Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System
From: Patrick Hof <release () redteam-pentesting de>
Date: Tue, 24 Nov 2009 15:47:56 +0100

Sorry list if this arrives twice, I got stuck in the moderation queue because I
used the wrong email address.

Hi Thierry,

Thierry Zoller <Thierry () Zoller lu> wrote:

MITM  is  used  rather  vaguely  in  this  paper.  Are  the proposed
techniques  working in an MITM situation - where an attacker is in the
middle of a network stream ? Say on a network over arp cache poisening?

The  paper  afaik  applies  to  systems  that  are  already compromised
by an attacker, i.e where malware has been installed.

Exactly, the paper states that 

"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data

If this is the case what rights (Account acl) does the malware require
in order to perform the mentioned attacks ?

What we did in a demonstration for German TV was to exploit the victim's PC with
a malicious PDF (JBIG2Decode exploit), install our own root CAs in IE for the
banks and set our own IP in C:\windows\system32\drivers\etc\hosts for the
banking sites. This was of course only a PoC and required administrative

You can of course also do a "real" MitM attack if the user does not verify the
SSL certificate or rather does not check for SSL at all. If you're in the middle
of the network stream, you could use something like sslstrip[0] for example. We
are always making the assumption that SSL is used, because I don't know of any
bank letting customers do online banking over a plaintext connection.

However, most of the attacks today focus on installing malware on the user's
system (e.g. those against iTAN) I think. When we showed the PoC, we wanted to
make sure people understand that a lock in the upper corner of their browser and
a certificate for mybankingsite.com does not mean they're secure. If you write a
malicious Firefox extension or IE browser helper object, verifying the SSL
certificate doesn't help anyway, because I can access the plaintext data and
don't need to worry about using my own certificate. This would also only need
user privileges, as far as I know.

This  brings  me  to  an  interesting more general discussion,
can one define malware infected workstations  and the attacks they
perform locally as MITM ? Technically they inject themselves between
the client and the server, however they need to be installed prior to
be able to do so. Furthermore they have  access  to  a  lot  more
information  and possibilities then an attacker that is, say in the
middle of a network connection.

For  sake  of  allowing  proper risk  assessment by technically less
trained persons - one should coin a better term than classical mitm -
but maybe I am mistaken? what about MITMa (man in the machine)

I agree that the terminology is rather vague, maybe we should have explained
that a bit more in the paper. We chose the term MitM because you can still do
the attack if you have not compromised the bank customer's host, you just can't
show a "valid" certificate to the user.



[0] http://www.thoughtcrime.org/software/sslstrip/

RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]