Tuesday August 05, 2008 | Malte Timmermann's Blog: Malte about some of his work at Sun Microsystems, Inc.
Evilgrade and OpenOffice.org - Online updates really can be dangerous

Many people are discussing Evilgrade today - a toolkit for exploiting products which perform online updates in an insecure fashion: the attacker redirects the product's update host (typically by controlling DNS resolution) to a server of his own, which then hands the update client a malicious package that the client installs as if it were genuine. The idea of the attack is well described on pages 9 and 10 of this PDF document:
Step 4 is the real issue here. Everyone who cares about security knows never to install software whose origin they do not know and whose integrity they have not verified. This can (and should!) be done by comparing the hash sum of the downloaded package with the value published on the project's download page. Signed installation packages would make this step a bit easier and nicer, but we don't have that right now. And if users are expected to do this, then applications that install software on their behalf of course MUST do it too - unfortunately many, including OOo, don't...

I hope we will have signed packages for OOo soon. Users can work around the issue by verifying the MD5 sums themselves, but OOo itself shouldn't contact some server to fetch the MD5 values: the server could be compromised, or (as in the Evilgrade scenario) the request could be redirected to the attacker's server, and whoever controls the package download can just as easily publish a matching checksum. (I must admit that the same can happen to a user who lands on a fake server that looks identical to the original one...) Signed update packages seem to be the only viable solution to me.

Using HTTPS for contacting the update server would also be a good thing. But that alone wouldn't help: the client would have to validate the certificate strictly, and even then, unlikely as it is, the faked server could also present a valid certificate for the update host.

As long as we don't have signed packages, it might be reasonable to use the update check in OOo only to check for updates, and maybe also for downloading them, but not to use the install feature without checking the MD5 sums manually. MD5 sums for OOo releases can be found here: http://download.openoffice.org/md5sums.html

That was the technical part, and you can see that the problem is real. The open question is: How likely is it that someone will really be able to control your system's DNS resolution? In the intranet of a company it's very likely, but only the IT department should be able to do that (in theory). For people at home I don't think that the risk is so big, but maybe I underestimate that.
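The following is an added example, not code from the original post and not OpenOffice.org's update client. It shows the check the post asks for: a package is accepted only if its digest matches an md5sums-style list (one "hash  filename" line per package, as on the OOo download page) that the user obtained out of band, and it plays through the Evilgrade situation to show why fetching the checksum list from the same redirected server gains nothing. The package name and its contents are constructed for illustration; MD5 is used because that is what OOo publishes, and the same routine works unchanged with a stronger digest.

```python
"""Checksum verification for an update package against a pinned md5sums list.

Added example, not part of the original post or of OpenOffice.org's update code.
Package name and contents below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict


def publish_md5sums(packages: Dict[str, bytes]) -> str:
    """Publisher side: build an md5sums-style list ('hash', two spaces, file name)."""
    lines = []
    for name, data in sorted(packages.items()):
        lines.append(f"{hashlib.md5(data).hexdigest()}  {name}")
    return "\n".join(lines) + "\n"


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse 'hash  filename' lines into {filename: hash}; skip blanks and comments."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed md5sums line: {raw!r}")
        digest, name = parts
        # GNU md5sum marks binary-mode entries with a leading '*'; drop it.
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_download(name: str, data: bytes, md5sums_text: str) -> bool:
    """Client side: accept the package only if its digest matches the pinned list.

    A package the list does not vouch for is rejected, never installed 'anyway'.
    """
    expected = parse_md5sums(md5sums_text).get(name)
    if expected is None:
        return False
    actual = hashlib.md5(data).hexdigest()
    # Constant-time comparison; not strictly needed for a public digest, but cheap.
    return hmac.compare_digest(actual, expected)


# --- constructed scenario ----------------------------------------------------

PACKAGE = "OOo_2.4.1_LinuxIntel_install.tar.gz"  # hypothetical file name
GENUINE = b"\x1f\x8b genuine installer bytes (constructed)"
TROJANED = b"\x1f\x8b installer carrying the attacker's payload (constructed)"

# The list the project publishes on its download page; the user fetched it
# out of band, so the attacker controlling the update host cannot alter it.
TRUSTED_LIST = publish_md5sums({PACKAGE: GENUINE})


def scenario() -> Dict[str, bool]:
    """Outcomes of the update check when DNS points the client at an attacker."""
    # The attacker's 'update server' serves a trojaned package AND a matching list.
    attacker_list = publish_md5sums({PACKAGE: TROJANED})
    return {
        # Honest download, checked against the out-of-band list: accepted.
        "genuine_vs_trusted_list": verify_download(PACKAGE, GENUINE, TRUSTED_LIST),
        # Trojaned download, checked against the out-of-band list: rejected.
        "trojaned_vs_trusted_list": verify_download(PACKAGE, TROJANED, TRUSTED_LIST),
        # Trojaned download, checked against the list fetched from the same
        # server: passes, which is exactly why in-band checksums are no defence.
        "trojaned_vs_server_list": verify_download(PACKAGE, TROJANED, attacker_list),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The third case is the point of the post: a checksum only protects you if it reaches you over a path the attacker does not control, which is why the download page (or, better, a signature the client can verify locally) has to be the source, not the update server the client was redirected to.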
For home users, it's more likely that they download and run some Trojan horse which manipulates DNS resolution locally by modifying the hosts file or running a local DNS server. But then it's not the next update of some software you have to worry about - your system is already compromised, since you allowed some malicious software to run on it...

Posted by Malte Timmermann ( Aug 05 2008, 05:58:26 PM CEST )