Evilgrade 2.0 - the update exploitation framework is back
[ISR] - Infobyte Security Research
2010-10-29 10:25:10 UTC
[ISR] - Infobyte Security Research
ISR-evilgrade | www.infobytesec.com

Infobyte Security Research is pleased to announce the release of evilgrade 2.0
with a lot of new modules and a bunch of squashed bugs.

[-] RELEASE DETAILS

BRIEF OVERVIEW

Evilgrade is a modular framework that allows the user to take
advantage of poor upgrade implementations by injecting fake updates.

This framework comes into play when the attacker is able to redirect
traffic, which can be done in several ways, such as DNS tampering,
DNS cache poisoning, ARP spoofing, Wi-Fi access point impersonation
or DHCP hijacking with your favorite tools.

This way you can easily take control of a fully patched machine
during a penetration test in a clean and easy way. The main idea
behind this is to show the amount of trivial errors in the update
process of mainstream applications.


.:: [NEW MODULES] ::.
There is now a total of 63 modules to play with:
- Safari
- iTunes
- Quicktime
- APT
- Cygwin
- Cpan
- Java
- iTunes
- Mirc
- Adium
- Notepadplus
- Opera
- Bsplayer
- Winamp
- Trillian
- Teamviewer
- Virtualbox
- Vmware
- Winscp
- Winupdate
.. and many more (check out the documentation for complete list)


.:: [ONLINE DEMO] ::.
Watch the framework in action, Java signed certificate bypass +
javapayload = pwnage
http://www.infobytesec.com/demo/java_win7.htm

.:: [AUTHOR] ::.

Francisco Amato
famato+at+infobytesec+dot+com

.:: [DOWNLOAD] ::.
Get the latest version here:
http://www.infobytesec.com/developments.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Jacky Jack
2010-10-29 20:43:14 UTC
It's now a time for vendors to re-consider their updating scheme.



On Fri, Oct 29, 2010 at 6:25 PM, [ISR] - Infobyte Security Research
Post by [ISR] - Infobyte Security Research
Benji
2010-10-29 21:21:33 UTC
Actually, that time probably would've been a v1, but I'm fine with it being
left as it is.
Post by Jacky Jack
It's now a time for vendors to re-consider their updating scheme.
Jacky Jack
2010-10-31 19:32:45 UTC
Post by Jacky Jack
It's now a time for vendors to re-consider their updating scheme.
Post by V***@vt.edu
And do what differently, exactly?
To name a few, developers can do code signing and SSL certificate
verification like our favorite Firefox does, and the methods used by AV vendors.
There have been cheap/free SSL certificate vendors like StartSSL.
This task should/would not be a huge pain. It's that simple.


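As an added illustration of the client-side check Jacky Jack is describing (this is example code written for this page, not Evilgrade's, Firefox's or any vendor's code): the updater ships with a pinned vendor public key and only installs a package whose manifest carries a valid Ed25519 signature, offers a version newer than the one installed, and hashes to the value in that signed manifest. The manifest layout, the key-generation helper and the sample package bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor's update server publishes: the version on offer
// and the SHA-256 of the package bytes. The vendor signs it with an offline key.
type Manifest struct {
	Version   int
	PkgSHA256 string
}
func NewManifest(version int, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Version: version, PkgSHA256: hex.EncodeToString(sum[:])}
}
// signedBytes is the canonical encoding that signer and verifier build identically.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("version=%d;sha256=%s", m.Version, m.PkgSHA256))
}
// GenerateDemoKeys stands in for the vendor's key ceremony (constructed for this demo).
func GenerateDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Sign is the vendor-side release step.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.signedBytes()) }
// VerifyUpdate is the client check. An updater that skips it and trusts whichever host
// answers the update request is what Evilgrade's traffic redirection abuses.
// pinned is the vendor public key built into the running binary, not fetched from the server.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid: update rejected")
	}
	if m.Version <= installed { // genuine signature but stale: replay or downgrade
		return errors.New("offered version is not newer than installed")
	}
	if NewManifest(m.Version, pkg).PkgSHA256 != m.PkgSHA256 {
		return errors.New("package hash does not match signed manifest")
	}
	return nil
}
func main() {
	pub, priv := GenerateDemoKeys()
	pkg := []byte("constructed package bytes, version 4") // stands in for the installer
	m := NewManifest(4, pkg)
	fmt.Println("genuine:", VerifyUpdate(pub, 3, m, Sign(priv, m), pkg))
	fmt.Println("injected:", VerifyUpdate(pub, 3, m, Sign(priv, m), []byte("injected")))
}
```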
V***@vt.edu
2010-10-30 15:02:32 UTC
Post by Jacky Jack
It's now a time for vendors to re-consider their updating scheme.
And do what differently, exactly?

OK, so it's *possible* to fake out the iTunes update process. But which is easier
and more productive:

A) Laying in wait for some random to think "Wow, I should update iTunes" and
hijack the process.

B) Send out a few hundred thousand spam with a 'From:***@apple-itunes-support.com'
with a link to a site you control and feed the sheep some malware.

Evilgrade looks like a nice tool to have if you're doing a pen test or a
targeted attack and can somehow get the victim to do an update (possibly social
engineering), but for any software vendor feeding software updates to Joe
Sixpack this threat model is *so* far down the list it isn't funny. Simply
compare the number of boxes pwned by (A) and (B) - how many people have gotten
pwned because somebody hijacked their update from Symantec or wherever,
compared to the number pwned because they got a popup that said "Your computer
is infected, click here to fix it"?

Remember - just because a new tool useful for an attacker shows up, does *not*
mean it's a game changer for the industry at large.
Dan Kaminsky
2010-10-30 21:23:31 UTC
Post by V***@vt.edu
Post by Jacky Jack
It's now a time for vendors to re-consider their updating scheme.
And do what differently, exactly?
We really need autoupdate baked into the platform.

Post by V***@vt.edu
A) Laying in wait for some random to think "Wow, I should update iTunes" and
hijack the process.
B) Send out a few hundred thousand spam with a ''
with a link to a site you control and feed the sheep some malware.
Yeah, and C) I can take a rubber hose and choke you with it until you give
me the admin password. That C works does not obviate A or B.

There are...side effects to C.

What you're not understanding is that many autoupdaters operate with zero
user interaction. There is something to be said about silent ownage, simply
because you connected to a network.

Also, note that Evilgrade has been out for several years, and there are
still (many) vulnerable endpoints. This is the reality of design bugs --
they can survive the light of day, because they're such a miserable pain to
fix.
V***@vt.edu
2010-10-31 14:36:30 UTC
Just signing the update packages prevents this attack, so it's not that hard
to fix.
Except if a signing key gets compromised, as happened to one Linux vendor
recently, causing a lot of kerfuffle... Setting up a proper signing system
involves a certain amount of actual cost and effort. And every organization
that produces code, be it for-profit proprietary code or free open-source code,
has to make resource tradeoffs.

Is there any actual *evidence* that hijacking "authorized" updates is a big
enough problem to be worth it? If each year, 5 of their customers get pwned
by the sort of attack that Evilgrade does, but 50,000 get pwned by "click here"
popups that code signing won't do squat to prevent, is it really worth their
time and effort? Sure, sucks to be one of the 5, but if they instead spend the
resources to do something *else* to make their customers' lives better that would
benefit thousands rather than the 5....
V***@vt.edu
2010-10-31 14:40:01 UTC
In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.
Amen to that.

A more subtle issue is the tradeoff issue: Any time they have a code engineer
spending time building and feeding that code-signing infrastructure is time that
code engineer *isn't* spending writing actual new features the users *want*.

Which user-requested feature are you going to heave over the side in order to
do code-signing instead? That question has to enter into the calculus as well.
[lesh] Ivan Nikolic
2010-10-31 16:07:06 UTC
Hm, I'm new to this list, so I find this a bit strange.

Christian, Valdis, are you the same person?
What are your motives?
Do you really believe the things you are saying?
You seem to be just generally negative, jumping from point to point and being very silly.

"Just signing the update packages prevents this attack, so it's not that hard to fix."
In my opinion, all in all, you're creating a yet another overly complex
system with as yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.
There is a REAL attack vector that needs to be fixed, and you are saying that it shouldn't be fixed as every
line of code creates a POTENTIAL attack vector?
Only thing, there's the danger of someone using stolen certificates.
A signing key might be stolen, so we shouldn't use it?
Do you use passwords, Chris? Why? They might be stolen?
You can't possibly believe that?
Amen to that.
A more subtle issue is the tradeoff issue: Any time they have a code engineer
spending time building and feeding that code-signing infrastructure is time that
code engineer *isn't* spending writing actual new features the users *want*.
Code-signing infrastructure? Of course, code for those things is well known, packed in libraries,
and trivial to use. Of course. And...
and bla.
I could go on, but probably the whole list is aware of those things.

I'm wondering what's going on?
Are you paid list-posters from an evil rival company? This is the only idea I have.
--
PGP 0x96085C00 http://lesh.sysphere.org
Christian Sciberras
2010-10-31 18:44:49 UTC
Post by [lesh] Ivan Nikolic
Christian, Valdis, are you the same person?
[sarcasm] Yes we are, it's a personality disorder issue. ;-) [/sarcasm]
Post by [lesh] Ivan Nikolic
what are your motives?
What would one's motive be in a discussion?
Post by [lesh] Ivan Nikolic
do you really believe the things you are saying?
[sarcasm] No, I was just trying to sound cool going against most FD readers
out there. [/sarcasm]
Post by [lesh] Ivan Nikolic
you seem to be just generally negative, jumping from point to point and being very silly.
Negative? Is asking a change in the "standards saves us" religion, being
negative?
What seems silly to you might be sane and true to the rest of the world.
Oh and, maybe you're overly meditative to see several points in my
post....let me confess something....
there was only ONE point.
Post by [lesh] Ivan Nikolic
there is a REAL attack vector that needs to be fixed, and you are saying
that it shouldn't be fixed as every
Post by [lesh] Ivan Nikolic
line of code creates a POTENTIAL attack vector?
Remember Stuxnet? And its use of stolen certificates?
Post by [lesh] Ivan Nikolic
a signing key might be stolen, so we shouldn't use it?
I've never said it's not.
Post by [lesh] Ivan Nikolic
do you use passwords chris? why? they might be stolen?
Yes, I do. Ever heard of hacking/stealing an account?
Post by [lesh] Ivan Nikolic
you can't possibly believe that?
Uhm, yes I do.
Post by [lesh] Ivan Nikolic
I'm wondering what's going on?
Are you paid list-posters from an evil rival company? This is the only idea I have.
Wow, so daft. Is someone on this damned list entitled to an opinion or a
fair discussion?
As to your theory, one question, which rival company (to those companies)?



I think that you're mostly confused as to what the point is. There are
places where code should be signed and there are places where it shouldn't.
Evilgrade did reveal that some of these places aren't as they should be, but
this does not mean any and all sorts of updates should be signed.

The trade-off Valdis mentioned is one of my main deterrents to creating such an
updating system; why would I hand out the money for code signing when the ROI
doesn't even cover it??

One thing you ought to think on: why don't user-based sites ask for a PGP
signature?
Why do they use a simple password mechanism (if at all)?


PS: Keep up with the conspiracy theories, got to love 'em.


Cheers,
Chris.