A new tool developed by Francisco Amato of Infobyte Security Research takes advantage of automatic updates to spread just about any type of malware an attacker would want. The tool is designed to be used by penetration testers to exploit common auto-update features found in software like OS X, Sun Microsystems' Java, and iTunes. Dubbed "Evilgrade", the tool is one of the first to take advantage of the recently exposed DNS vulnerability, thanks to well-engineered exploit code released for Metasploit.
Kaminsky DNS flaw used as an example in testing of Evilgrade. (IMG:J.Anderson)
It is fast becoming a long week for IT administrators and security engineers. By now, there have been meetings and memos, e-mails and phone calls, all related to the vulnerability. Most of the upper management who have seen the news of the recent DNS issues are likely asking, "...are we safe?"
The truth is, if you have applied the patch, then yes, the simple answer is you are safe. However, real security experts know that while the patches helped, they did not remove the problem altogether (there is roughly a one-in-a-million chance that the exploit will work against a patched DNS server, but the chance is there, and it is possible to make it work given some time).
Researcher Francisco Amato says that his Evilgrade tool takes advantage of poor upgrade implementations by injecting fake updates. Evilgrade is platform independent; it needs only a payload suited to the selected target, for example an OS X payload delivered through an OS X update, or a Windows payload delivered through a Winamp upgrade. The attack vector for the tool is a simple man-in-the-middle attack using any of the normal avenues, such as ARP spoofing, DNS cache poisoning, DHCP spoofing, or internal DNS access.
Evilgrade is modular as well. Each module emulates the proper structure needed to target the framework selected. The list of modules so far includes Sun Microsystems Java, WinZip, Winamp, Apple's OS X, OpenOffice, iTunes, LinkedIn Toolbar, DAP, Notepad++, and speedbit.
The demonstration video for Evilgrade uses Sun’s Java auto-update process. Using the DNS flaws located by Dan Kaminsky, the video shows Metasploit being used to poison the DNS Cache for java.sun.com, after which the victim is prompted with an update alert from Java’s auto-update feature. The only problem is that the update was triggered and sent from the attacker. The attacker can set the level of severity for the update, such as critical, and even name the update to gain attention ("Hello Dan Kaminsky" was the update name used in the example).
The problem is that the update alert, the method Java used to initiate the update, and the update mechanism itself all worked exactly as Sun intended. Only, in this case, the attacker caused the victim to install a reverse shell, allowing remote access to their machine.
Mitigation for this level of attack is difficult. Once the DNS is cached and poisoned, there is little a victim can do to prevent exploitation. The fact that the recent DNS vulnerability was used in the example only serves to point out why it is silly to have so many unpatched servers online.
Several ISPs, including Comcast, Sprint, Level3, Adelphia, Bell South, and AT&T, all show 'POOR' or 'FAIR' on the DNS tests. The rating of 'GOOD' is what you need, anything less is risky. Another interesting, if not odd, missing patch is Apple’s implementation of BIND; ISC released a patched version of BIND to address Kaminsky’s discovery, yet Apple has not pushed it to the OS X Server.
The appearance of Evilgrade will only complicate things once non-professionals -- read script kiddies -- get their hands on it. The best defense is a good offense, but since this tool takes advantage of the update systems already in place, it is hard to recommend mitigation until the companies, most notably Sun, address how their update platforms work.
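What "addressing how the update platform works" amounts to on the vendor side, as an added example that is not from the article, from Infobyte's tool, or from any vendor named above: an update client that accepts an update offer only if the manifest is signed under a vendor key pinned into the client at build time, and only if the installer it actually downloaded matches the digest inside that signed manifest. The weak variant, `acceptUnsigned`, stands in for the behaviour the article describes, where whatever the resolved update host serves is trusted. The Manifest fields, product name, URLs and installer bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor of the kind an auto-updater
// fetches from its vendor's host. The field names are this example's own.
type Manifest struct {
	Product  string
	Version  string
	URL      string // where the client is told to fetch the installer
	SHA256   string // hex digest of the installer the vendor published
	Severity string // e.g. "recommended" or "critical", shown in the prompt
}

// canonical is the exact byte string that is signed and verified. Every field
// an attacker might alter has to be covered, or tampering goes unnoticed.
func (m Manifest) canonical() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n" + m.Severity + "\n")
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signManifest is the vendor's offline release step; the private key never leaves the vendor.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// acceptUnsigned mirrors the weak behaviour: anything the resolved host returns is a real update.
func acceptUnsigned(m Manifest) bool {
	return m.Product != "" && m.Version != ""
}

// verifyManifest is the hardened check: the signature must validate under the
// pinned vendor key, and the downloaded installer must hash to the signed digest.
func verifyManifest(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return errors.New("manifest signature does not verify under the pinned vendor key")
	}
	if digestHex(installer) != m.SHA256 {
		return errors.New("installer digest does not match the signed manifest")
	}
	return nil
}

// Outcome records how the two client variants judged one update offer.
type Outcome struct {
	UnsignedClientAccepts bool
	HardenedClientAccepts bool
}

func judge(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) Outcome {
	return Outcome{
		UnsignedClientAccepts: acceptUnsigned(m),
		HardenedClientAccepts: verifyManifest(pinned, m, sig, installer) == nil,
	}
}

// Scenario covers the vendor's genuine release, a manifest injected by whoever
// controls name resolution, and the genuine manifest paired with an installer
// swapped in transit.
type Scenario struct {
	Genuine, Injected, SwappedInstaller Outcome
}

func runScenario() (Scenario, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	// Constructed stand-ins for installer bytes; no real software is involved.
	installer := []byte("constructed stand-in for the vendor's installer")
	payload := []byte("constructed stand-in for a substituted installer")

	genuine := Manifest{Product: "ExampleApp", Version: "1.2.3",
		URL: "http://updates.example.invalid/ExampleApp-1.2.3.exe",
		SHA256: digestHex(installer), Severity: "recommended"}
	genuineSig := signManifest(vendorPriv, genuine)

	// The injected offer keeps the product name, points at the substituted file
	// and is marked critical. Its author holds no vendor key, so it carries a
	// signature under some other key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	injected := genuine
	injected.URL = "http://updates.example.invalid/ExampleApp-critical.exe"
	injected.SHA256 = digestHex(payload)
	injected.Severity = "critical"
	injectedSig := signManifest(otherPriv, injected)

	return Scenario{
		Genuine:          judge(vendorPub, genuine, genuineSig, installer),
		Injected:         judge(vendorPub, injected, injectedSig, payload),
		SwappedInstaller: judge(vendorPub, genuine, genuineSig, payload),
	}, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release:   %+v\n", s.Genuine)
	fmt.Printf("injected manifest: %+v\n", s.Injected)
	fmt.Printf("swapped installer: %+v\n", s.SwappedInstaller)
}
```

The unsigned client accepts all three offers; the hardened client accepts only the genuine release. Note what the check does not cover: a signed manifest from an older release could be replayed to roll a victim back, so a real client also has to refuse any version not newer than the one installed.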
As for the DNS issues, if you have not patched, or if you use one of the ISPs mentioned for business needs, then you need to make the proper upgrades in-house, then call your ISP and ride it until it patches its own systems.
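An in-house check in the spirit of the POOR/FAIR/GOOD ratings quoted above, as an added example in Go that is not the article's, any ISP's, or any public tester's code: take a capture of your own resolver's outbound queries, pull out the UDP source port of each, and judge whether those ports are fixed, allocated in constant steps, confined to a narrow range, or spread widely, since a patched resolver randomizes them and that randomness is what the fix adds on top of the 16-bit transaction ID. The capture format is tcpdump-like, the sample lines are constructed, and the thresholds behind the three labels are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Assessment summarises the UDP source ports a resolver used for its own
// outbound queries, the value a cache-poisoning attempt has to guess.
type Assessment struct {
	Samples    int
	Unique     int
	Span       int     // highest port seen minus lowest
	ApproxBits float64 // log2(Span+1): rough guesswork added to the 16-bit transaction ID
	Rating     string  // POOR, FAIR or GOOD (thresholds are this example's own)
}

// portsFromCapture extracts the resolver's source port from tcpdump-style lines
// "HH:MM:SS.uuuuuu IP <src-ip>.<port> > <dst-ip>.53: ...". Feed it only the
// resolver's outbound queries (e.g. a capture filtered on "dst port 53").
func portsFromCapture(lines []string) ([]int, error) {
	var ports []int
	for _, ln := range lines {
		ln = strings.TrimSpace(ln)
		if ln == "" {
			continue
		}
		src, _, ok := strings.Cut(ln, " > ")
		fields := strings.Fields(src)
		if !ok || len(fields) == 0 {
			return nil, fmt.Errorf("no source endpoint in %q", ln)
		}
		endpoint := fields[len(fields)-1] // e.g. 192.0.2.10.41235
		i := strings.LastIndex(endpoint, ".")
		p, err := strconv.Atoi(endpoint[i+1:])
		if i < 0 || err != nil || p < 1 || p > 65535 {
			return nil, fmt.Errorf("no usable source port in %q", ln)
		}
		ports = append(ports, p)
	}
	if len(ports) == 0 {
		return nil, fmt.Errorf("capture contained no query lines")
	}
	return ports, nil
}

// assess rates a port sample: a fixed port or constant-step allocation is POOR,
// a narrow range or heavy reuse is FAIR, anything else GOOD.
func assess(ports []int) Assessment {
	a := Assessment{Samples: len(ports)}
	seen := make(map[int]bool, len(ports))
	lo, hi := ports[0], ports[0]
	for _, p := range ports {
		seen[p] = true
		if p < lo {
			lo = p
		}
		if p > hi {
			hi = p
		}
	}
	a.Unique, a.Span = len(seen), hi-lo
	a.ApproxBits = math.Log2(float64(a.Span + 1))
	// A constant step between successive queries is as predictable as a fixed
	// port, however wide the range eventually becomes.
	constantSteps := 0
	for i := 2; i < len(ports); i++ {
		if ports[i]-ports[i-1] == ports[i-1]-ports[i-2] {
			constantSteps++
		}
	}
	switch {
	case a.Unique == 1 || (len(ports) > 2 && constantSteps*10 >= (len(ports)-2)*8):
		a.Rating = "POOR"
	case a.Span < 1024 || a.Unique*10 < a.Samples*9:
		a.Rating = "FAIR"
	default:
		a.Rating = "GOOD"
	}
	return a
}

func rateCapture(lines []string) (Assessment, error) {
	ports, err := portsFromCapture(lines)
	if err != nil {
		return Assessment{}, err
	}
	return assess(ports), nil
}

// synthCapture renders constructed tcpdump-style lines for a list of source ports.
func synthCapture(ports []int) []string {
	lines := make([]string, 0, len(ports))
	for i, p := range ports {
		lines = append(lines, fmt.Sprintf("12:00:%02d.000000 IP 192.0.2.10.%d > 198.51.100.53.53: %d+ A? example.com. (29)", i%60, p, 1000+i))
	}
	return lines
}

// Constructed samples modelling four resolver behaviours; none is a real ISP capture.
var (
	fixedPort  = []int{32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768}
	sequential = []int{32768, 32769, 32770, 32771, 32772, 32773, 32774, 32775, 32776, 32777, 32778, 32779}
	narrow     = []int{1030, 1087, 1041, 1099, 1025, 1063, 1072, 1034, 1090, 1051, 1046, 1081}
	wideRandom = []int{41235, 7912, 60231, 23877, 51004, 1999, 34560, 62811, 12345, 45678, 29301, 55120}
)

func main() {
	for name, sample := range map[string][]int{"fixed": fixedPort, "sequential": sequential, "narrow": narrow, "wide random": wideRandom} {
		a, err := rateCapture(synthCapture(sample))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s %+v\n", name, a)
	}
}
```

A dozen queries is enough to catch a fixed or sequential allocator; judging the width of a genuinely random range wants a few hundred samples, and the ApproxBits figure is only an upper bound on what the attacker has to guess, since a NAT device in front of the resolver can collapse a random range back to a predictable one.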