Monday, July 28, 2008

Evilgrade Will Destroy Us All

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc.) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit.

9 Comments:

Blogger Colin said...

Has anyone published a set of guidelines for writing a secure updater?

10:41:00 AM  
Blogger nate said...

We're all doomed! This is neat stuff that everyone knew was coming but hoped would wait just a little while longer to appear.

Re: approach to secure updates. Sign them and embed the public key in your executable. Just beware crypto flaws like not checking RSA padding -- get your design reviewed!

9:52:00 PM  
Anonymous dcn said...

Digitally signing updates should solve most of the issues imho.

11:07:00 PM  
Anonymous Anonymous said...

Very nice, as always the update procedure should use https.

This is a great tool for security demonstration.

2:32:00 PM  
Blogger Steve Pinkham said...

Colin:
These papers do a pretty good job of outlining the risks and proper protections.
Note that it's a much harder problem than you might think.

7:14:00 PM  
Blogger egypt said...

nate: embedding the public key in a signed executable only prevents the executable from being modified. An attacker could simply supply a different executable with his own key embedded in it.

10:58:00 PM  
Anonymous Derek Callaway said...

Just using HTTPS/SSL isn't enough--there needs to be proper certificate verification. SECOBJADV-001 is an example of a vulnerability in an updater that uses HTTPS. In this case, it was Lenovo's SystemUpdate which comes installed by default on their laptops.

6:28:00 PM  
Blogger _ said...

I think we should define a new standard for update services based on more reliable cryptographic methods. Using a distributed PKI including all software vendors is not enough but a little step in the right direction.
kroakadil

12:44:00 AM  
Blogger Jesse said...

I think Dan Kaminsky has a good set of guidelines:

* To succeed, your update package must be:
  - Signed.
  - Signed by you.
  - Signed by you, using the right EKU (Extended Key Usage)
  - Signed from an unrevoked signature
  - Be the same product
  - Be a new version

Source: www.doxpara.com/DMK_BO2K8.ppt

4:38:00 PM  
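Added example (not from the post, nor from Evilgrade's or any vendor's code) showing how the checks in this thread fit together in a client-side verifier written in Go: the public key is pinned in the build as nate suggests, and the signed manifest binds product, version and payload hash, so a hijacked update server cannot substitute another product, an older version or a different payload. It assumes a raw Ed25519 key rather than a certificate, so Kaminsky's EKU and revocation items do not apply here; `Manifest`, `SignManifest` and `VerifyUpdate` are names chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the metadata served with an update. The signature covers product,
// version and payload hash, so a DNS/ARP hijacker cannot swap any of them.
type Manifest struct {
	Product string
	Version int
	SHA256  string
	Sig     []byte
}

// signedBytes is the exact byte string the signature is computed over.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Product, m.Version, m.SHA256))
}

func hexSHA256(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
// SignManifest is the vendor-side step, run offline with the private key
// (hypothetical helper for this example).
func SignManifest(priv ed25519.PrivateKey, product string, version int, payload []byte) Manifest {
	m := Manifest{Product: product, Version: version, SHA256: hexSHA256(payload)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate runs the thread's checklist on the client: signed by the key embedded
// in this build, for this product, strictly newer (no rollback), payload hash matches.
func VerifyUpdate(pub ed25519.PublicKey, product string, installed int, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return errors.New("signature does not verify against the embedded key")
	}
	if m.Product != product {
		return errors.New("manifest is for a different product")
	}
	if m.Version <= installed {
		return errors.New("not a newer version (rollback or replay)")
	}
	if hexSHA256(payload) != m.SHA256 {
		return errors.New("payload does not match the signed hash")
	}
	return nil
}
```

As egypt points out, pinning only protects a client that was installed legitimately in the first place; the initial install still needs its own trust path.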
