Getting In The Middle
Unpatched and out-of-date software is a common attack vector for penetration testers and attackers alike. Applications such as Adobe Reader and Microsoft Office are popular targets because of their widespread use on Windows systems and users' willingness to click on just about anything. Both can update themselves, much as the operating system does, but each updater covers only its own software package. What happens, however, when the update process itself is insecure? Enter a program called "evilgrade", which exploits this process to install software of an attacker's choosing. For the attack to succeed, the victim machine must first be subjected to a Man-In-The-Middle (MITM) attack.
MITM attacks are becoming more popular as recent research and tools have been released to make the attack easier, including:
- DNS cache poisoning - The infamous "Dan Kaminsky DNS attack", documented in a really nice Linux Journal Article, allows attackers to add entries to the DNS server of their choice using a combination of flaws in the query ID (QID) and bailiwick features of DNS. Once an attacker controls DNS, they can perform MITM attacks for selected domains. This can be detected with Nessus plugin ID 33447, Multiple Vendor DNS Query ID Field Prediction Cache Poisoning.
- WPAD - Microsoft Windows networks can be vulnerable to this attack if an attacker is able to register the "WPAD" hostname. Successful registration of this hostname allows the attacker to send browser configuration settings to each client that subsequently opens Internet Explorer. Microsoft just released a "Patch" for this vulnerability, but this has been controversial as it does not address all of the attack vectors. Nessus includes a plugin to check for the existence of this patch, plugin ID 35824, MS09-008: Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238).
- Wireless MITM Attacks - My two favorites in this category are Airpwn, which allows you to inject HTML into a user's browser via wireless packet injection, and HTTP response manipulation. HTTP response manipulation is an interesting attack vector covered by Josh Wright in The Pen Test Perfect Storm – Part 1, which details an unreleased program that responds to HTTP requests on the wireless network and injects HTML. These attacks are much harder to detect and protect against, and accomplish the same goal of putting the attacker in a position to perform MITM.
Intercepting Software Updates
Using any of the above methods, we can intercept and manipulate traffic between a client and server. Most client software that performs updates does so over HTTP without authentication or digital signature verification of the downloaded software. This allows an attacker to pose as the update site and install vulnerable versions of the software, or send down and install new software of their choosing. While evilgrade comes with many scripts for Windows software using insecure update mechanisms (such as Java and iTunes), I selected several OS X applications and decided to see just how they were doing their updates, and whether they were potentially vulnerable to the same attack vector. I chose common software that someone may run, such as:
- A Blog client
- A RSS News Reader
- An Audio Capture Program
All of the above software appears to exhibit the following behavior:
Step 1 - Check for software updates over HTTP using an RSS feed (each entry in the RSS feed represents a version, with an enclosure tag containing the corresponding version of the software).
Step 2 - If an update is available, connect to the web server and read the RSS feed, then download the latest software over HTTP.
Detecting Insecure Software Updates
Notice that in the above process there is no SSL encryption, authentication process or digital signature verification of downloaded content. This means that someone could quite easily write a plugin for evilgrade that would send down malware to vulnerable systems. In fact, there is already a plugin in evilgrade that takes advantage of the iTunes updater included with the Windows version of this product. It appears to update in the very same way as described above. To help detect this activity in your environment I worked with John Lampe of the Tenable research team and wrote a PVS plugin that will detect vulnerable applications downloading .dmg files:
id=9001
description=The remote client was running software on OS X which performed an insecure software update over HTTP. The file which was retrieved was: %L
name=POLICY - OS X insecure software update transfer
family=Generic
risk=MEDIUM
clientissue
# Sample packet contents:
# GET /feeder/downloads/Feeder_1.5.10.dmg HTTP/1.1
# User-Agent: Feeder763 CFNetwork/422.15.2 Darwin/9.6.0 (i386) (MacBookPro4%2C1)
regex=GET /.*\.dmg HTTP/1\.
The above plugin will find the GET request from the client containing the .dmg file used for the update. It will match the transaction based on the User-Agent string used by the application to make the HTTP connection. The above plugin produced the following alert:
192.168.1.66|0/tcp|9001|INFO|The remote client was running software on OS X which performed an insecure software update over HTTP. The file which was retrieved was: GET /feeder/downloads/Feeder_1.5.10.dmg HTTP/1
This rule can easily be extended to detect software updates on both Windows and OS X by matching the downloaded files and associated User-Agent strings (or other identifying characteristics of the transaction). This provides some insight into which applications in your environment are using an insecure method of software update.
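As an added example, not code from the post or from Tenable, here is the same check written in Go for offline review of captured requests: it applies the plugin's GET/.dmg regex, widened to Windows installer extensions as the paragraph above suggests, pulls out the User-Agent, and renders an alert in the PVS layout. The client addresses, the Windows updater name and the non-Feeder requests are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one client request that fetched an installer over plaintext HTTP.
type Finding struct {
	Client, Path, UserAgent string
}

// updateGet is the post's PVS regex widened to common Windows installer extensions
// (assumption: these are the file types worth tracking in your environment).
var updateGet = regexp.MustCompile(`^GET (/\S*\.(?:dmg|pkg|exe|msi)) HTTP/1\.`)

// InspectRequest examines one captured HTTP request (request line plus headers, CRLF or
// LF separated); the User-Agent is kept so the alert shows which application updated.
func InspectRequest(client, raw string) (Finding, bool) {
	lines := strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
	m := updateGet.FindStringSubmatch(lines[0])
	if m == nil {
		return Finding{}, false
	}
	f := Finding{Client: client, Path: m[1]}
	for _, h := range lines[1:] {
		if k, v, ok := strings.Cut(h, ":"); ok && strings.EqualFold(strings.TrimSpace(k), "User-Agent") {
			f.UserAgent = strings.TrimSpace(v)
		}
	}
	return f, true
}

// Alert renders a finding in the pipe-separated layout of the PVS log line in the post.
func Alert(f Finding) string {
	return fmt.Sprintf("%s|0/tcp|9001|INFO|insecure software update over HTTP: %s (User-Agent: %s)", f.Client, f.Path, f.UserAgent)
}

func main() {
	// Constructed samples: the Feeder request from the post, a Windows-style fetch, a page load.
	captures := map[string]string{
		"192.168.1.66": "GET /feeder/downloads/Feeder_1.5.10.dmg HTTP/1.1\r\nUser-Agent: Feeder763 CFNetwork/422.15.2 Darwin/9.6.0 (i386) (MacBookPro4%2C1)\r\n\r\n",
		"192.168.1.67": "GET /updates/setup_2.0.msi HTTP/1.1\r\nUser-Agent: ExampleUpdater/2.0\r\n\r\n",
		"192.168.1.68": "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
	}
	for client, raw := range captures {
		if f, ok := InspectRequest(client, raw); ok {
			fmt.Println(Alert(f))
		}
	}
}
```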
Protecting Software Updates
There are two separate fixes for this problem: build authentication into the software update process, and use HTTPS. Wrapping the transaction in HTTPS is only part of the solution, as recent research has shown that this process can be subverted (See Moxie Marlinspike's presentation and the SSL Strip tool here).
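As an added example, not code from the post or from any of the products it names, here is how a client could apply both fixes to the RSS-enclosure update flow described earlier: refuse any enclosure not served over HTTPS, and verify an Ed25519 signature over the installer bytes against a key pinned in the client. The sig attribute, the feed URL, the key pair and the installer bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Feed models the RSS layout from the post: one <item> per release with an <enclosure>
// for the installer. The "sig" attribute is an assumption: a hex Ed25519 signature.
type Feed struct {
	Items []struct {
		Enclosure Enclosure `xml:"enclosure"`
	} `xml:"channel>item"`
}
type Enclosure struct {
	URL string `xml:"url,attr"`
	Sig string `xml:"sig,attr"`
}

var ErrPlaintext = errors.New("update enclosure is not served over https")
var ErrSignature = errors.New("installer signature does not verify")

// ParseFeed decodes the feed the same way the vulnerable clients do.
func ParseFeed(data []byte) (f Feed, err error) {
	return f, xml.Unmarshal(data, &f)
}

// VerifyUpdate applies both fixes from the post: the download must use HTTPS, and the
// installer bytes must verify against a key pinned in the client, not one sent in the feed.
func VerifyUpdate(pub ed25519.PublicKey, enc Enclosure, installer []byte) error {
	if u, err := url.Parse(enc.URL); err != nil || u.Scheme != "https" {
		return ErrPlaintext
	}
	sig, err := hex.DecodeString(enc.Sig)
	if err != nil || !ed25519.Verify(pub, installer, sig) {
		return ErrSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	installer := []byte("constructed installer bytes")
	feed := fmt.Sprintf(`<rss><channel><item><enclosure url="https://updates.example.invalid/Feeder_1.5.10.dmg" sig="%x"/></item></channel></rss>`, ed25519.Sign(priv, installer))
	f, _ := ParseFeed([]byte(feed))
	fmt.Println(VerifyUpdate(pub, f.Items[0].Enclosure, installer)) // <nil>
}
```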
Tenable's product software updates are performed manually by the end user. This means that someone could still perform a MITM attack, so be certain that you are downloading new software from a network that has not been compromised. The Nessus and PVS plugin updates are all performed over HTTPS and use a signing mechanism for further validation.