
Evilgrade is like Firesheep for Software Updates - r11t
http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt
======
gfodor
Firesheep is firesheep because it's easy enough for random college freshmen to
use. This is a commandline tool so it is no Firesheep.

------
gojomo
Are the latest versions of Skype, VMWare, and others listed there at risk of
software-update hijacking, with no cryptographic verification of update
payloads?

~~~
dinedal
VMWare is in the compatibility list, so that's a yes there.

~~~
gojomo
I see it on the EvilGrade page; I'm asking here for independent confirmation.

~~~
dguido
Yeah, Virtual Infrastructure and VSphere clients download updates over HTTP
from a URL that looks like:
http://www.vmware.com/vmware<%RND1%>.exe

------
makuro
Seems like something metasploit would do. If you're a budding security nut and
you haven't tried some 'sploitin, you should definitely give it a go.

~~~
dguido
True that. But AFAIK metasploit doesn't have exactly this kind of
functionality. It would be nice if someone would port it though...

------
dguido
Here's the list of supported apps:

* Freerip 3.30

* Jet photo 4.7.2

* Teamviewer 5.1.9385

* ISOpen 4.5.0

* Istat

* Gom 2.1.25.5015

* Atube catcher 1.0.300

* Vidbox 7.5

* Ccleaner 2.30.1130

* Fcleaner 1.2.9.409

* Allmynotes 1.26

* Notepad++ 5.8.2

* Java 1.6.0_22 winxp/win7

* aMSN 0.98.3

* Appleupdate <= 2.1.1.116 ( Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)

* Mirc 7.14

* Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)

* Dap 9.5.0.3

* Winscp 4.2.9

* AutoIt Script 3.3.6.1

* Clamwin 0.96.0.1

* AppTapp Installer 3.11 (Iphone/Itunes)

* getjar (facebook.com)

* Google Analytics Javascript injection

* Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8

* Winamp 5.581

* TechTracker (cnet) 1.3.1 (Build 55)

* Nokiasoftware firmware update 2.4.8es * (Windows software)

* Nokia firmware v20.2.011

* BSplayer 2.53.1034

* Apt ( < Ubuntu 10.04 LTS)

* Ubertwitter 4.6 (0.971)

* Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45

* Cpan 1.9402

* VirtualBox (3.2.8 )

* Express talk

* Filezilla

* Flashget

* Miranda

* Orbit

* Photoscape

* Panda Antirootkit

* Skype.

* Sunbelt

* Superantispyware

* Trillian <= 5.0.0.26

* Adium 1.3.10 (Sparkle Framework)

* VMware

* more...

------
mustpax
Firesheep only requires that you sniff unencrypted traffic but this requires
that you make DNS requests resolve to an address of your choice. The latter is
much harder to do. You either need to control the wireless router or break the
DNS server some way.

~~~
tomjen3
True but not that much - it wouldn't be difficult to inject a reply on an
unencrypted wireless network, you just have to sniff the traffic and then reply
faster than the wireless network and then blast the reply out with a higher
signal.

Since everything is cached locally for you, replying faster shouldn't be an
issue, and you can sit closer to your intended victim than the wireless
router, which should give you a better signal.

------
vasi
It says it supports Adium (Sparkle) updates, but Adium definitely uses digital
signatures, see /Applications/Adium.app/Contents/Resources/dsa_pub.pem .
So...is there something I'm missing? Has anybody tested this?

~~~
dguido
Adium definitely gets its update list over HTTP, so maybe it just prompts the
user if the signatures don't match and lets them install anyway?

The relevant module in evilgrade is sparkle.pm if you want to check it out.

------
al_james
Can anyone outline how a software package would protect against this?

~~~
jgrahamc
Use SSL for the connection to the update server.

~~~
swolchok
A secondary method for authenticating updates would also be wise. When Moxie
Marlinspike's null-prefix SSL bug landed, people with vulnerable versions of
Firefox were somewhat screwed: Firefox used only SSL to ensure the
authenticity and integrity of updates, but SSL was broken, so the update
fixing SSL security couldn't be authenticated!
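
The layered check swolchok describes (a signature on the update itself, independent of the transport), as an added example that is not from this thread, from evilgrade, or from any of the applications named: the client pins the publisher's Ed25519 key, verifies a signed manifest, rejects rollback, and only then checks the payload hash. The manifest layout, key material and sample payload are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest describes one release; the client trusts it only if it verifies under the pinned key.
type Manifest struct {
	Version    int    // monotonically increasing release number, used for the rollback check
	PayloadSHA string // hex SHA-256 of the update binary
}

// encode gives the canonical bytes that are signed; a fixed layout avoids ambiguity.
func (m Manifest) encode() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.PayloadSHA))
}

// SignManifest is the publisher side: sign the canonical manifest with the release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the client side: signature under the pinned key, then version must be
// newer than what is installed, then the payload must hash to what the signed manifest names.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return fmt.Errorf("manifest signature invalid: not signed by pinned publisher key")
	}
	if m.Version <= installed {
		return fmt.Errorf("manifest version %d is not newer than installed %d (rollback)", m.Version, installed)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return fmt.Errorf("payload hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	payload := []byte("constructed sample update binary")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: 2, PayloadSHA: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, 1, m, sig, payload))   // <nil>
	fmt.Println("tampered:", VerifyUpdate(pub, 1, m, sig, []byte("x"))) // hash mismatch
}
```

A manifest fetched over plain HTTP, as the thread describes for several of the listed apps, gains nothing from the transport; this check is what stops a swapped payload from being installed even when DNS or the network is under someone else's control.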

------
olalonde
If you don't get it I recommend watching the screencast
<http://www.infobytesec.com/demo/evilgrade.htm>

------
olalonde
What's "Internal DNS access"? Host file access?

