Risk

7/31/2009
03:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Defcon: New Hack Hijacks Application Updates Via WiFi

Researchers will release a tool that lets attackers replace application updates with malware

DEFCON 17 -- LAS VEGAS, NV -- Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. The researchers, who will present their research at the Defcon17 hacker confab, also will release a tool they developed for the targeted attack that can inject a phony but realistic-looking update alert or hijack an ongoing update session, and lure the user to download malware instead.

"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: it's malware."

The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized user's machine can attack other machines in its proximity on the WiFi network. "You can take it to a self-propagation method and have it do the same to another victim," he says.

Kotler won't reveal the names of the around 100 applications that are vulnerable to the attack, but said they are the "everyday apps" people use, including CD burners, video players, and other popular apps. Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it's safe" from the attack, he says.

The tool can also be used to attack legitimate applications and Websites. "I can do damage and convince it that this application or Website is malicious," he says.

The attack takes advantage of unsecured WiFi as well as the way these apps run their update processes unsecurely, he says. Users running VPN sessions over WiFi are safe from the attack. "If we're in range [on WiFi], we monitor HTTP requests," he says. "The victim either has to be updating, or you can fake them into thinking there's" an update, he says.

Kotler says the attack basically shuts out the real server and "puts it on mute."

"I don't have to supply a binary -- all I have to do is inject a packet for HTTP redirection," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
CVE-2019-3858
PUBLISHED: 2019-03-21
An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.