January 18, 2012

BezeqInt cache poisoning demonstration


Update 3, 15/2/2012: Demo is closed.

Update 2, 29/1/2012: What I thought was a fix is not. It looks like BezeqInt is trying to block my demo instead of fixing the problem. I can't be sure though. So I made another demo. You need to be in the 109.65.*.* range now and fetch http://i.imgur.com/hggke.jpg
Original MD5: be902241dc59f19950cf4f14f6a4f33e
Poisoned MD5: 7b0e031ba89106b8cd2a988aadfedb8b

Update, 29/1/2012: Demo doesn't work anymore. Apparently BezeqInt finally fixed it, 29 days after it was notified. I'll be checking it more thoroughly later.

As a continuation of my sneaky proxy series of posts, I've prepared a small demonstration of cache poisoning. I uploaded a PNG image to imgur.com and poisoned BezeqInt's proxy cache with a slightly different file. While my proof of concept uses a PNG image, it is just as easy to do with an .exe or any other type of file.

In order to get the poisoned file from the cache you need to be in the 79.18?.*.* range. Go to whatismyip.org and check whether your IP starts with 79.18?. If not, reboot your router until you get an address in this range. Next, download this image http://i.imgur.com/beUai.png and check its MD5 checksum.
If you are a Linux/macOS user, run:

> md5sum beUai.png

Otherwise you can use this service to calculate the checksum by uploading the file.

MD5 of the original file at imgur.com:
4a1d744319af6d598f836da5d0e3e979  beUai.png

MD5 of my "poisoned" file that I forced the proxy to cache:
ab5192e9077074029b35d5d15de6cf05  beUai.png

If you want to download the original file you need to be in some other range, or better, use a proxy abroad.
Write to me what you get.
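The check described above, packaged as a small script. This is an added example, not code from the original post: it takes the two MD5s and the image URL from the post, tells you which copy your connection is serving, and can fetch through an explicit proxy (the "proxy abroad" the post suggests) for comparison. It assumes the "?" in 79.18?.*.* stands for one digit, that the second demo's range is 109.65.*.*, and that curl plus either md5sum (Linux), md5 (macOS) or openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Classify the copy of the demo
# image that your current connection (or a given proxy) serves, using the
# two MD5 sums published in the post.

ORIGINAL_MD5="4a1d744319af6d598f836da5d0e3e979"   # imgur's copy (from the post)
POISONED_MD5="ab5192e9077074029b35d5d15de6cf05"   # copy in BezeqInt's cache (from the post)
IMAGE_URL="http://i.imgur.com/beUai.png"          # URL from the post

# Print the MD5 of a file with whichever tool the platform has.
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Map a hash to one of: original, poisoned, unknown.
classify_hash() {
    case "$1" in
        "$ORIGINAL_MD5") echo original ;;
        "$POISONED_MD5") echo poisoned ;;
        *)               echo unknown ;;
    esac
}

# Is an IPv4 address in one of the ranges the post names?
# Assumption: "79.18?" means 79.180 through 79.189. Returns 0 (true) or 1 (false).
ip_in_demo_range() {
    case "$1" in
        79.18[0-9].*.*|109.65.*.*) return 0 ;;
        *)                          return 1 ;;
    esac
}

# Fetch the image (optionally through a proxy such as socks5://host:1080)
# and print "<md5> <classification>". Network access is needed here only.
check_served_copy() {
    proxy="$1"                      # empty string means fetch directly
    tmp=$(mktemp)
    if [ -n "$proxy" ]; then
        curl -s -x "$proxy" -o "$tmp" "$IMAGE_URL"
    else
        curl -s -o "$tmp" "$IMAGE_URL"
    fi
    hash=$(md5_of_file "$tmp")
    rm -f "$tmp"
    echo "$hash $(classify_hash "$hash")"
}

# Usage:  sh check_cache.sh check                 (direct)
#         sh check_cache.sh check socks5://host:1080   (via a proxy abroad)
if [ "${1:-}" = "check" ]; then
    check_served_copy "${2:-}"
fi
```

Run it once directly and once through a proxy outside the ISP: a direct fetch reporting "poisoned" while the proxied fetch reports "original" is exactly the symptom the post describes. A result of "unknown" means imgur has since re-encoded the file or the cache holds yet another version, so compare the two hashes by hand before drawing conclusions.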

2 comments:

Anonymous said...

What exactly did you do to poison their cache? I mean, did you first upload the "poisoned" version, then download it via BezeqInt so it gets cached, then delete it from imgur and upload the other version of the file? Have I followed correctly?

Unknown said...

It's actually simpler than that. I'll be posting the details of the process soon.