From Security Weekly Wiki
4,526 bytes added ,  19:46, 21 August 2008
Kevin is always looking for feedback, tool suggestions and feature requests, so feel free to download it, USE it, and offer Kevin some feedback. His contact info can be found at the project site.
= Tech Segment: Software Update Security with Derek Callaway =
- Intro -
Derek Callaway is a security consultant with Security Objectives Corporation. His company is currently developing a dynamic binary analysis debugger. More information and demos are available at
Typical advice for keeping a system secure includes keeping your software up-to-date; however, updating software
actually has the potential to make your system less secure. Derek has published a number of advisories
through his company (Security Objectives) pertaining to software update vulnerabilities of various vendors
including Lenovo, PartyGaming, and Cygwin.
evilgrade is a tool for exploiting software update vulnerabilities that was first presented (but not released) at EkoParty 2007, an Argentinian security conference. evilgrade was released by Francisco Amato of InfoByte Security Research in late July 2008. This event seems to have officially brought software update security to the attention of the vulnerability research community. evilgrade is particularly useful when used in conjunction with Karmetasploit and/or Dan Kaminsky's DNS cache poisoning attack, although other man-in-the-middle techniques such as ARP redirection are sufficient. There is talk of integrating evilgrade into the Metasploit project.
ISR-evilgrade is currently at version 1.0 and ships exploit modules for: Java, WinZip, Winamp, MacOS, OpenOffice, iTunes, LinkedIn Toolbar, DAP (Download Accelerator), Notepad++, and Speedbit. Look for a new version of evilgrade with more exploit modules in the not too distant future.
- History -
Before updates were delivered over the network, they were usually delivered on tape by private courier. At one of the HOPE conference's social engineering panels, Kevin Mitnick spoke about an analog man-in-the-middle attack where he dressed up as a UPS delivery guy and delivered a trojanned tape himself. In 1983, Digital Equipment Corporation (DEC) created the first remote delivery of software updates at their Colorado Springs facility for their OpenVMS operating system. Once the Internet became ubiquitous, software started allowing users to update it over the Internet.
- Attacks -
Different types of software updating:
* Automatic (software automatically downloaded and installed)
* Semi-Automatic (software notifies the user that an update is available, but the user must take action to install it)
* Manual (user must take action to determine if an update is available)
Clearly, the fully automatic type is impacted the most when it comes to updater vulnerabilities. Most updaters use HTTP(S), so it's just a matter of creating a web server that looks like the real update server but pushes out trojans with the updates. Some updaters will download the patch from within the program; others will open a browser window with a URL to the vendor's site, which usually is not served over HTTPS.
Just because SSL is in use doesn't mean the updater is secure. The update client must properly verify the server's certificate. An example of improper certificate verification in a software updater is the Lenovo advisory Derek published (CVE-2008-3249).
Creating digital signatures for packages does not always prevent attacks either, especially if the integrity of the update server itself is not validated. An old package's signature still verifies because it was made with the real vendor's key. A rogue update server could therefore cause a downgrade to an old, vulnerable version and then exploit it.
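The two failure modes above, an updater that encrypts but does not authenticate its TLS connection, and one that checks a package signature but not the package version, can both be shown in one small client-side check. The following is an added example written for this page, not code from Derek Callaway, Security Objectives, or evilgrade. Everything in it is constructed: the product name, version numbers, package bytes and vendor key are placeholders, and the HMAC "signature" is a standard-library stand-in for the asymmetric signature a real vendor would make with a private key and the client would verify with the shipped public key. The check logic (verify signature, refuse versions at or below the installed one, compare the payload hash named in the signed manifest) is the part that carries over.

```python
import hashlib
import hmac
import json
import ssl
from typing import Tuple

# Constructed placeholder. A real updater ships only the vendor's PUBLIC key and
# verifies an asymmetric signature (RSA, ECDSA, Ed25519); HMAC is used here only
# so the verification flow runs with the standard library alone.
VENDOR_KEY = b"example-vendor-key-placeholder"


def canonical(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: produce the signature that ships alongside the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: str, key: bytes = VENDOR_KEY) -> Tuple[bool, str]:
    """Client side. Returns (accepted, reason). Order matters: authenticate first."""
    # 1. Authenticity: the manifest (which names version and hash) must be vendor-signed.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "bad signature"
    # 2. Freshness: a genuinely signed OLD manifest must still be refused, otherwise a
    #    rogue update server can roll the client back to a known-vulnerable build.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "downgrade or replay refused"
    # 3. Integrity: the downloaded package must match the hash the signed manifest names.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


def hardened_tls_context() -> ssl.SSLContext:
    """What the updater should use: CA chain verification plus hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def broken_tls_context() -> ssl.SSLContext:
    """The anti-pattern behind 'missing certificate chain verification': encrypted but
    unauthenticated, so whoever answers the DNS name or sits in the path is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates(ctx: ssl.SSLContext) -> bool:
    """Quick self-check an updater can run on its own TLS configuration."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample data: a current release and an older release the vendor once signed.
PAYLOAD_NEW = b"constructed package bytes for ExampleApp 2.1.0"
PAYLOAD_OLD = b"constructed package bytes for ExampleApp 1.0.0"


def make_manifest(version: str, payload: bytes) -> dict:
    return {"product": "ExampleApp", "version": version,
            "sha256": hashlib.sha256(payload).hexdigest()}


MANIFEST_NEW = make_manifest("2.1.0", PAYLOAD_NEW)
SIG_NEW = sign_manifest(MANIFEST_NEW)
MANIFEST_OLD = make_manifest("1.0.0", PAYLOAD_OLD)
SIG_OLD = sign_manifest(MANIFEST_OLD)   # legitimately signed, just stale

if __name__ == "__main__":
    installed = "2.0.5"
    print("genuine upgrade :", verify_update(MANIFEST_NEW, SIG_NEW, PAYLOAD_NEW, installed))
    print("signed old build:", verify_update(MANIFEST_OLD, SIG_OLD, PAYLOAD_OLD, installed))
    print("tampered payload:", verify_update(MANIFEST_NEW, SIG_NEW, PAYLOAD_NEW + b"x", installed))
    print("hardened TLS ok :", context_authenticates(hardened_tls_context()))
    print("broken TLS ok   :", context_authenticates(broken_tls_context()))
```

The downgrade case is the one worth pausing on: the old manifest passes the signature check exactly as the text says, and only the version comparison against the installed build stops it. Putting the version inside the signed manifest is what makes that comparison meaningful; an attacker who edits the version field of an old manifest invalidates its signature.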
These attacks can also affect entire operating systems. Take for example Linux distributions that have mirrored servers for their package systems. On August 14, the Fedora project leader told users to not update their software as a precaution because of a mysterious Fedora Project server outage.
- Prevention -
Cryptographically verify the update server with PKI (Public Key Infrastructure).
- References -
Security Objectives Advisories
Updating the Updater: System of Systems (Security Objectives' Blog)
ISR-evilgrade, InfoByte Security Research
Thinkvantage SystemUpdate Missing SSL Certificate Chain Verification
Mystery Fedora Disruption Prompts Security Fears
= Stories For Discussion =