The update check is performed over plaintext HTTP: an HTTP GET request is sent to http://logmx.com/check_update.php?ver=v7.0.0&java=1.8.0_172&arch=amd64&os=win
The response contains the version number of the latest release and a change-log.
If a newer version is available, a second HTTP GET request is performed: http://logmx.com/download_file.php?id=4&from=app
This second request fetches the new file over an unsecured channel.
The user is then shown the change-log and asked whether to install the update.
The downloaded update is a tgz file that contains the whole folder structure. Because the download is performed over plaintext HTTP and there is no integrity or authenticity verification mechanism in place, the archive can be backdoored in transit. Furthermore, under advanced options, the weekly update check is enabled by default.
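The missing controls described above (transport security, and integrity and authenticity checks on the downloaded archive) can be illustrated with the following update verifier, written in Go. This is an added example and not LogMX's code: the manifest format ("version=...", "sha256=..."), the Ed25519 publisher key derived from a fixed seed, and the example.invalid URLs are all constructed for the demonstration. The verifier refuses an update unless it was fetched over HTTPS, the manifest carries a valid signature from the pinned publisher key, and the archive's SHA-256 matches the signed digest.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is the signed description of a release: the version string and the
// SHA-256 of the archive, one "key=value" per line (constructed format).
type Manifest struct {
	Version string
	SHA256  string
}

// parseManifest parses the constructed "version=...\nsha256=..." format.
func parseManifest(data []byte) (Manifest, error) {
	var m Manifest
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return m, fmt.Errorf("malformed manifest line: %q", line)
		}
		switch k {
		case "version":
			m.Version = v
		case "sha256":
			m.SHA256 = strings.ToLower(v)
		}
	}
	if m.Version == "" || len(m.SHA256) != sha256.Size*2 {
		return m, errors.New("manifest missing version or sha256")
	}
	return m, nil
}

// VerifyUpdate accepts an update only if (1) it was fetched over HTTPS,
// (2) the manifest carries a valid Ed25519 signature from the pinned
// publisher key, and (3) the archive's SHA-256 matches the signed digest.
func VerifyUpdate(downloadURL string, pub ed25519.PublicKey, manifest, sig, archive []byte) error {
	u, err := url.Parse(downloadURL)
	if err != nil || u.Scheme != "https" {
		return fmt.Errorf("refusing update: download URL %q is not https", downloadURL)
	}
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("refusing update: manifest signature invalid")
	}
	m, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(archive)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return fmt.Errorf("refusing update %s: archive digest %s does not match signed digest %s", m.Version, got, m.SHA256)
	}
	return nil
}

// demoKey derives a publisher key pair from a constructed, fixed seed so the
// example is deterministic; a real publisher keeps the private half offline
// and ships only the public half pinned inside the application.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignRelease builds and signs a manifest for an archive (publisher side).
func SignRelease(priv ed25519.PrivateKey, version string, archive []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(archive)
	manifest = []byte(fmt.Sprintf("version=%s\nsha256=%s\n", version, hex.EncodeToString(sum[:])))
	sig = ed25519.Sign(priv, manifest)
	return manifest, sig
}

func main() {
	pub, priv := demoKey()
	// Constructed stand-in for the archive bytes; a real client would read the downloaded tgz.
	archive := []byte("constructed stand-in for LogMX_v7.3.0.tgz")
	manifest, sig := SignRelease(priv, "v7.3.0", archive)

	fmt.Println("genuine over https:", VerifyUpdate("https://example.invalid/download_file.php?id=4", pub, manifest, sig, archive))
	fmt.Println("genuine over http: ", VerifyUpdate("http://example.invalid/download_file.php?id=4", pub, manifest, sig, archive))
	tampered := append([]byte{}, archive...)
	tampered[0] ^= 0x01 // a single flipped bit, as a stand-in for a modified archive
	fmt.Println("tampered archive:  ", VerifyUpdate("https://example.invalid/download_file.php?id=4", pub, manifest, sig, tampered))
}
```

The signature is placed over the manifest rather than the archive itself so that a short, signed document can be fetched and checked before committing to the large download; the archive is then bound to that manifest by its digest. Pinning the publisher's public key in the client is what turns the check into an authenticity guarantee: HTTPS alone protects the channel, but it does not stop a compromised server or a stale mirror from serving a modified archive.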
The tar file needs to be decompressed:
tar -xzf LogMX_v7.3.0.tgz
This creates a folder named LogMX_v7.3.0_eval containing all files and folders of the application.
The subfolder jar contains a single file, logmx.jar. A jar file is actually a zip file; when renamed to .zip it can be extracted. The LogMXUpdater.class can be replaced with a malicious one, since this class is executed during the update.
To do so, you can use the attached file 'LogMXUpdater.java'; of course you must change the LHOST and LPORT to match yours.
Compile this file to obtain a LogMXUpdater.class file:
Replace the original LogMXUpdater.class in the extracted jar with the freshly compiled one, re-zip the files into a logmx.zip file and rename it back to logmx.jar.
Recreate the tar file:
tar -czf LogMX_update_v7.3.0.tgz LogMX_v7.1.0_eval/
Ideally the malicious update would be delivered from a MITM position, such as ARP poisoning or a proxy. To simulate this behavior it is possible to replace the downloaded file on the machine before clicking the Update LogMX button. The downloaded tar file is located at %APPDATA%\..\Local\Temp\LogMX_Update, and replacing it there is an easy way to simulate tampering with the file download.