Re: Security implications of network timing

> The perf guy in me love it. The whitehat in me hates it.

Indeed. It provides precisely the tools necessary to build
sophisticated timing attacks against vulnerable intranet applications.
I expect these capabilities will be on-par with custom native code
attack tools. This addition greatly widens an existing hole in the
firewall. Granted, intranet applications should be secure enough to
deploy in a public facing environment, but they very rarely are. The
usual refrain is that the almighty firewall will save us, and making
them secure is too expensive.

Timing attacks are not as well known as they should be, and most
developers view them as a theoretical nuisance at worst. Adding this
feature will shift the balance in favor of the attackers. These are
not simple privacy attacks. Very often a successful timing attack
allow attackers to forge authentication tokens and can lead to remote
code execution.

I expect this addition to vastly improve the capabilities of BeEF.

Generally, this will provide the granularity necessary to pivot timing
attacks through the firewall using only the browser, where this was
not practical before.

Some resources related to the issue:

The part of me that builds exploits encourages you to add this feature
as soon as possible! The rest of me is very afraid.


Received on Thursday, 6 October 2011 00:09:34 UTC