Evilgrade is a framework from infobytesec that you can download and use to exploit programs whose online automatic updater is implemented insecurely. The idea is simple: when a program you are attacking goes to check for an update, you intercept that request (Evilgrade expects you to already hold a man-in-the-middle position, for example by spoofing the DNS answers for the vendor's update hostnames) and answer it with an update of your own. Because the program installs whatever it is handed, that "update" can carry any payload you choose; Evilgrade supplies the framework for building such fake updates for a range of programs.
There are over 60 different modules that you can play around with, including:
Each module encodes what is needed to imitate that program's update server: the hostnames it contacts and the shape of the response it expects, so that the framework can answer the update check as if it were the real server.
The reason this works is that many programs fetch updates without any cryptographic check. The update is pulled over plain HTTP and installed as long as the server said a newer version exists; there is no signature on the package and no key baked into the program to verify one against. Whoever can answer the program's DNS or HTTP request therefore decides what gets installed. To prevent this, there needs to be proper authentication and validation inside the update mechanism itself: TLS on the download only protects the transport, and a program that trusts an unsigned file it received is still a prime target for exploitation.
The best guidelines I found for building a secure updater come from security researcher Dan Kaminsky. According to him, before an update is allowed to succeed, the update package must:
– Be signed by you (the signature must chain to a key the updater itself trusts, not merely to any CA installed on the system).
– Be signed by you using the right EKU (Extended Key Usage), i.e. a code-signing certificate, not a TLS server certificate that happens to belong to you.
– Be signed with a certificate that has not been revoked.
– Be for the same product (a genuine update for one of your products must not be installable into another).
– Be a new version (otherwise a signed but old, vulnerable build can simply be replayed).
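As an added example (not part of the original post, and not Evilgrade's or Kaminsky's code), here is a small Go updater that enforces all five checks on the client side. Everything in it is constructed for the example: the manifest format, the product name "demoapp", the certificate names, and the in-memory revocation map that stands in for a CRL or OCSP lookup. It builds a throwaway PKI with a pinned publisher root, a proper code-signing leaf, a serverAuth-only leaf (the wrong-EKU case) and an attacker's self-signed CA, so it runs offline and shows which of those signers a careful updater accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Manifest is what the client acts on: Version is a monotonic counter and
// SHA256 (hex) binds the payload to the signed manifest. Constructed format.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedUpdate is the constructed wire format: manifest, payload, the signer's
// leaf certificate (DER) and an ECDSA signature over sha256(json(Manifest)).
type SignedUpdate struct {
	Manifest                    Manifest
	Payload, CertDER, Signature []byte
}

var (
	ErrChain     = errors.New("signer does not chain to the pinned root or lacks the code-signing EKU")
	ErrRevoked   = errors.New("signing certificate is revoked")
	ErrSignature = errors.New("manifest signature does not verify")
	ErrProduct   = errors.New("manifest is for a different product")
	ErrNotNewer  = errors.New("not a newer version (downgrade or replay)")
	ErrPayload   = errors.New("payload hash does not match the signed manifest")
)

// canonical is the deterministic encoding that gets signed (struct field order is fixed).
func canonical(m Manifest) []byte { b, _ := json.Marshal(m); return b }

// Sign is the publisher side: hash the payload into the manifest, then sign the manifest.
func Sign(product string, version int, payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	d := sha256.Sum256(canonical(m))
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	return SignedUpdate{Manifest: m, Payload: payload, CertDER: cert.Raw, Signature: sig}, err
}

// Verify is the client side: every check must pass before a byte of Payload is used.
func Verify(u SignedUpdate, root *x509.Certificate, revoked map[string]bool, product string, installed int) error {
	leaf, err := x509.ParseCertificate(u.CertDER)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	// (1) signed by you: chain to the root pinned in the client, never the system store.
	// (2) right EKU: demand code signing explicitly; an empty KeyUsages list makes
	// Go default to serverAuth, which would accept any TLS certificate your CA issued.
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	// (3) unrevoked: in-memory stand-in for a CRL or OCSP lookup keyed by serial number.
	if revoked[leaf.SerialNumber.String()] {
		return ErrRevoked
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(canonical(u.Manifest))
	if !ok || !ecdsa.VerifyASN1(pub, d[:], u.Signature) {
		return ErrSignature
	}
	// Manifest fields are trustworthy only after the signature check above.
	if u.Manifest.Product != product { // (4) same product
		return ErrProduct
	}
	if u.Manifest.Version <= installed { // (5) new version: blocks replay of an old signed build
		return ErrNotNewer
	}
	if sum := sha256.Sum256(u.Payload); hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return ErrPayload
	}
	return nil
}

// DemoPKI is a throwaway in-memory PKI: the pinned root, a code-signing leaf, a
// serverAuth-only leaf (wrong EKU) and an attacker's self-signed CA outside the root.
type DemoPKI struct {
	Root, CodeCert, TLSCert, RogueCert *x509.Certificate
	CodeKey, TLSKey, RogueKey          *ecdsa.PrivateKey
}

func NewDemoPKI() DemoPKI {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	tpl := func(serial int64, cn string, eku x509.ExtKeyUsage, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CAs
			ExtKeyUsage: []x509.ExtKeyUsage{eku}, BasicConstraintsValid: true, IsCA: ca}
	}
	issue := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c
	}
	rootKey, codeKey, tlsKey, rogueKey := key(), key(), key(), key()
	rootTpl := tpl(1, "Example Publisher Root", x509.ExtKeyUsageAny, true)
	rogueTpl := tpl(4, "attacker", x509.ExtKeyUsageCodeSigning, true)
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	return DemoPKI{Root: root, CodeKey: codeKey, TLSKey: tlsKey, RogueKey: rogueKey,
		CodeCert:  issue(tpl(2, "release-signing", x509.ExtKeyUsageCodeSigning, false), root, &codeKey.PublicKey, rootKey),
		TLSCert:   issue(tpl(3, "updates.example.test", x509.ExtKeyUsageServerAuth, false), root, &tlsKey.PublicKey, rootKey),
		RogueCert: issue(rogueTpl, rogueTpl, &rogueKey.PublicKey, rogueKey)}
}
```

Sign is the publisher side and Verify the client side; NewDemoPKI only exists to make the example self-contained. Two details are worth taking away. The order of checks matters: product and version are read from the manifest, so they are checked only after the signature has been verified, otherwise an attacker could satisfy them with a manifest of their own. And the EKU check is easy to get wrong in Go specifically: leaving KeyUsages empty makes Verify default to serverAuth, so a signer would be accepted on the strength of an ordinary TLS certificate from your CA, which is exactly the failure the second guideline exists to prevent.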
An updater that applies all of those checks is in a much stronger position. Unfortunately, many of the programs we use every day still skip them. So next time your computer asks if you want to update a program, consider whether that application's updates are authenticated and verified at all. If they are not, be careful, especially on networks you do not control.
A video showing exactly how Evilgrade works can be found here.