Evilgrade Toolkit helping with fake updates

Evilgrade icon From the word compound of evil and grade, you see there will be something evil about this piece of software and upgrades. It is a modular framework for supplying clients with fake updates that can contain a wide scale of payloads. The problem of poorly implemented actualization routines has been well know for quite some time now, but it seems it has been greatly overlooked. In the time of creation Evilgrade (summer 2008), very popular software has been vulnerable to this kind of exploit such as

Java plug-in, Winzip, Winamp, OpenOffices, iTunes, Linkedin Toolbar, DAP [Download Accelerator], notepad++, speedbit, and even Mac OS. The payload of the update could be almost anything ranging from proxy for access to internal network, key-logger or type of a root-kit. One more possibility is downgrading to a even more vulnerable version of software where version number is forgeable.

The upgrade process

No matter how automated the upgrade process is, if at all, it usually works by the application checking an update info file (such as http://update.example.com/update.xml) in which latest version number and updater location can be found.

The problem in this is that the file transfer is happening unencrypted (not over https) and is not secured with any other method (signed with certificate, for example) – the software cannot be certain the update as been issued by trusted authority.
All it knows is that it has requested a update info file from a certain domain and that it should run an updater that’s specified there if current version number is lower. When you say it like this, it sounds pretty damn stupid

(Note that doing fake update with its version number highly above the current released version (lets say 200.0.0) causes the update to a real version impossible since the 200.0.0 will be aways higher.)

Join the discussion in our forums!

Here we discover the buggy DNS again (as we’re looking forward to the IPv6). Now it doesn’t matter whether we use DNS cache poisoning, rogue DNS server, ARP Poison Routing in a subnet or other fun things, it is certain the software wanted http://update.example.com/info.xml, but it cannot be sure is the xml files is from the authorized or fake server.

Evilgrade supplies you with a framework for use of update server faking. Already mentioned modules are included, but many vulnerable applications have been fixed (I know Mac OS and Winamp have, for sure).

The application is open-source and written in Perl (Perl modules needed: Data::Dump, Digest::MD5, Time::HiRes) so it is available for Linux Windows and others.

To wrap it up, the faked update process works like this:
1 – software or a user initializes the update process..
2 – it ask the DNS for the IP of update.example.com where the update info file is
3 – right now, the victim has to get the attackers IP for the resolution where Evilgrade is running
4 – the application downloads and check the info o file http://attackers_IP/update.xml
5 – the application finds out that an update is available, downloads the updater (agent) and runs it

It is controlled in a CLI (command line interface) very similar to Cisco IOS. It may be for some cumbersome at the beginning, but it is easy to get used to.

evilgrade>help

configure – Configure – no help available

exit – exits the program
help – prints this screen, or help on ‘command’
reload – Reload to update all the modules – no help available
restart – Restart webserver – no help available
set – Configure variables – no help available
show – Display information of <object>.
start – Start webserver – no help available
status – Get webserver status – no help available
stop – Stop webserver – no help available
version – Display framework version. – no help available

Thank you Franncisco Amato. Check out his homesite. Here you cand find a screen captue demo and here youo can see the readme if you want to see more.