#1
|
|||
|
|||
JD2 updates are sent over plain HTTP, easy to MITM and exploit
Guys,
Are there any plans of switching to HTTP+TLS connections for updates anytime soon? Just looking at the wire, I see that JD2 still uses HTTP which is trivial to intercept and send malicious code to. Code:
17:36:00 http://update.appwork.org/jcgi/pkg?rt=SO&jn=JDownloader.jar&pv=1&uid=[uid]&pkh=[pkh]&app=JD&os=MAC&arch=X86&os64=1&jvm64=1&urev=4731&ct=Normal&dst=-1&rev=4723&awfcxz=1&eid=translator%2Cscheduler%2Cchat%2Cfolderwatch&eir=&eip=&lng=en&chlg=0&jdiff=1&1420756559855 GET 17:36:07 http://update.appwork.org/jcgi/pkg?rt=SO&jn=JDownloader.jar HEAD 17:36:08 http://update.appwork.org/jcgi/pkg?rt=SO&jn=JDownloader.jar GET Unless you're running JD2 inside of a VM, I'd be careful about hitting that Update button or having updates turned on automatically. |
#2
|
|||
|
|||
Another security issue with JD2 is that NONE of the jar files are signed.
I checked a bunch of them and not even the core.jar is signed. Code:
Core.jar jar is unsigned. (signatures missing or not parable) JDownloader.jar jar is unsigned. (signatures missing or not parsable) Suggestions: 1) start signing JAR files. start signing updates and install them only when they've been verified. 2) serve updates over TLS and pin a cert within the app itself and only accept updates from servers that match signatures. Right now, there is absolutely no way to tell whether the JD2 has been compromised or not. |
#3
|
||||
|
||||
__________________
JD Supporter, Plugin Dev. & Community Manager
Erste Schritte & Tutorials || JDownloader 2 Setup Download |
#4
|
|||
|
|||
Quote:
Sent! best, mike |
#5
|
||||
|
||||
Jiaz did answer via email, but the gist is...
- protocol type has very little to do with been secure with this update system. - updates are signed by the update system and checks are in place. At worse when goes to install and the signs do not match, updates will not install. It can't be high jacked along the lines of OP posts.
__________________
raztoki @ jDownloader reporter/developer http://svn.jdownloader.org/users/170 Don't fight the system, use it to your advantage. :] Last edited by raztoki; 09.01.2015 at 14:03. |
#6
|
|||
|
|||
Quote:
FAIL1: **External links are only visible to Support Staff** **External links are only visible to Support Staff** Result: No https connection (no secure connection) FAIL2: **External links are only visible to Support Staff****External links are only visible to Support Staff** Result: No https connection (no secure connection) FAIL3: **External links are only visible to Support Staff****External links are only visible to Support Staff** Result: No https connection (no secure connection) Any question? No? Okay! I replace all jar files in the http connection with my evil jar files. Please use ALL ways to secure the updates and websites, THANKS! |
#7
|
||||
|
||||
Please contact jiaz via EMail support@jdownloader.org
Then wait for his answer.
__________________
» Setup JD2 / Instalador de JD2 «
Spoiler:
Installer for Windows XP/Vista/Seven/Eight || JD2 x86 - x64 (Beta) || Installer for Mac || JD2 (Beta) || Installers for Linux || JD2 (Beta) x86 || <---> || JD2 (Beta) x64 || How to Create a Log -» Click Here «- ¿Cómo crear un registro? -» Click Aquí «- Support Chat / Chat de Soporte -» Click Here / Click Aquí «- |
#8
|
||||
|
||||
How exactly are you going to replace jars without already having the client side compromised or the update server compromised?
or are you referring to installers themselves? Either way you would need to be control of transit (which could include your ISP) todo so such damage, unless I'm mistaken?.
__________________
raztoki @ jDownloader reporter/developer http://svn.jdownloader.org/users/170 Don't fight the system, use it to your advantage. :] |
#9
|
|||
|
|||
@mikebell
Why the hell are you posting this in public ? Everybody can read in here. You don´t even have to be registered. My opinion: Mike isn´t wrong. HTTP isn´t the way to go. Evil people will find a way. |
#10
|
||||
|
||||
@aeneon
As you can see until now he was not able to really tell us something we'd have to be afraid of - also our devs know about the "issue". GreeZ psp
__________________
JD Supporter, Plugin Dev. & Community Manager
Erste Schritte & Tutorials || JDownloader 2 Setup Download |
#11
|
|||
|
|||
Quote:
Got a quick email from Jiaz. I won't go into too many details (to give bad guys even more clues but none of this is really advanced or intermediate... this stuff is basic as it comes) but your first assumption is wrong. Secure protocol is the #1 line of defense against an attack on any system. I did not see any cryptographically signed updates. None of the updates served are recognized by Java6/7/8 verification checks. Test it yourself: Code:
jarsigner -verify /Applications/jDownloader.app/Contents/java/app/JDownloader.jar Quote:
https://en.wikipedia.org/wiki/Man-in-the-middle_attack Anyway, hope the changes in the future fix these two issues. Until then, I recommend people run JD/JD2 only within a VM since there are always java 0-days for privilege escalation available on black markets. You simply don't know if an update one day will include it as a payload. And JD2 update conveniently includes the OS, arch type, Java version etc so proper payload targeting is trivial. Last edited by mikebell; 10.01.2015 at 23:48. |
#12
|
|||
|
|||
Solution: HTTPS and let JD/JD 2 validate that the TLS web server is authentic. (Certificate)
Sadly it costs money and JD 2 is freeware. I don´t know if appwork earns enough money with JD to pay for a CA and more. Maybe we (the JD community) could donate somehow. Fundme ? I would donate a few bucks. |
#13
|
|||
|
|||
Quote:
You can get a cert for as little as $8/year. In JD2's case, they could use self-signed certs since they're not going to be exposed to browsers so whether the cert is recognized by browsers is irrelevant. However, CA-recognized cert is better for code signing. **External links are only visible to Support Staff****External links are only visible to Support Staff** App can easily check if the cert is valid, expired and whether it has been revoked. |
#14
|
||||
|
||||
Are you serious?
So all of the sudden this is a major security issue? I'll stay out of this conversation but please don't make our users paranoid. GreeZ psp
__________________
JD Supporter, Plugin Dev. & Community Manager
Erste Schritte & Tutorials || JDownloader 2 Setup Download |
#15
|
|||
|
|||
Quote:
Quote:
The CA and Cert-Solution would make it much harder to "compromise". I´m also out of this conversation. That´s all i had to say. Isch habe fertisch haha |
#16
|
||||
|
||||
Ok. Time to make this clear.
First of all: IF you find a security problem, contact the responsibles first in private, and give them a chance to fix it. If they don't do it, think about going public. If someone finds your door open, you'd probably prefer to get notified in private instead of reading about it in the newspaper. Anyway....there is no open door in the Update System, so we can continue to discuss this in public. 1) We do not use Jar signing, because this would not help us in any way. This would not improve security 2) How the Updates work. The Update System uses a private/public key pair. The private Key is secret, the public key is known by the update server and all clients. Here is the deploy process:
When a Client requests an Update.. this happens:
Think about this process, and you will see that this is MUCH stronger than any tls or ssl can ever be. Even of an attacker could control one of our update servers, he could - in the worst case - cut the users from getting updates. He could not distribute any data - the private key is missing. A Man-In-The-Middle could modify packages - if he knows the public key, but during installation, the signature validation would fail, and the update will get rejected. This is why, there is no reason for any additional man-in-the-middle protection.
__________________
Last edited by coalado; 14.01.2015 at 09:04. |
#17
|
|||
|
|||
Thanks for clearing this up. It sounds really secure. No offense coalado, but i don´t know if it´s a good idea to post the whole process in public.
Last edited by coalado; 14.01.2015 at 11:11. |
#18
|
||||
|
||||
Quote:
This System has to be secure by design, and not by obscurity. A public discussion can help us to make it even better.
__________________
|
#19
|
||||
|
||||
As I said earlier, its secure! Which I did allude too. Hopefully this helps those in this thread that thread think they know better, without knowing the facts. I was hoping that Jiaz cleared that up in email, but maybe not.
__________________
raztoki @ jDownloader reporter/developer http://svn.jdownloader.org/users/170 Don't fight the system, use it to your advantage. :] |
#20
|
|||
|
|||
Quote:
There are always people that will game the system and use it for their advantage. Never underestimate people und their abilities. And never overestimate your own system. Trust me. I know what i´m talking about. Especially in the IT-Field. |
#21
|
||||
|
||||
@aeneon
No one said it's 100% and anyone who'd have said this was wrong! If you have the knowledge, go on and "hack" it - as long as you tell coalado first its all fine. GreeZ psp
__________________
JD Supporter, Plugin Dev. & Community Manager
Erste Schritte & Tutorials || JDownloader 2 Setup Download |
#22
|
|||
|
|||
I´m not a hacker.
But..... your server seems pretty tight and secure. Nice work. Checked just a few small things in less than 2 minutes. Don´t worry. I don´t know if my information is correct. If you are still using nginx 1.5.6, i would update. If i would try to hack your server, i would probably try to exploit svnserve on port 3690 first. |
#23
|
|||
|
|||
good discussion ... and thanks for this great app jdownloader .
|
#24
|
||||
|
||||
@aeneon: you can contact me at support@jdownloader.org (in case you want to talk about this or find some security issue)
-nginx are all up2date (depends on used distro version) -lighttpd are all up2date (depends on used distro version) -svn is newest available version, so I hope not exploitable -many services run in their own vm -still working on server migration so many older distro will be gone soon
__________________
JD-Dev & Server-Admin |
#25
|
||||
|
||||
@aeneon
My statement wasn't directed at anyone in particular, just those that didn't believe that the update system wasn't designed with security in mind. I also never stated it was 100% secure, other than it was secure (to the best of our knowledge). Without any proof of concept or disclosure to prove otherwise, we still believe its safe. Hopefully now the users (many with worry/uncertainty) in this thread, now have some understanding of how the update system was designed/works (in the real world) without the need to make assumptions. I also have IT based background and I comprehend that even with the best intent, hardware and software can be used outside architects/programmers parameters. raztoki
__________________
raztoki @ jDownloader reporter/developer http://svn.jdownloader.org/users/170 Don't fight the system, use it to your advantage. :] |
#26
|
|||
|
|||
Quote:
Quote:
|
|
|