[iwar] FW: [NEWS] Gnutella Self-Replication and other attacks


From: Robert W. Miller (snooker@iex.net)
To: iwar@egroups.com

Fri, 19 May 2000 08:09:51 -0600



The following security advisory is sent to the securiteam mailing
list, and can be found at the SecuriTeam web site:
http://www.securiteam.com

Gnutella Self-Replication and other attacks
-------------------------------------------
SUMMARY

Gnutella is a protocol recently re-released after a brief period with
no official home. Now at a new domain and back under official
development, Gnutella is poised to revolutionize media distribution.
Along with its new method of media distribution it provides some
interesting routes for abuse. In light of the recent "ILOVEYOU" worm,
and the general rekindling of public interest in worm design, here is
another potential vector that may soon be used to distribute malicious
content.

DETAILS

Protocol Overview:
Alice: A user searching for a file.
Bob: A user who has the file Alice wants.
Carl: A user who has the file Alice wants (behind firewall).
Mallory: A malicious user.

The key component of Gnutella is a piece of software dubbed a "servant"
by the designers. This servant accepts and sends Gnutella messages.
When a user wants to join the network, she picks a few known hosts from
a seed list provided by the Gnutella web site and connects. The user
could also create a private Gnutella network with no exterior
connections (since there is no centralization). All that is needed for
this subset to become a part of the larger public GnutellaNet is a
single connection:

A --> (GnutellaNet) <-- B <-- | Firewall | <-- C <-- (Other Servants)

Each servant has a unique 128-bit identifier that is used to determine
which packets should be forwarded. Discovery of hosts is done both
actively and passively. Passive discovery occurs when Alice recovers
hosts from the packets she is routing. Active discovery occurs when
Alice sends out a "ping" packet. This ping elicits a "pong" containing
the IP address and port of every servant that receives it. Searching
for content is conducted as follows:

(1) Alice generates a "query" packet and forwards it to all her
connections.
(2) Each recipient searches its local database, decrements the TTL and
forwards the query to each of its connections.
(3) Bob receives the packet and replies with a "query-reply" containing
his IP address and port.
(4) These packets are forwarded back along the search path, eventually
returning to Alice.
(5) On receipt of the response, Alice attempts to initiate a direct
connection with Bob and transfer the file.
(6) In the event that she cannot connect for some reason (perhaps Carl
has the file instead of Bob), Alice sends a "push-request" containing
her IP address and port.
(7) On receipt of this packet, Carl attempts to create an outbound
connection to Alice to transfer the file, circumventing the firewall.

For further information on the protocol see the Gnutella homepage, but
this should be sufficient to understand the following attacks.

Attacks:
Self Replicating Servants

The most significant problem is that there is no way to verify the
source or contents of a message. A particularly nasty attack is for
Mallory (a servant attached to GnutellaNet in an arbitrary location) to
simply respond to all query packets. The resulting spoofing attack is a
known issue covered in the Knowbuddy FAQ and is conducted as follows:

(1) Alice generates a query packet and forwards it.
(2) Mallory receives one of these packets and responds with a
query-reply.
(3) If Alice decides to pick the reply provided by Mallory she will
receive potentially malicious content.

This content could be an executable containing a Trojan horse, such as
BO2K. A more sinister payload would be a Trojan that, when executed,
attaches to the GnutellaNet. Once attached to the net, it would respond
to all queries and provide itself as the content. To increase the
probability of Alice executing the file, it would be renamed to
something containing the original query. For instance, a search for
"crack" would elicit a reply of "crack.zip". Other extensions besides
".zip" and ".exe" could also be used; a Winamp ".pls" file exploiting
an overflow in Winamp is one example. With source code available for
both Windows and *nix servants, creating a self-propagating servant is
trivial. The worm could even update itself using GnutellaNet to
distribute signed updates.
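Two checks that a servant, or a monitoring node routing this traffic,
could apply to spot a responder behaving like the self-replicating
servant just described (answering unrelated queries with a file named
after the search), as an added example. This is code written for this
page, not from the advisory or from any Gnutella servant; the log
format, the addresses, the file names, the extension list and the
thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of routed traffic (not real data): one QUERY line per search
# and one HIT line per query-reply routed back for it; "servant" is the address
# the reply claims the file can be fetched from.
LOG = """\
QUERY id=a1 q=crack
HIT   id=a1 servant=10.9.9.9:6346 file="crack.zip" size=40960
HIT   id=a1 servant=10.0.0.2:6346 file="photoshop crack notes.txt" size=2048
QUERY id=b2 q=metallica
HIT   id=b2 servant=10.9.9.9:6346 file="metallica.exe" size=40960
HIT   id=b2 servant=10.0.0.5:6346 file="Metallica - One.mp3" size=4812345
QUERY id=c3 q=linux kernel
HIT   id=c3 servant=10.9.9.9:6346 file="linux kernel.zip" size=40960
HIT   id=c3 servant=10.0.0.7:6346 file="linux-2.2.15.tar.gz" size=16777216
QUERY id=d4 q=beatles
HIT   id=d4 servant=10.0.0.5:6346 file="Beatles - Help.mp3" size=3125000
"""

RISKY_EXT = {".exe", ".zip", ".pls"}   # the extensions the advisory mentions; extend as needed
QUERY_RE = re.compile(r"^QUERY\s+id=(\S+)\s+q=(.+)$")
HIT_RE = re.compile(r'^HIT\s+id=(\S+)\s+servant=(\S+)\s+file="([^"]*)"\s+size=(\d+)$')


def parse(log):
    """Return ({query id: search string}, [(query id, servant, filename, size), ...])."""
    queries, hits = {}, []
    for line in log.splitlines():
        q, h = QUERY_RE.match(line), HIT_RE.match(line)
        if q:
            queries[q.group(1)] = q.group(2).strip()
        elif h:
            hits.append((h.group(1), h.group(2), h.group(3), int(h.group(4))))
    return queries, hits


def mirrored(query, filename):
    """True when the file name is just the search string plus a risky extension."""
    stem, dot, ext = filename.lower().rpartition(".")
    return dot == "." and "." + ext in RISKY_EXT and stem == query.lower()


def suspects(log, min_queries=3, ratio=0.75):
    """Map servant address -> reasons it looks like an answer-everything responder."""
    queries, hits = parse(log)
    stats = defaultdict(lambda: {"answered": set(), "mirrored": 0, "sizes": set()})
    for qid, servant, fname, size in hits:
        s = stats[servant]
        s["answered"].add(qid)          # distinct queries this address replied to
        s["sizes"].add(size)            # a worm serving itself has one payload size
        s["mirrored"] += mirrored(queries[qid], fname)
    out = {}
    for servant, s in stats.items():
        n, reasons = len(s["answered"]), []
        if n >= min_queries and n / len(queries) >= ratio:
            reasons.append(f"answered {n} of {len(queries)} unrelated queries")
        if s["mirrored"] >= 2:
            reasons.append(f"{s['mirrored']} replies named after the query itself")
        if n >= min_queries and len(s["sizes"]) == 1:
            reasons.append(f"same {next(iter(s['sizes']))}-byte payload for every query")
        if reasons:
            out[servant] = reasons
    return out
```

On the sample, only 10.9.9.9:6346 is reported, with all three reasons.
The address in a query-reply is whatever the responder wrote into it,
so a hit counts against a claimed address, not a verified one, and a
responder that varies its names and sizes passes the second and third
checks; these are triage heuristics for an operator's monitor, not
proof, which is exactly the accountability gap the advisory goes on to
describe.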

What is disturbing here is the combination of low accountability and
trust of the individual servants. In a web, ftp, or email transaction,
if malicious content is discovered on a server the administrator can be
notified. On Napster, if a user is distributing malicious content, his
account can be disabled. If removal was not possible, at the very least
a warning could be posted regarding a particular site or Napster user.
With Gnutella anyone can attach to the network and provide malicious
content tailored to specific search requests with relatively small
chance of detection. The IP address of each transaction could be
recorded, as Zeropaid has done with their listing of people attempting
to retrieve child pornography. The official servant does not display IP
addresses. In addition, Mallory only has to infect one host and the
infection will spread automatically. Once victims begin executing the
content the

The most obvious covert channel for controlling these rogue servants is
already being used to allow chatting among Gnutella users:

(1) Alice and Bob both turn on their search monitors (which display all
the queries passing through them).
(2) When Alice wants to talk she searches for the chat message ("Hi
Bob!").
(3) Bob will see this query appear in his monitor. He then searches for
the reply ("Hi Alice").

Another, stealthier channel is the 128-bit GUID. This would allow
relatively undetectable signaling between Mallory and her rogue
servants. There are several other fields available, but queries and
GUIDs are the most significant.

Man in the Middle Attacks
There are two flavors of man in the middle attack. For these to work,
Mallory has to be in the path between Alice and Bob (or Carl). The
first attack goes as follows:

(1) Alice generates a query packet and Bob responds.
(2) Mallory receives one of these query-reply packets and rewrites it
with her IP address and port instead of Bob's.
(3) Alice receives Mallory's reply first.
(4) Alice decides to download the content but connects to Mallory
instead of Bob.
(5) Mallory downloads the original content from Bob, infects it and
passes it on to Alice.

The second attack relies on push-request interception:

(1) Alice generates a query packet and Carl responds.
(2) Alice attempts to connect but Carl is firewalled, so she generates
a push-request.
(3) Mallory intercepts the push-request and resends it with her IP
address and port.
(4) Carl connects to Mallory and transfers his content.
(5) Mallory connects to Alice and provides the modified content.
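The message flow of the protocol overview (steps 1 to 7, including the
push-request for a firewalled servant) and the two attacks that ride on
it, Mallory answering every query with a file named after the search
and Mallory on the path rewriting a query-reply to point at herself, as
an added in-memory model. This is example code written for this page,
not code from the advisory or from any Gnutella servant: the servant
names, the "ip:port" strings, the message fields, the toy file contents
and the line topologies are all assumptions of the model, and the real
wire format is not reproduced.

```python
from collections import namedtuple
import uuid

Msg = namedtuple("Msg", "guid ttl payload")   # one Gnutella descriptor, abstracted


class Servant:
    def __init__(self, net, name, ip, files=(), firewalled=False):
        self.net, self.name, self.ip, self.peers = net, name, ip, []
        self.files, self.firewalled, self.downloads = set(files), firewalled, []
        self.query_routes = {}   # GUID -> peer that handed us the query (None: ours)
        self.hit_routes = {}     # servant name -> peer that handed us its query-reply
        net[ip] = self           # net: "ip:port" -> servant, used for direct connections

    def search(self, term, ttl=7):                     # step (1)
        m = Msg(uuid.uuid4().bytes, ttl, {"q": term})
        self.query_routes[m.guid] = None
        for p in self.peers:
            p.on_query(m, self)

    def matches(self, q):                              # local database lookup
        return [f for f in sorted(self.files) if q in f]

    def on_query(self, m, frm):                        # steps (2) and (3)
        if m.guid in self.query_routes:
            return                                     # seen before (or our own): drop
        self.query_routes[m.guid] = frm
        for f in self.matches(m.payload["q"]):         # reply goes back the way it came
            frm.on_hit(Msg(m.guid, 7, {"file": f, "ip": self.ip, "servant": self.name}), self)
        for p in self.peers:
            if p is not frm and m.ttl > 1:
                p.on_query(Msg(m.guid, m.ttl - 1, m.payload), self)

    def on_hit(self, m, frm):                          # step (4): reverse-path routing
        if m.guid not in self.query_routes:
            return                                     # unknown GUID: drop
        self.hit_routes[m.payload["servant"]] = frm
        back = self.query_routes[m.guid]
        if back is None:
            self.fetch(m.payload)                      # we originated this query
        else:
            back.on_hit(self.relay_hit(m), self)

    def relay_hit(self, m):
        return m                                       # honest servants forward unchanged

    def fetch(self, h):                                # steps (5) and (6)
        host = self.net.get(h["ip"])
        if host is not None and not host.firewalled:
            self.downloads.append((h["file"], host.serve(h["file"]), host.name))
        else:                                          # could not connect: push-request
            push = Msg(uuid.uuid4().bytes, 7, {"servant": h["servant"], "file": h["file"], "ip": self.ip})
            self.hit_routes[h["servant"]].on_push(push, self)

    def on_push(self, m, frm):                         # step (7): outbound to the requester
        p = m.payload
        if p["servant"] == self.name:
            self.net[p["ip"]].downloads.append((p["file"], self.serve(p["file"]), self.name))
        elif p["servant"] in self.hit_routes:
            self.hit_routes[p["servant"]].on_push(m, self)

    def serve(self, filename):
        return f"<{filename} from {self.name}>".encode()


class SpoofingServant(Servant):
    """Mallory answers every query with a file named after the search string."""
    def matches(self, q):
        return [q + ".exe"]

    def serve(self, filename):
        return b"<trojan servant binary>"


class MitmServant(Servant):
    """Mallory on the path points query-replies at herself and infects in transit."""
    def relay_hit(self, m):
        self.origins = getattr(self, "origins", {})    # file -> the real source
        self.origins[m.payload["file"]] = m.payload["ip"]
        return Msg(m.guid, m.ttl, {**m.payload, "ip": self.ip})

    def serve(self, filename):
        return self.net[self.origins[filename]].serve(filename) + b" [INFECTED]"


def run(chain, term):
    net = {}                                           # line topology; first node searches
    nodes = [cls(net, name, ip, **kw) for cls, name, ip, kw in chain]
    for a, b in zip(nodes, nodes[1:]):
        a.peers.append(b)
        b.peers.append(a)
    nodes[0].search(term)
    return nodes[0].downloads


def demo():
    """Alice's downloads for the honest search and for the two attacks."""
    alice = (Servant, "alice", "10.0.0.1:6346", {})
    bob = (Servant, "bob", "10.0.0.2:6346", {"files": ["song.mp3"]})
    carl = (Servant, "carl", "10.0.0.3:6346", {"files": ["song.mp3"], "firewalled": True})
    return {
        "honest": run([alice, bob, carl], "song"),     # Bob direct, Carl via push-request
        "spoofed": run([alice, bob, (SpoofingServant, "mallory", "10.6.6.6:6346", {})], "crack"),
        "mitm": run([alice, (MitmServant, "mallory", "10.6.6.6:6346", {}), bob], "song"),
    }
```

demo() returns Alice's downloads for each topology: in the honest chain
she gets song.mp3 from Bob directly and from the firewalled Carl via a
push-request routed back through Bob; with a spoofing Mallory two hops
away, a search for "crack" yields a "crack.exe" served by Mallory; with
Mallory between Alice and Bob, the query-reply still names Bob as the
servant but the download comes from Mallory, who fetched Bob's file and
altered it. Nothing in the model lets Alice tell the three cases apart,
which is the point of the advisory. The push-request interception
variant is not modeled.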

Gnutella Port Scanner
If Mallory wants to check which ports on a given host are accessible,
she can perform the following steps:

(1) Alice sends a query and Bob responds with a query-reply.
(2) Mallory rewrites the query-reply passing through her to point at
the IP address and port to be scanned.
(3) Since the port is most likely not listening, Alice will generate a
push-request.
(4) If the port happens to be listening and is not running the
Gnutella service, no push-request will be generated.
(5) Mallory repeats the process several times to make sure she has an
accurate determination of the port's state.

Using this procedure a network can be slowly scanned using servants.
This process will generate a significant amount of noise, which can be
used to decoy another attack. Another way to generate Gnutella noise is
for Mallory to send pong packets with the IP address of hosts she wants
others to attempt to connect to. Each servant receiving her pong will
add these to its table of potential hosts. As servants exhaust their
host tables these entries will be tried, eventually resulting in
spurious connections to a given network.

Conclusions:
Gnutella is gaining popularity quickly and has already been featured in
several mass media outlets. As it stands now it provides an almost
ideal environment for the spread of self-replicating malicious agents,
with the additional bonus of providing anonymous control. With full
source available, parties previously unable to craft a worm of their
own now have a robust framework to build on.


ADDITIONAL INFORMATION

The information has been provided by: Seth McGann.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email
to: list-subscribe@securiteam.com
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits
or special damages.

Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker@iex.net
mailto:cicactf@iex.net
http://www.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net



------------------
http://all.net/