Infobyte has released a tool that targets insecure online updates. This is a case where I'm not sure that an automated testing tool is actually a good thing. I'm sure that with many of the exploitable applications the problem is the update process itself (the client trusts whatever it fetches from the update host, over a channel that anyone on the path can hijack) rather than a bit of insecure code that can be patched or disabled. In that situation, I'm not sure how constructive this tool would be for a pentester or analyst.
On the other hand, if it is used widely enough for illicit purposes, it may put enough pressure on vendors to fix their flawed update processes. I'm sure the repercussions of this tool will be felt for a long time to come.
From the Metasploit blog:
Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc.) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit. [From Metasploit: Evilgrade Will Destroy Us All]
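To make the "insecure fashion" concrete, here is an added example (my own code, not evilgrade's and not from Metasploit or any of the vendors named above) that models the attack class the toolkit automates. An update client fetches a manifest and an installer over plain HTTP; once a DNS spoof points the vendor's update hostname at the attacker, the client runs whatever the attacker serves. The hardened client beside it authenticates the update rather than the channel: it verifies a signature over the manifest with a key pinned in the binary and checks the installer's hash against the signed manifest. The hostname, manifest layout, server contents and "DNS" resolvers are all constructed for the example, and a Lamport one-time signature stands in for the Ed25519/RSA signature a real updater would use, purely so it runs on the standard library alone.

```python
"""Insecure vs. authenticated online-update check (added example, not evilgrade code)."""
import hashlib
import json
import os
from urllib.parse import urlsplit

UPDATE_HOST = "update.example.com"            # hypothetical vendor update host
MANIFEST_URL = f"http://{UPDATE_HOST}/update.json"


# Lamport one-time signature: stand-in for a real library signature scheme.
# Public key = hashes of 256 secret pairs; signing reveals one secret per bit
# of SHA-256(message). The client never holds anything it could sign with.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (b, s) in enumerate(zip(_bits(msg), sig)))


# Vendor side (constructed sample data): signed manifest, genuine installer.
VENDOR_SK, VENDOR_PK = lamport_keygen()
PINNED_PK = VENDOR_PK                          # baked into the client build
GENUINE_PAYLOAD = b"genuine installer bytes"
GENUINE_MANIFEST = json.dumps({
    "version": "1.0.1",
    "url": f"http://{UPDATE_HOST}/installer.exe",
    "sha256": hashlib.sha256(GENUINE_PAYLOAD).hexdigest(),
}, sort_keys=True).encode()
GENUINE_SIG = json.dumps(
    [s.hex() for s in lamport_sign(VENDOR_SK, GENUINE_MANIFEST)]).encode()

# Attacker side: without VENDOR_SK it can only forge an unsigned manifest, or
# replay the genuine signed manifest while swapping the installer body.
EVIL_PAYLOAD = b"attacker-controlled installer"
FORGED_MANIFEST = json.dumps({
    "version": "9.9.9",
    "url": f"http://{UPDATE_HOST}/evil.exe",   # same host: DNS already points at us
    "sha256": hashlib.sha256(EVIL_PAYLOAD).hexdigest(),
}, sort_keys=True).encode()
FORGED_SIG = json.dumps([os.urandom(32).hex() for _ in range(256)]).encode()

# Simulated web servers: host -> {path: body}
SERVERS = {
    UPDATE_HOST: {"/update.json": GENUINE_MANIFEST, "/update.json.sig": GENUINE_SIG,
                  "/installer.exe": GENUINE_PAYLOAD},
    "attacker-forge": {"/update.json": FORGED_MANIFEST, "/update.json.sig": FORGED_SIG,
                       "/evil.exe": EVIL_PAYLOAD},
    "attacker-replay": {"/update.json": GENUINE_MANIFEST, "/update.json.sig": GENUINE_SIG,
                        "/installer.exe": EVIL_PAYLOAD},
}


def honest_dns(host):
    return host


def spoofed_dns(evil_host):
    """DNS spoofing as the MITM helpers do it: the vendor's name resolves to the attacker."""
    return lambda host: evil_host if host == UPDATE_HOST else host


def fetch(url, resolve):
    """Plain-HTTP fetch: whoever answers for the name is trusted implicitly."""
    u = urlsplit(url)
    return SERVERS[resolve(u.hostname)][u.path]


def update_insecure(resolve):
    """Vulnerable client: follows the manifest and returns what it would execute."""
    manifest = json.loads(fetch(MANIFEST_URL, resolve))
    return fetch(manifest["url"], resolve)


def update_verified(resolve):
    """Hardened client: authenticate the update itself, not the channel."""
    manifest_bytes = fetch(MANIFEST_URL, resolve)
    sig = [bytes.fromhex(s) for s in json.loads(fetch(MANIFEST_URL + ".sig", resolve))]
    if not lamport_verify(PINNED_PK, manifest_bytes, sig):
        raise ValueError("manifest signature does not verify against pinned key")
    manifest = json.loads(manifest_bytes)
    payload = fetch(manifest["url"], resolve)
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("installer hash does not match signed manifest")
    return payload


def rejected(resolve):
    """True when the hardened client refuses the update under this resolver."""
    try:
        update_verified(resolve)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("insecure, spoofed DNS:", update_insecure(spoofed_dns("attacker-forge")))
    print("verified, spoofed DNS rejected:", rejected(spoofed_dns("attacker-replay")))
    print("verified, honest DNS:", update_verified(honest_dns))
```

The point of the split is that DNS, ARP or DHCP spoofing only ever changes which machine answers; it does not give the attacker the vendor's signing key. The insecure client hands either attacker variant its installer to run, while the verified client rejects the forged manifest on the signature check and the replayed manifest on the hash check. What this example does not cover is rollback: an attacker who replays an older, genuinely signed manifest together with its old installer passes both checks, so a real updater also needs to refuse versions older than the one already installed.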
