Evilgrade: Exploiting Automatic Updating

Evilgrade is a framework created by infobytesec that you can download and use to exploit various programs whose online automatic updating is implemented insecurely. Essentially, when a program you're attacking goes to look for an update, you intercept that request and send it your own update instead. This could obviously be used to deliver malicious updates; Evilgrade provides the framework for building your own fake updates for various programs.

There are over 60 different modules that you can play around with, including:

– Safari
– iTunes
– Quicktime
– APT
– Java
– Mirc
– Adium
– Notepadplus
– Opera
– Bsplayer
– Winamp
– Trillian
– Teamviewer
– Virtualbox
– Vmware
– Winscp
– Winupdate

For each module, the framework contains everything needed to imitate an update response from that program's update server.

The reason this works is that many programs don't bother to cryptographically sign their updates, or to verify before installing that an update really came from the vendor. To prevent this, there needs to be proper authentication and validation within the update system. Because these programs don't have that, they are prime targets for exploitation.

The best guidelines I found for creating a secure updater are from security researcher Dan Kaminsky. According to him, for an update to be accepted, the update package must be:

– Signed
– Signed by you
– Signed by you, using the right EKU (Extended Key Usage)
– Signed with an unrevoked signature
– The same product
– A new version

An updater that enforces all of those checks would be much more secure. Unfortunately, today there are still many security gaps in the programs that we use all the time. So next time your computer asks you if you want to update a program, see if your application's updates require some authentication and verification. If they don't, then be careful.
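As an added illustration (not code from this post, from Evilgrade, or from Kaminsky), here is how a client-side updater could enforce those six checks on a signed update manifest using Go's standard-library Ed25519. The JSON manifest layout, the key ids, and the `Purpose` field that stands in for a certificate EKU are all assumptions made for the example.

```go
package main

import "crypto/ed25519"
import "encoding/json"
import "fmt"

// Manifest is a constructed update descriptor; Purpose stands in for the EKU.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	Purpose string `json:"purpose"`
	KeyID   string `json:"key_id"`
}

// Policy is what the client pins locally: trusted keys, revocations, own product and version.
type Policy struct {
	VendorKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool
	Product    string
	Installed  int
}

// SignManifest is the vendor side (demo only): serialise the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte) {
	raw, _ = json.Marshal(m)
	return raw, ed25519.Sign(priv, raw)
}

// VerifyUpdate applies the six checks in order; the first failure rejects the update.
func VerifyUpdate(p Policy, raw, sig []byte) error {
	var m Manifest
	err := json.Unmarshal(raw, &m)
	key := p.VendorKeys[m.KeyID] // "signed by you": only a pinned key counts
	switch {
	case err != nil:
		return fmt.Errorf("malformed manifest: %w", err)
	case key == nil || !ed25519.Verify(key, raw, sig): // signed, and by us
		return fmt.Errorf("not signed by a pinned vendor key")
	case m.Purpose != "software-update": // right EKU
		return fmt.Errorf("signing key not authorised for updates")
	case p.Revoked[m.KeyID]: // unrevoked
		return fmt.Errorf("signing key %q is revoked", m.KeyID)
	case m.Product != p.Product: // same product
		return fmt.Errorf("update is for %q, not %q", m.Product, p.Product)
	case m.Version <= p.Installed: // new version: refuse downgrades and replays
		return fmt.Errorf("version %d is not newer than installed %d", m.Version, p.Installed)
	}
	return nil
}
```

Because the signature covers the whole manifest, an attacker on the network who swaps in a different package, product, purpose or version breaks the signature, and one who re-signs with their own key fails the pinned-key check.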

A video showing exactly how Evilgrade works can be found here.


4 thoughts on “Evilgrade: Exploiting Automatic Updating”

  1. Are there any updaters that you know of or that you read about that you know are safe to use? Being as there are over 60 modules that are insecure, it would be good to know which ones are.

  2. Obviously it will become necessary to update software you have installed, because without updating you may be leaving yourself open to other security exploits. So how should you go about updating your software securely and safely?

    • Well if you’re using Evilgrade, the attacker needs two things: the target has to be running one of the programs listed above, and you need control over the network. So you should only install updates when you’re on a trusted network (or a network that you control yourself, like your home network). Unfortunately many programs have auto-updates, which means they could be updating when you’re on the go, and you may not even realize it.

      Turn off auto-update, only update from secure, trusted networks, and you should be more secure from this vulnerability.
