
HD Moore mentioned this link (thanks!): ISR-Evilgrade v.1.0.0. So what is it and what does it do?
So: misusing the update mechanisms of certain software packages by spoofing DHCP, ARP, DNS and the like. Oh wait, did you say DNS cache poisoning? Wasn't that just made easy?

From the project's own description:

.:: DESCRIPTION
ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates.
* How does it work?
It works with modules; each module implements the structure needed to emulate a false update of a specific application/system.
Evilgrade needs to manipulate the victim's DNS traffic.
Attack vectors:
--------------
Internal scenario:
- Internal DNS access
- ARP spoofing
- DNS Cache Poisoning
- DHCP spoofing
External scenario:
- Internal DNS access
- DNS Cache Poisoning
* What are the supported OSes?
The framework is multiplatform; it only depends on having the right payload for the target platform to be exploited.
Implemented modules:
-------------------
- Java plugin
- Winzip
- Winamp
- MacOS
- OpenOffice
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- Speedbit
Well, they have a video demonstrating the combination of these tools. Just watch it and see how easily they get a reverse shell on a PC that merely requests a Java update check. It gives another view on security and on using (trusting) update functions.
Possible countermeasures?
- Avoid the affected applications if possible
- Use secure/patched DNS servers
- Make sure you are using a secure LAN (port security, 802.1X, etc.) and/or restrict physical access
- Use static ARP entries for gateways if possible
- Use a software deployment platform to distribute/update software packages
- ....
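The root problem the post describes is an update check that trusts whatever the resolved update host serves. The following is an added example (not code from the post or from Evilgrade) that puts such a naive client beside a client that pins the publisher's Ed25519 key and verifies a signed manifest. The resolver and server maps, the host name update.example.test, the addresses and the payloads are all constructed stand-ins for the network:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Manifest is what an update check fetches. Sig covers version and payload hash; the naive client ignores it.
type Manifest struct {
	Version string
	Payload []byte
	Sig     []byte
}
// signedBytes binds the version to the exact payload bytes being served.
func signedBytes(m Manifest) []byte {
	sum := sha256.Sum256(m.Payload)
	return append([]byte(m.Version+"|"), sum[:]...)
}
// resolver models the victim's DNS view and servers maps an address to what it serves (both hypothetical).
// Evilgrade works by controlling the resolver so the update host name points at the attacker's server.
type resolver map[string]string
type servers map[string]Manifest
// naiveUpdate is the poor implementation: whatever the resolved host serves gets installed.
func naiveUpdate(dns resolver, srv servers, host string) []byte {
	return srv[dns[host]].Payload
}
// verifiedUpdate accepts a payload only if the manifest verifies under the publisher
// key pinned in the client, so redirecting the DNS answer alone gains nothing.
func verifiedUpdate(dns resolver, srv servers, host string, pub ed25519.PublicKey) ([]byte, error) {
	m := srv[dns[host]]
	if !ed25519.Verify(pub, signedBytes(m), m.Sig) {
		return nil, errors.New("manifest signature invalid: update rejected")
	}
	return m.Payload, nil
}
// Scenario builds a signed legitimate manifest, a forged one on the attacker's host and a
// poisoned resolver (all constructed), then returns what each client would install.
func Scenario() (naiveGot, verifiedGot []byte, verifiedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	legit := Manifest{Version: "1.1", Payload: []byte("legitimate-installer")}
	legit.Sig = ed25519.Sign(priv, signedBytes(legit))
	forged := Manifest{Version: "9.9", Payload: []byte("attacker-payload"), Sig: make([]byte, ed25519.SignatureSize)} // no publisher key
	srv := servers{"10.0.0.5": legit, "10.0.0.66": forged}
	dns := resolver{"update.example.test": "10.0.0.66"} // poisoned; should be 10.0.0.5
	naiveGot = naiveUpdate(dns, srv, "update.example.test")
	verifiedGot, verifiedErr = verifiedUpdate(dns, srv, "update.example.test", pub)
	return
}
```

With the poisoned resolver the naive client installs the attacker's payload while the verifying client rejects the manifest, which is the gap the countermeasures above (secure DNS, port security, static ARP) only narrow rather than close.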
(Photo under Creative Commons from Lasse Havelund's Photostream)