[24236] in bugtraq
Re: Infecting the KaZaA network?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Mon Feb 11 14:18:08 2002
Message-ID: <3C6613DF.18906424@algroup.co.uk>
Date: Sun, 10 Feb 2002 06:31:59 +0000
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: GertJan de Leeuw <dataholic@punkass.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
GertJan de Leeuw wrote:
>
> I had the same thought about this subject a long time
> ago, but I discovered there are 2 major problems why
> a attacker cannot successfully infect the distribution
> of a new kazaa client:
>
> 1.The installation MUST have the same size as the
> orginal distribution package, since kazaa will look on
> its network for the filename with the exact filesize (for
> multiple downloads at one time from different clients)
> Because you need to 'inject' your evil code the
> filesize will be bigger. Ofcourse you could pack it with
> a pe packer like upx and add bytes till the exact
> filesize is there , but then we have problem 2:
>
> 2.As we all know, KazaA downloads from multiple
> users, so IF you have success with step 1, you will
> fail at this point, because you will have an invalid exe
> (a evil version merged with the orginal distro).
>
> So the only way somebody can infect the network is ,
> injecting the first compiled version of a new
> distibution (but that is hardly impossible)
Hardly true - localise the code change, then anyone who downloads that
section from you is infected. Of course if they do secure checksums it's
game over.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
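The point Ben makes above, that a size match is not an integrity check and that per-section secure checksums close the gap, can be shown with a small simulation. This is an added example, not code from the thread and not KaZaA's actual protocol: it models a multi-source download where each chunk is fetched round-robin from a set of peers, one of which (constructed name "mallory") serves a file of identical size with one chunk changed. Without per-chunk verification the client assembles a corrupted file that passes the size check; with a publisher-supplied SHA-256 manifest the bad chunk is rejected and re-fetched from another peer. Peer names, the chunk size and the file contents are all constructed for the demo.

```python
"""Simulated multi-source download with and without per-chunk integrity checks.

Added, constructed example: fixed-size chunks, round-robin fetching from peers,
one peer serving a same-size file with one chunk modified. A size check cannot
tell the two files apart; a per-chunk SHA-256 manifest can, and tells the
client which chunk to refetch and from which peer it came.
"""
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 16  # constructed: tiny chunks so the example stays readable


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> List[bytes]:
    """Cut data into consecutive chunks of `size` bytes (last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_manifest(data: bytes, size: int = CHUNK_SIZE) -> Dict:
    """What a publisher would distribute (ideally signed): total size plus one SHA-256 per chunk."""
    return {
        "size": len(data),
        "chunk_size": size,
        "hashes": [hashlib.sha256(c).hexdigest() for c in split_chunks(data, size)],
    }


class Peer:
    """A peer that answers chunk requests from its own copy of the file."""

    def __init__(self, name: str, data: bytes) -> None:
        self.name = name
        self.chunks = split_chunks(data)

    def get(self, index: int) -> bytes:
        return self.chunks[index]


def swarm_download(peers: List[Peer], manifest: Dict, verify_chunks: bool) -> Tuple[bytes, List[Tuple[int, str]]]:
    """Fetch chunk i from peers[i % len(peers)], falling over to the next peer on rejection.

    Returns (assembled_bytes, rejected) where rejected lists (chunk_index, peer_name)
    for chunks that failed the per-chunk hash. With verify_chunks=False only the final
    size is checked, which a localised, size-preserving change passes.
    """
    assembled: List[bytes] = []
    rejected: List[Tuple[int, str]] = []
    for i in range(len(manifest["hashes"])):
        for attempt in range(len(peers)):
            peer = peers[(i + attempt) % len(peers)]
            chunk = peer.get(i)
            if verify_chunks and hashlib.sha256(chunk).hexdigest() != manifest["hashes"][i]:
                rejected.append((i, peer.name))  # bad chunk: record the source and try the next peer
                continue
            assembled.append(chunk)
            break
        else:
            raise RuntimeError(f"no peer served an acceptable chunk {i}")
    data = b"".join(assembled)
    if len(data) != manifest["size"]:
        raise RuntimeError("size mismatch")  # the only check a size-only client has
    return data, rejected


# Constructed sample file: four 16-byte chunks, 64 bytes in total.
ORIGINAL = b"".join(b"block%02d-payload!" % i for i in range(4))
# Same size, chunk 2 replaced: the "localised" change from the thread.
TAMPERED = ORIGINAL[:32] + b"block02-EVIL!!!!" + ORIGINAL[48:]
assert len(TAMPERED) == len(ORIGINAL)

PEERS = [Peer("alice", ORIGINAL), Peer("bob", ORIGINAL), Peer("mallory", TAMPERED)]
MANIFEST = build_manifest(ORIGINAL)


def run_demo(verify_chunks: bool) -> Dict:
    """Download from the constructed swarm and report what a client can and cannot detect."""
    data, rejected = swarm_download(PEERS, MANIFEST, verify_chunks)
    return {
        "size_ok": len(data) == MANIFEST["size"],
        "content_ok": data == ORIGINAL,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print("size check only:   ", run_demo(verify_chunks=False))
    print("per-chunk SHA-256: ", run_demo(verify_chunks=True))
```

With the round-robin order used here, chunk 2 is first requested from "mallory": the size-only client accepts it and ends up with a file that is the right length but not the right content, while the verifying client rejects it, fetches chunk 2 from "alice" instead, and reconstructs the original. A whole-file hash would also catch the corruption, but only after the complete download and without saying which chunk or which peer was at fault; per-chunk hashes let the client recover immediately and drop the offending peer.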