Tuesday August 05, 2008 | Malte Timmermann's Blog: Malte about some of his work at Sun Microsystems, Inc.
Evilgrade and OpenOffice.org - Online updates really can be dangerous

Many people are discussing Evilgrade today, a toolkit for exploiting products which perform online updates in an insecure fashion. The idea of the attack is well described on pages 9 and 10 of this PDF document:
Step 4 is the real issue here. All security-aware people know that they should NEVER install any software when they don't know its origin, and never without verifying the integrity of the package. This can (and should!) be done by comparing hash sums against the values you get from the project's download page. Signing the installation packages would make this step a little easier and nicer, but we don't have that right now. If people are expected to do that, then applications of course MUST do it as well; unfortunately many, including OOo, don't...

I hope we will have signed packages for OOo soon: while people can work around the issue by verifying MD5 sums manually, OOo shouldn't contact some server to fetch the MD5 values, because that server could be compromised, and the same DNS manipulation that redirects the download would redirect the hash lookup as well. (I must admit that this can also happen with a user visiting a fake server which looks identical to the original one...) Signed update packages seem to be the only viable solution to me.

Using HTTPS for contacting the update server would also be a good thing. But that alone wouldn't help, since, even if this is quite unlikely, the faked server could also have a valid certificate; and HTTPS only helps at all if the client actually verifies the certificate chain and the host name instead of accepting any certificate. As long as we don't have signed packages, it might be reasonable to use the update check in OOo only to check for updates, and maybe also to download them, but not to use the install feature without checking the MD5 sums manually. MD5 sums for OOo releases can be found here: http://download.openoffice.org/md5sums.html

That was the technical stuff, so you see the problem is real. The open question is: how likely is it that someone really will be able to control your system's DNS resolution? In the intranet of a company it's very likely, but only the IT department should be able to do that (in theory). For people at home I don't think that the risk is sooo big, but maybe I underestimate it.
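The manual procedure described above (download the package through whatever channel the updater offers, obtain the published hash list separately, and only install if the two agree) is what an updater should do by itself. The following is an added example written for this page, not code from OpenOffice.org or its update client. The package name, the hash list and the file contents are constructed placeholders; the only real value is the MD5 digest of the sample payload. It assumes Python 3 and only the standard library.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed trusted hash list in the "<hexdigest>  <filename>" layout used by
# `md5sum -c` and by the md5sums.html page linked above.  The package name is a
# hypothetical placeholder; the digest is that of the constructed sample payload
# below, not of any real OpenOffice.org release.
TRUSTED_SUMS = """\
# constructed example list; the real one must be fetched out-of-band
9e107d9d372bb6826bd81d3542a419d6  OOo_example_package.tar.gz
"""

# Constructed sample payloads standing in for the genuine and a swapped package.
GENUINE_PAYLOAD = b"The quick brown fox jumps over the lazy dog"
TAMPERED_PAYLOAD = b"The quick brown fox jumps over the lazy dog."


class IntegrityError(Exception):
    """Raised when a downloaded package must not be installed."""


def parse_sums(text):
    """Parse a hash list into {filename: hexdigest}.

    Blank lines and '#' comments are skipped, a leading '*' (md5sum's binary
    marker) is stripped from the name, and malformed lines are rejected rather
    than ignored, so a truncated or corrupted list cannot pass as complete."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if not name or not digest or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed hash list line: %r" % raw)
        sums[name] = digest
    return sums


def digest_file(path, algo="md5"):
    """Stream the file through the chosen hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, trusted_sums, algo="md5"):
    """Return True if the file matches the trusted entry for its basename.

    Raises IntegrityError if the name is absent (an update the project never
    published) or the digest differs (a swapped package)."""
    name = os.path.basename(path)
    expected = trusted_sums.get(name)
    if expected is None:
        raise IntegrityError("no trusted digest published for %s" % name)
    actual = digest_file(path, algo)
    # constant-time comparison of the two hex strings
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError("digest mismatch for %s: got %s, expected %s"
                             % (name, actual, expected))
    return True


def install_if_verified(path, trusted_sums, install, algo="md5"):
    """Run the install callback only after verification succeeds; the
    IntegrityError propagates, so a caller cannot forget to check a flag."""
    verify_package(path, trusted_sums, algo)
    return install(path)


def demo():
    """Write the constructed packages to a temp dir and exercise the gate.
    Returns the outcome per case so it can be checked programmatically."""
    trusted = parse_sums(TRUSTED_SUMS)
    tmp = tempfile.mkdtemp()
    cases = {
        "genuine": ("OOo_example_package.tar.gz", GENUINE_PAYLOAD),
        "tampered": ("OOo_example_package.tar.gz", TAMPERED_PAYLOAD),
        "unlisted": ("OOo_example_package_2.tar.gz", GENUINE_PAYLOAD),
    }
    results = {}
    for label, (name, data) in cases.items():
        sub = os.path.join(tmp, label)
        os.mkdir(sub)
        path = os.path.join(sub, name)
        with open(path, "wb") as f:
            f.write(data)
        try:
            results[label] = install_if_verified(path, trusted, lambda p: True)
        except IntegrityError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The whole security of this gate rests on where `trusted_sums` comes from: it has to reach the client over a channel the DNS attacker does not control, which is exactly why the post says the updater must not fetch the hash values from the same server it downloads from. Two caveats a practitioner would add: the list binds a digest to a file name, so a package served under a different name is refused rather than silently accepted; and MD5 has had practical collision attacks since 2004, so a published MD5 list protects against a swapped download but not against a party who can influence the genuine build and ship a colliding twin. The `algo` parameter lets the same code consume a SHA-256 list instead.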
For home users, it's more likely that they download and run some Trojan horse which manipulates DNS resolution locally by modifying the hosts file or running a local DNS server. But then it's not the next update of some software you have to worry about: your system is already compromised, since you allowed malicious software to run on it...

Posted by Malte Timmermann ( Aug 05 2008, 05:58:26 PM CEST )
Trackback URL: http://blogs.sun.com/malte/entry/evilgrade_and_openoffice_org
Given the latest DNS vulnerabilities VU#800113 (see http://www.kb.cert.org/vuls/id/800113) and the Heise articles
http://www.heise.de/security/Massives-DNS-Sicherheitsproblem-gefaehrdet-das-Internet--/news/meldung/110641 and
http://www.heise.de/security/Exploits-fuer-DNS-Schwachstellen-veroeffentlicht--/news/meldung/113266 (German),
it isn't far-fetched that even home users may access a poisoned DNS cache, be it via the internet provider still running an insecure DNS, or the home user's DSL router running DNS caching software or dnsmasq that isn't updated, e.g. proprietary firmware or OpenWrt, DD-WRT or Tomato. Updates are available for DD-WRT and Tomato (still not for OpenWrt, it seems) but have to be installed.
Posted by Eike Rathke on August 05, 2008 at 11:05 PM CEST #
Open question? "How likely is it that someone really will be able to control your system's DNS resolution?" Really?? Did you miss all the DNS news of the last month? It is _VERY_ likely. There are ./hack tools released for this now; they're in Metasploit. It takes anywhere from 1-10 seconds to do this, and from what I've read, people are exploiting the DNS issue in the wild. The problem with the DNS issue Kaminsky found (that's used in Metasploit, which Evilgrade uses) is that you're still kind of vulnerable after you've patched... it'll just take a little bit longer to poison a DNS server. Instead of 10 seconds it'll now take a couple of hours, or maybe a day, and cause some noise. There is also a tool released to exploit the bug for the 'patched' DNS servers. So to answer your open question, it is _VERY_ likely someone will be able to poison your ISP's DNS server. The OO update system as it is right now is just weak and needs to be fixed!
Posted by ilja on August 06, 2008 at 12:33 AM CEST #