
curl-library

Re: curl+sftp+man-in-the-middle-attack.

From: san d <sandks14_at_gmail.com>
Date: Fri, 14 Mar 2014 22:10:25 +0530

No. I have no intention of blaming someone. Especially not a library which
is helping us a lot in achieving our requirement. Pardon me if my post
reflected my curiosity in the wrong way.

Now coming back to my requirement:

I have the following code:

curl_easy_setopt(curl, CURLOPT_SSH_AUTH_TYPES, CURLSSH_AUTH_ANY);
curl_easy_setopt(curl, CURLOPT_USERNAME, userName);
curl_easy_setopt(curl, CURLOPT_PASSWORD, Passwd);
curl_easy_setopt(curl, CURLOPT_KEYPASSWD, Passwd);

Followed by some other stuff for setting fileSize, filePtr, creation of the
missing directory in the sftp destination, targetUrl.

Then a call to curl_easy_perform(curl) followed by curl_easy_cleanup(curl).

I repeatedly do the above for all the files. Now if we write a firewall
rule to redirect the sftp traffic destined for the legitimate SFTP server so
that it is forwarded to an attacker's SFTP server, the subsequent files would
reach the attacker's SFTP server (consider we have the same credentials;
somehow we got hold of them).

Now if we keep checking the remote server host key for every such
curl_easy_perform(), we probably could avoid this problem. Maybe do not
proceed if the new remote host key is different from what we already have in
the known_hosts file. Please correct me if my understanding of SFTP is wrong.

In this regard I wanted to know whether curl provides the following:

---A way to access the remote-host-key of the newly established connection.
---A way to pass the already available remote-host-key of the SFTP
destination.
---Any other way that curl might already have.

> Does the connection establishment/negotiation happen every call to
> curl_easy_perform()?
>
> Unless it can re-use an existing connection, yes.

---> You mean if the curl handle was not cleaned up?

On Fri, Mar 14, 2014 at 6:25 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Fri, 14 Mar 2014, san d wrote:
>
>>> sftp is vulnerable to man-in-the-middle attack.
>>
>> At least if there is a way to retrieve the remote host key.
>
>
> So you're top-posting on a reply to yourself about a fictitious attack that
> you don't describe?
>
> Are you saying that SFTP in itself allows a MITM attack somehow? Please be
> more specific about where you say libcurl has such a problem. Also, bear in
> mind that we try to keep security related problems non-public to keep users
> safe until we fix and disclose them: http://curl.haxx.se/dev/security.html
>
>
> Does the connection establishment/negotiation happen every call to
>> curl_easy_perform()?
>>
>
> Unless it can re-use an existing connection, yes.
>
> --
>
> / daniel.haxx.se
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-14