Security researcher publishes exploit toolkit
An Argentinian security researcher has published an exploit toolkit that targets the update mechanisms of Java, Mac OS X, OpenOffice.org and other software. It relies on man-in-the-middle techniques, such as those made possible by the recently disclosed DNS security hole, to feed a victim a fake update.
The toolkit, ISR-Evilgrade 1.0, was released by Francisco Amato, a researcher with Infobyte Security Research. The initial version includes modules targeting Java, WinZip, WinAmp, Mac OS X, OpenOffice.org, iTunes, the LinkedIn Toolbar, the download accelerator DAP, Notepad++ and Speedbit. According to the toolkit's Readme file, each module implements the structures needed to emulate a fake update for one specific application or operating system.
He has released a demonstration video in which the toolkit uses a DNS exploit, recently released by H.D. Moore of the Metasploit Project, to target the Java update mechanism and execute attack code on a fully patched Windows system. Amato notes: "The framework is multi-platform, it only depends on having the right payload for the target platform to be exploited." The attack vectors he lists include internal DNS access, ARP spoofing, DNS cache poisoning and DHCP spoofing. He has also released a set of slides (PDF) detailing the system.
Last week several exploits were released that take advantage of the DNS security problems first revealed by Dan Kaminsky. One of them can not only manipulate the resource records for a particular address, but can also directly replace the cached entry for the nameserver responsible for a particular domain. This lets attackers redirect not just a single name, such as www.example.com, to their server, but every host under the example.com domain. Both attacks rely on a birthday attack: the resolver is made to issue many queries at once, each carrying its own 16-bit transaction ID, while the attacker floods it with forged replies that guess those IDs and carry additional records (the bogus nameserver entry) alongside the answer. According to the extensively commented exploit code, it was successfully tested against BIND 9.4.1 and 9.4.2. Behind the exploits is Metasploit exploit framework author H.D. Moore, who told US media that the tool needed one to two minutes to poison a cache. Kaminsky, who discovered the hole, thinks this can be done in a matter of seconds.
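To make the birthday arithmetic behind those one-to-two-minute figures concrete, here is an added toy model of the race. It is not the article's or H.D. Moore's code: a stand-in resolver keeps a set of outstanding queries keyed by transaction ID, an attacker triggers many lookups for random names under a zone and floods the resolver with forged replies carrying a bogus NS record, and an exact formula is checked against a Monte Carlo run. The zone name, the attacker's address 198.51.100.7 and the query counts are constructed values. As background not taken from the article, the model also includes a resolver that randomizes its UDP source port, the mitigation that was deployed against this hole; the 2^16 port range is an upper bound, since real resolvers use a narrower ephemeral range.

```python
"""
Toy model of the DNS cache-poisoning race: a resolver with several
outstanding queries tagged by random 16-bit transaction IDs, and an
attacker flooding spoofed replies that guess those IDs.  A reply whose
guess matches is accepted, and the NS record it carries in its additional
data replaces the cached nameserver for the whole zone.

Constructed illustration, not the released exploit code.
"""
import random

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # upper bound on the UDP source-port range (assumption)


class ToyResolver:
    """Minimal stand-in for a caching resolver's reply-matching logic."""

    def __init__(self, randomize_port=False):
        self.randomize_port = randomize_port
        self.pending = {}   # (txid, source_port) -> queried name
        self.cache = {}     # owner name -> record data

    def send_query(self, qname):
        txid = random.randrange(TXID_SPACE)
        sport = random.randrange(PORT_SPACE) if self.randomize_port else 53
        self.pending[(txid, sport)] = qname
        return txid, sport

    def receive(self, txid, dport, records):
        """Accept the reply only if it matches an outstanding query; on a
        match, cache every record it carries (answer and additional data).
        Returns True when the reply was accepted."""
        key = (txid, dport)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.cache.update(records)
        return True


def poison_round(resolver, zone, evil_ns_ip, n_queries, n_replies):
    """One attack round: n_queries lookups for random, uncached names
    under the zone are triggered, then n_replies spoofed replies with
    distinct TXID guesses are sent.  Each spoofed reply carries a bogus
    NS record for the zone as additional data (the answer section is
    omitted in this model).  Returns True if any reply was accepted."""
    names = [f"{random.getrandbits(32):08x}.{zone}" for _ in range(n_queries)]
    for name in names:
        resolver.send_query(name)
    forged = {f"ns.{zone}": evil_ns_ip}   # attacker's NS for the whole zone
    hit = False
    for txid in random.sample(range(TXID_SPACE), n_replies):
        dport = random.randrange(PORT_SPACE) if resolver.randomize_port else 53
        if resolver.receive(txid, dport, forged):
            hit = True
            break
    resolver.pending.clear()   # unmatched queries time out
    return hit


def p_success(n_queries, n_replies, randomize_port=False):
    """Exact success probability of one round: n_replies distinct guesses
    against n_queries independent uniform IDs (the birthday effect)."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return 1 - (1 - n_replies / space) ** n_queries


def simulate(n_queries, n_replies, trials, randomize_port=False, seed=1):
    """Monte Carlo estimate of the per-round success rate."""
    random.seed(seed)
    hits = 0
    for _ in range(trials):
        r = ToyResolver(randomize_port)
        hits += poison_round(r, "example.com", "198.51.100.7", n_queries, n_replies)
    return hits / trials


if __name__ == "__main__":
    for ports in (False, True):
        print(f"port randomization={ports}: "
              f"exact={p_success(300, 300, ports):.4f} "
              f"simulated={simulate(300, 300, 2000, ports):.4f}")
```

With 300 outstanding queries and 300 forged replies, a TXID-only resolver is poisoned in roughly three rounds out of four, which is why a few hundred packets per round adds up to minutes rather than hours; adding a random source port multiplies the search space by the port range and drives the same round's success rate to the order of 10^-5.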