewartstr. 25-27 Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists