This type of attack targets the communication between two components
(typically client and server). The attacker places himself in the
communication channel between the two components. Whenever one component
attempts to communicate with the other (data flow, authentication
challenges, etc.), the data first goes to the attacker, who has the
opportunity to observe or alter it, and it is then passed on to the other
component as if it had never been intercepted. This interposition is transparent,
leaving the two compromised components unaware of the potential corruption
or leakage of their communications. The potential for Man-in-the-Middle
attacks yields an implicit lack of trust in the communication, or in the identity
of the peer, between two components.
Attack Execution Flow
The attacker probes to determine the nature and mechanism of communication between two components, looking for opportunities to exploit.
The attacker inserts himself into the communication channel, initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
The attacker observes, filters or alters passed data of his choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.
Attack Prerequisites
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
An attacker can eavesdrop on the communication between the target components.
Strong mutual authentication is not used between the two target components, which gives the attacker the opportunity to interpose.
The communication occurs in the clear (not encrypted), or with insufficient or spoofable encryption.
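The execution flow and the last two prerequisites can be seen together in a small simulation. The following is an added example, not part of this entry and not the code of any product named here: two endpoints perform a toy Diffie-Hellman exchange over a channel that a third party may relay. When neither endpoint authenticates the peer's public value, the relay can derive a session key with each side and read everything; when each endpoint has the peer's key fingerprint from a secure out-of-band channel (the "exchange public keys using a secure channel" mitigation), the substituted key is rejected before any data flows. The group parameters, endpoint names and fingerprint format are assumptions chosen for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this illustration only: the
# Mersenne prime 2**127 - 1 with generator 5.  Far too small for real use;
# it keeps the arithmetic fast and the point visible.
P = (1 << 127) - 1
G = 5


def fingerprint(pub: int) -> str:
    """Short SHA-256 fingerprint of a public value: the thing a peer would
    publish or confirm over a trusted, out-of-band channel."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def derive_key(priv: int, peer_pub: int) -> str:
    """Session key from the DH shared secret (hashed so it is usable as a key)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


class Endpoint:
    """One of the two communicating components."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.pinned = None   # peer fingerprint learned over a secure channel
        self.key = None

    def accept_peer_key(self, peer_pub: int) -> None:
        # The mitigation: refuse a peer key whose fingerprint does not match
        # what was exchanged out of band.  With no pinned value any key is
        # accepted, which is the prerequisite that makes interposition possible.
        if self.pinned is not None and fingerprint(peer_pub) != self.pinned:
            raise ValueError(f"{self.name}: peer key fingerprint mismatch")
        self.key = derive_key(self.priv, peer_pub)


def run_exchange(alice, bob, relay=None) -> dict:
    """Deliver the public values across the channel and report the outcome.

    With no relay the values pass straight through.  With a relay, the
    relay substitutes its own public value in each direction (the textbook
    interposition on an unauthenticated exchange) and derives a key with
    each side; 'relay_reads' records whether those keys match the endpoints'.
    """
    try:
        if relay is None:
            alice.accept_peer_key(bob.pub)
            bob.accept_peer_key(alice.pub)
            return {"detected": False, "relay_reads": False,
                    "keys_agree": alice.key == bob.key}
        alice.accept_peer_key(relay.pub)
        bob.accept_peer_key(relay.pub)
    except ValueError:
        return {"detected": True, "relay_reads": False, "keys_agree": False}
    relay_reads = (derive_key(relay.priv, alice.pub) == alice.key
                   and derive_key(relay.priv, bob.pub) == bob.key)
    return {"detected": False, "relay_reads": relay_reads,
            "keys_agree": alice.key == bob.key}


def make_pair(pinned: bool):
    """Two endpoints, optionally holding each other's fingerprint as if it
    had been confirmed over a secure channel beforehand."""
    a, b = Endpoint("client"), Endpoint("server")
    if pinned:
        a.pinned, b.pinned = fingerprint(b.pub), fingerprint(a.pub)
    return a, b


def demo() -> dict:
    """Three runs: unauthenticated with a relay, pinned with a relay, pinned direct."""
    return {
        "unauthenticated_relayed": run_exchange(*make_pair(False), Endpoint("relay")),
        "pinned_relayed": run_exchange(*make_pair(True), Endpoint("relay")),
        "pinned_direct": run_exchange(*make_pair(True)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24s} {outcome}")
```

The unauthenticated run ends with the two endpoints holding different keys and the relay holding both, which is exactly the "transparent" interposition the description above refers to; the pinned run fails at accept_peer_key before any session key exists, which is where a real client should fail (certificate or fingerprint check) rather than after sending data.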
Typical Likelihood of Exploit
Likelihood: Very High
Methods of Attack
Spoofing
Analysis
Modification of Resources
Examples-Instances
Description
Symantec Scan Engine 5.0.0.24, and possibly other versions before
5.1.0.7, uses the same private DSA key for each installation, which
allows remote attackers to conduct man-in-the-middle attacks and decrypt
communications.
Related Vulnerabilities
CVE-2006-0231
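The instance above is a key that is identical across every installation, so the check a defender wants is whether the same public key turns up on more than one host in an inventory. The following is an added example, not code from this entry or from the vendor: it parses public keys in OpenSSH's "type base64 comment" line format (an assumption; the product's own key storage is not described here), computes the OpenSSH-style SHA256 fingerprint, and reports fingerprints shared by several hosts. The inventory and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in OpenSSH's display form ('SHA256:' + unpadded
    base64 of the digest) for a key given as 'type base64blob [comment]'."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {key_line!r}")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def find_shared_keys(inventory) -> dict:
    """Group an iterable of (host, key_line) by fingerprint and return only
    the fingerprints seen on more than one host, each with its hosts sorted."""
    by_fp = defaultdict(set)
    for host, line in inventory:
        by_fp[openssh_fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample inventory.  The blobs are placeholder bytes behind the
# 'ssh-dss' type string, not real keys; hosts scan-a and scan-b deliberately
# carry the same key to stand in for a key shipped with every installation.
def _blob(key_type: bytes, filler: bytes) -> str:
    return base64.b64encode(len(key_type).to_bytes(4, "big") + key_type + filler).decode("ascii")


SHARED_KEY = "ssh-dss " + _blob(b"ssh-dss", b"\x01" * 32) + " scan-engine"
UNIQUE_KEY = "ssh-dss " + _blob(b"ssh-dss", b"\x02" * 32) + " scan-engine"

SAMPLE_INVENTORY = [
    ("scan-a", SHARED_KEY),
    ("scan-b", SHARED_KEY),
    ("scan-c", UNIQUE_KEY),
]


def audit_sample() -> dict:
    """Run the shared-key check over the constructed inventory."""
    return find_shared_keys(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for fp, hosts in audit_sample().items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

Any fingerprint reported by find_shared_keys means the private key is also shared, so whoever holds one copy can impersonate every host on the list; the remediation is to generate a fresh key pair per installation, not only to patch.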
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
This attack can become sophisticated, since the attacker may have to handle cryptography.
Probing Techniques
Description
The attacker can try to obtain the public keys of the victims.
Description
There are free software tools to perform man-in-the-middle attacks (packet analysis, etc.).
Solutions and Mitigations
Get your public key signed by a Certificate Authority.
Encrypt your communication using cryptography (SSL, ...).
Use strong mutual authentication to always fully authenticate both ends of any communications channel.
Exchange public keys using a secure channel.
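The second and third mitigations are only effective if the TLS configuration actually verifies the peer; encryption alone, with certificate checking switched off, still satisfies the last prerequisite listed above. The following is an added example using Python's standard ssl module, not code from this entry or from any product it names: it builds the weak client setting beside the corrected client and server settings for mutual authentication, and an audit function that reports the settings that would let an interposer succeed. The file-path parameters are assumptions for a deployment; the audit and the client contexts run offline without them.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is encrypted, but the peer is never
    authenticated, so whoever sits in the channel can present its own
    certificate and terminate the session.  Built here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Corrected setting: the server chain must validate against a trusted CA
    (a CA-signed key, the first mitigation), the name must match, and the
    client may present its own certificate so both ends are authenticated.
    Paths are deployment assumptions; None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def hardened_server_context(server_cert, server_key, client_ca_bundle) -> ssl.SSLContext:
    """Server side of mutual authentication: presents its own chain and
    requires a client certificate signed by the expected CA (paths assumed)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # CLIENT_AUTH defaults to CERT_NONE
    ctx.load_cert_chain(server_cert, server_key)
    return ctx


def audit_context(ctx: ssl.SSLContext, server_side: bool = False) -> list:
    """Return the settings that leave a context open to interposition.
    An empty list means the peer is fully authenticated by this context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: an interposer's own certificate is accepted")
    if not server_side and not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 permitted")
    return findings


if __name__ == "__main__":
    print("weak client:    ", audit_context(insecure_client_context()))
    print("hardened client:", audit_context(hardened_client_context()))
```

The version finding depends on the interpreter's default (Python 3.10 and later already default to TLS 1.2 as the minimum), but the two certificate findings are what matter for this attack: a context that reports either of them will accept an interposing party's certificate, however strong the cipher in use.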
Attack Motivation-Consequences
Scope                                           Technical Impact                     Note
Integrity                                       Modify application data
Confidentiality, Access_Control, Authorization  Gain privileges / assume identity
Confidentiality                                 Read application data
Injection Vector
The captured or modified data in transit
Payload
The new value of the data, or a replay of the same data (e.g. a credential).
Activation Zone
The messages exchanged between the two target hosts.
Payload Activation Impact
Description
Privilege escalation, modification of resources, information leakage, etc.