My name is Francisco Amato. I'm Federico Kirschbaum. We are from Argentina. It's a little bit south. And well, we will present the new version of Evilgrade. How many of you know Evilgrade? I see you have your hands, OK? Hola, OK. Well, we'll start. Topics, well, will be different types of implementation of fake updates. The idea of the framework is to inject binaries through a process of updates and get access to a computer. That's the idea. Basically, when we were working as penetration testers, we were looking for new ways to pwn our clients. And while we were working, we saw that many update processes are vulnerable. I think many people over here know that. So basically, this tool helps you do that. Well, a simple update process is quite all the same. The process starts, goes to a website, checks, gets a file with information. This file depends on the application. It checks if there is a new update. If there is a new update, the process downloads a binary and executes it. So what is the problem? Most of the people, at least my mom, trust every single window that the computer gives you. So we are taking advantage of that, of that trust that it gives to the user. I think many of you, when you're working with your machine, you get like, oh, there is a new application for Java. There is a new version for iTunes. So in here, we try to exploit that trust from the user and the application. Evilgrade was first coded by Francisco. And we released it in 2008 with 10 modules. It's coded in awesome Perl, for the fans. No, not too many Perl lovers, right? Yeah. It is an open source project. This new version, these new versions include SSL, DNS server, well, we fixed a lot of problems, and we added 52 new modules. So basically, the module thing: each update process is quite custom, the payload is quite custom. So for every kind of update framework, or application, we develop a module, a generic module, that is quite easy to code and easy to implement.
The only thing, the little detail that Evilgrade does, its magic, is handling DNS traffic. I know it's not really easy, but in places like DEF CON, it is. Yeah. So this is interesting. Well, the attack is quite simple. You have to manipulate the DNS requests of the victim. So the idea is to change the update process to send the information to ours, send a vector. The panel, the implementation of the module, the application that you are trying to attack. The different scenarios to attack are, well, you can, in internal DNS, in internal scenarios, you can do ARP spoofing, DNS cache poisoning, you can create a fake wireless exploit. Well, also imagine how many DSL routers are out there without any kind of password or they are using the default password. So you have 52 reasons to make a little botnet in just, I don't know, a few hours of scanning. I think most of you, I think most of you know Kaminsky's exploit and Shodan, the search engine. It has some prefixes so you can find default passwords, routers with default passwords. Metasploit has a lot of ways to help you do that and any packet mangling tool will do the trick. The framework is multi-platform. Only the module has to attack the update process, the application that you are going to attack. In this new version, the different operating systems that you have are Apple, Linux, Microsoft. Some of the modules can attack the update process of the applications and the system, the operating system. So these are some of the modules. We have Java, CPAN, Debian APT, OpenOffice, iTunes. Well, this is like a... I think many of those applications are in your computers, at least on mine. That's why we investigated those. So we have a lot of modules that can be used during the penetration test. And doing slides is quite boring, especially for us. So we are going to do some memos, not memos, demos. Okay. I will leave. Hi. Okay. Well, we start the framework.
Basically, the framework is a slow web server and DNS server because it's written in Perl. The main idea is not to be really fast, but it does its job. Okay. As you can see, you can see the loaded modules. We are going to review a few starting from Windows. Yeah. We'll start with the last version of Java. The ones that raised your hands before, that knew Evilgrade, you must know that Java was in the first edition. This was later patched by Java, but they did it wrong. And so we are releasing today how to bypass the patch from Java. That's... So we execute the binary that checks the updates. We can see over here the different connections that the victim sends to our framework. You can see over here the normal pop-ups saying, I have a new update. Every piece of information that you see in that sign is in XML. So basically you can put whatever you like. And the main idea is to make some fear in the user because he has to click on the wizard, right? I left over here a listener waiting for a remote shell. Basically, this is how we bypass it. Java now only accepts binaries signed by Java itself. So we cannot plant a Metasploit payload. But what we are doing is giving a Java binary, it's the Web Start, but we control the arguments. So what it's going to do is give the Java Web Start with arguments that download a Java shell from the internet. So it's fixing this vuln, this patch. We click install, we see over here, we are sending the Java Web Start, which is signed by Java. So we can bypass the protection. And because we modify the arguments in the execution, we can tell the Java Web Start to download a JAR file from our server. Well, this sign, it's because we are cheap bachelors and we didn't pay 35 bucks for the certificate for the JAR. If you're willing to pay, you can get rid of that awful message, I don't care. So it is executed. And now we have a shell on the last version of Java. So it is quite interesting because Java is everywhere.
This version, it only applies to Windows and at least not in other frameworks. So we are going to do some more. Do you want to see some more demos? Yeah. Come on, come on. Give it up. Okay. That's it. Okay. We'll see iTunes, QuickTime, and Safari. All these applications work with an update process, in Windows, with the same update process. This process checks that the binary has to be signed by, by, oh, sorry. By them. So we find it in, I will see, I will show it over here. Okay. We run the application. So all of you that have an iPhone and have a Windows platform, I think you know that little thing over there. So it is in Spanish, it's not really, that's why maybe you don't understand it. The thing that the screen says, but it's quite the same structure. What we do here is we insert cross-site scripting over here. So we basically send the, we open an Internet Explorer with a binary and over here is a simple notepad. Because if we go to the next level in the implementation, we are fucked because they check that the binary is signed by Apple. So I don't have, okay, it's executed. And we have a simple notepad. Let me see. Maybe we can do the Debian. I think many people over here use APT, Ubuntu or whatever, okay. So let's do that, it's fun. So the only thing that many of you I think are thinking, oh, but Debian uses GPG or it signs the packages. So how can you do it? So basically we insert ourselves as a source. So for this to be able to work, you must do an APT upgrade. Most of the people that I know, every time they do an update, they do an upgrade first because they want the last version. So we'll be installing the beam. We see over here the connection. It takes a little to just include the package. Let's hope it works. We'll see over here. We add to the beam our binary. So we have this as a dependency. So we have this warning, but most of the administrators will say yes. One of the main problems of the framework, it's slow sometimes, especially on presentations.
They tend to do that. So some serious warnings, but after you know it, it starts, I will cut the show. And you have root. So for places like this and people who is, oh, I need that tool for breaking into, it can work. It will work. I think it works every time. So, would you know another application? We should see, how much time do we have? Oh, okay, we have time. We'll see CPAN. How many of you here code in Perl? Why not? So, you know, yeah. Let's do the CPAN. I have to kill, well, I only had to do what package I wanted to install. Maybe, I don't know, Games::Bingo? Can be. This can work for any module that you install, because we intercept when it's requesting and we give Games::Bingo, Games::Bingo. I'm quite happy because the demos are working and during Black Hat, they didn't. But then, now it's working. Okay, I talked. Well, yeah, I talked. Let's see over here, the connection and the request. Well, they only check the binary, the CRC. The CRC is not a signature. So if I control the MD5 signature of the binary, you're doomed. So don't put the MD5 as secure stuff in the packages, please. So again, we have the shell, the root shell. So the good thing about installing stuff as root, because you are demanded, is you get remote root again. A little love again. Let's see, the Argentinian there. Okay, let's kill. Let me see. Well, we are running VirtualBox. Let's check if we have a new update. We see over here, the connection and again. Yes, we have an update. Let's do it. Why not? You know, I want to feel secure at that point, you know. Somebody's going to hack me. So I should get the last version at least. How much time? Sorry, how much time do we have? Three. Okay, we're going to do it fast. Well, we have also, okay. We'll see over here. If you go to tools and Windows updates, it's not the best module, but we redirect, we create a fake web page. And I tell the user to download the file. To download the file. Well, let's do another update over here too.
Okay. Since we are running out of time and we have 52, I'm going to do the Mac. We have Windows, we have Linux, let's do some Mac. Mom, I'm on TV. It's working. I don't know. This stuff works by itself, it works. Kind of, right? Okay, it's a little big. So let's do this. So basically it's running the same framework as he is. And for starters, I'm going to do Adium, it's like Pidgin. Most people use it, I do. So basically when you start, if it works, it should ask something. You have started. I started. So since it's not calling, I'm going to force it. It checks every 24 hours or every time it starts. So I'm checking and it should check or not. I told you demos are damned, let's check another one while it's working. Well, for example, you have this one, it's a geeky application. It's iStat so you can see the temperature and everything in your machine so you can be in control. And here you can see check for updates every 24 hours or on start. So we hit it on updates and it should ask something or not, or not. I told you, it might fail, it will fail. That's what, well, so you shut, you have to trust me. In Apple there is a big framework called Sparkle and most of the applications, open source applications, use it. It is an awesome framework. It has every kind of security you would need. So I'm going to open that. So I'm going to tell you what you need if you're coding a secure implementation. If you can get me in the hall, I can try to work all the demos, especially the human ones because I've been working a lot on them. So I'm kind of, fuck, okay. We were going good. Have a big nose, sorry. Fucking why? You should do it with a PDA. Yeah. I don't trust PDA. So, well, while he's searching for the right slide, we're going to release it on Monday because we are too drunk to log in to any place during this weekend. We are in Vegas, we travelled a lot from the South.
If you ever want to visit Argentina and you need an excuse for your work, we do a conference in Buenos Aires. It's called Ekoparty. It's one of the biggest in Latin America. If you're going to go to the South, come and visit us. It's fun. Now, let's go back to the past. So the last approach of secure updates is sign your package. Don't trust the automated packages. Do it manually if you can. Don't do updates at DEF CON. People are already doing this. So if you do, reinstall when you go home. And remember, CRC is not digital signing. So if you put an MD5 and I can change it, not. Do we have time for questions? No. We are getting Q&A. Q&A in room number five. You can track us on Twitter. We are really boring on Twitter. But if you do, follow us. And see you around. Thank you. La, la, la, la. La, la.
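The closing advice of the talk (sign your package; a CRC or MD5 is not a signature) as an added example, not code from the talk or from Evilgrade: a Go update client that accepts a manifest only when its ed25519 signature verifies against a pinned vendor key, next to the checksum-only model the demos abuse. The manifest fields, the key pair, the URL and the sample binaries are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Manifest stands in for the update metadata a client fetches (constructed fields);
// Sig is the vendor's ed25519 signature over Canonical(m), produced offline.
type Manifest struct {
	Version, URL, SHA256 string // SHA256: hex digest of the binary to download
	Sig                  []byte
}

// Canonical is the exact byte string that is signed, so every field an attacker
// could alter by redirecting DNS to a fake update server is covered.
func Canonical(m Manifest) []byte { return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256) }
// Sign runs on the vendor side only; the client never holds the private key.
func Sign(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Sig = ed25519.Sign(priv, Canonical(m))
	return m
}
// ChecksumOnlyAccepts models the weak client in the talk: it trusts whatever digest came
// with the manifest, so a forged manifest with a matching forged binary passes (MD5 or CRC would be no different).
func ChecksumOnlyAccepts(m Manifest, binary []byte) bool {
	sum := sha256.Sum256(binary)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

// VerifyUpdate is the hardened check: pinned-key signature first, then the binary against the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, binary []byte) error {
	if !ed25519.Verify(pinned, Canonical(m), m.Sig) {
		return fmt.Errorf("manifest signature invalid: refusing update")
	}
	if !ChecksumOnlyAccepts(m, binary) {
		return fmt.Errorf("binary digest does not match signed manifest")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what a client would pin
	genuine, forged := []byte("constructed vendor binary"), []byte("constructed attacker binary")
	g, f := sha256.Sum256(genuine), sha256.Sum256(forged)
	m := Sign(priv, Manifest{Version: "2.0", URL: "https://updates.example/app", SHA256: hex.EncodeToString(g[:])})
	// attacker redirects the client to its own server and swaps digest and binary, but cannot re-sign
	bad := Manifest{Version: m.Version, URL: m.URL, SHA256: hex.EncodeToString(f[:]), Sig: m.Sig}
	fmt.Println(VerifyUpdate(pub, m, genuine), ChecksumOnlyAccepts(bad, forged), VerifyUpdate(pub, bad, forged))
}
```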