Possible Vulnerability in SSM


dmenace
November 9th, 2007, 07:52 AM
Dear Wilders Users,

I am a computer enthusiast and as such occasionally do some programming at home.

Today, however, while writing a new program (completely unrelated to security), I accidentally discovered a critical security vulnerability that possibly affects several security applications.

I have tested this vulnerability against SSM 2.4.0.619 and it fails allowing the creation of autostart entries in HKLM\Run. The payload can be much worse however as SSM is totally bypassed...

My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected?

I myself can't believe such a sophisticated HIPS can be bypassed completely. I believe many more security programs may be affected, but this has not been confirmed.

Just a warning of possible zero-day attacks on zero-day protection software. Oh, the irony!

Banshee
November 9th, 2007, 08:05 AM
{QUOTE-> My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected? <-QUOTE}
I would do both.

Peter2150
November 9th, 2007, 08:45 AM
{QUOTE-> Dear Wilders Users,

I am a computer enthusiast and as such occasionally do some programming at home.

Today, however, while writing a new program (completely unrelated to security), I accidentally discovered a critical security vulnerability that possibly affects several security applications.

I have tested this vulnerability against SSM 2.4.0.619 and it fails allowing the creation of autostart entries in HKLM\Run. The payload can be much worse however as SSM is totally bypassed...

My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected?

I myself can't believe such a sophisticated HIPS can be bypassed completely. I believe many more security programs may be affected, but this has not been confirmed.

Just a warning of possible zero-day attacks on zero-day protection software. Oh, the irony! <-QUOTE}

You should contact SSM, and not publish code.

LUSHER
November 9th, 2007, 08:47 AM
{QUOTE-> Dear Wilders Users,

I myself can't believe such a sophisticated HIPS can be bypassed completely.
<-QUOTE}

I'm not surprised.

solcroft
November 9th, 2007, 09:08 AM
SSM is far from the most sophisticated HIPS, and even those get bypassed on occasion. No cause to jump in alarm.

Would the vulnerability involve registry hive files, by any chance?

Rmus
November 9th, 2007, 10:37 AM
{QUOTE-> Just a warning of possible zero-day attacks on zero-day protection software. Oh, the irony! <-QUOTE}
Without publishing code, can you explain how this attack is launched? Malware installs and then is executed and bypasses protection?


By script embeded in a web site?

----
rich

lucas1985
November 9th, 2007, 12:53 PM
{QUOTE-> Would the vulnerability involve registry hive files, by any chance? <-QUOTE}
Do you mean .reg files?

WilliamP
November 9th, 2007, 01:31 PM
Solcroft, what HIPs do you feel is the most sophisticated?

Rasheed187
November 9th, 2007, 02:10 PM
I just wonder why you haven't contacted the SSM team already? After it's fixed you can always publish the POC. And all these HIPS can be bypassed, but the question is how many malware creators will actually take the time to try to bypass these tools, which are used by only a minority. :)

solcroft
November 9th, 2007, 02:26 PM
{QUOTE-> Do you mean .reg files? <-QUOTE}
Nope. .reg files contain registry data, but hive files ARE the registry itself, as far as I understand it. An attack was published some time ago demonstrating a method to attack the registry using .hiv files, which even EQSecure and ProSec failed to stop unless their data protection features were used to block the creation of the .hiv files in the first place.

lucas1985
November 9th, 2007, 02:32 PM
Thanks solcroft :)

dmenace
November 9th, 2007, 02:41 PM
Thanks for all your replies.

{QUOTE-> Malware installs and then is executed and bypasses protection? <-QUOTE}
Yes, that's how it is bypassed. Initially, application execution must be allowed.

I will first contact SSM and several other companies affected then publish the leaktest after say a week.

This leaktest will have 3 "payloads": an EICAR test file execution, an outbound network connection test and an autostart registry test.

This way you can test your AV, HIPS and FW. All 3 can be affected due to the generic nature of the test.

I'll keep you posted!
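As an added example (not dmenace's leaktest and not code posted anywhere in this thread), the following PowerShell harness runs the three payloads described above directly, with no shutdown trick involved, and reports per payload whether the installed security software intervened. It is the pass/fail scaffolding such a test needs; the target host and port for the network test, the Run value name and the command it points at are assumptions chosen for this example.

```powershell
# Added example: a three-payload leaktest harness (AV / FW / HIPS).
# PASS = the security software stopped the action, FAIL = it went through.
# Run from an elevated shell: the HIPS payload writes to HKLM\...\Run, and an
# "Access denied" caused by UAC rather than by the HIPS would be a false PASS.
$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# --- Payload 1: write the standard EICAR antivirus test file -------------
# The string is assembled from two halves so on-access scanners do not
# quarantine this script itself when it is saved to disk.
$eicarPath = Join-Path $env:TEMP 'leaktest_eicar.com'
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
try {
    Set-Content -Path $eicarPath -Value $eicar -Encoding ASCII
    Start-Sleep -Seconds 2                       # give on-access AV time to react
    if (Test-Path $eicarPath) {
        $results['AV (EICAR write)'] = 'FAIL: test file still present'
        Remove-Item $eicarPath -Force
    } else {
        $results['AV (EICAR write)'] = 'PASS: file removed or quarantined'
    }
} catch {
    $results['AV (EICAR write)'] = "PASS: write blocked ($($_.Exception.Message))"
}

# --- Payload 2: outbound TCP connection (firewall) -----------------------
$targetHost = 'www.example.com'                  # assumption: any reachable host
$targetPort = 80
try {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($targetHost, $targetPort, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(5000)) {
        $client.EndConnect($async)               # throws if the connect was refused
    }
    if ($client.Connected) {
        $results['FW (outbound TCP)'] = "FAIL: connected to ${targetHost}:$targetPort"
    } else {
        $results['FW (outbound TCP)'] = 'PASS: connection blocked or timed out'
    }
    $client.Close()
} catch {
    $results['FW (outbound TCP)'] = "PASS: connection failed ($($_.Exception.Message))"
}

# --- Payload 3: autostart entry in HKLM\...\Run (HIPS) -------------------
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'LeaktestAutostart'                 # assumption: example value name
try {
    Set-ItemProperty -Path $runKey -Name $valueName -Value 'calc.exe'
    $written = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($written) {
        $results['HIPS (HKLM Run)'] = 'FAIL: autostart entry created'
        Remove-ItemProperty -Path $runKey -Name $valueName   # clean up after the test
    } else {
        $results['HIPS (HKLM Run)'] = 'PASS: entry not written'
    }
} catch {
    $results['HIPS (HKLM Run)'] = "PASS: write denied ($($_.Exception.Message))"
}

$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

Two caveats when reading the results: the network payload also reports PASS on a machine with no connectivity, so confirm the host is reachable from an allowed process first; and a HIPS that prompts rather than silently blocks will show as PASS or FAIL depending on which button is clicked, which is exactly the decision point the shutdown scenario later in the thread removes.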

dmenace
November 9th, 2007, 02:56 PM
Just wondering if like Matousec, is there any money to be made from this? :-\

Edit: I suppose not...

R8y
November 9th, 2007, 03:09 PM
{QUOTE-> Nope. .reg files contain registry data, but hive files ARE the the registry itself, as far as I understand it. An attack was published some time ago demonstrating a method to attack the registry using .hiv files, which even EQSecure and ProSec failed to stop unless their data protection features were used to block the creation of the .hiv files in the first place. <-QUOTE}
Me knows what you are talking about... I suppose SSM fixed this problem already.

R8y
November 9th, 2007, 03:11 PM
{QUOTE-> Thanks for all your replies.


Yes, that's how it is bypassed. Initially, application execution must be allowed.

I will first contact SSM and several other companies affected then publish the leaktest after say a week.

This leaktest will have 3 "payloads": an EICAR test file execution, an outbound network connection test and an autostart registry test.

This way you can test your AV, HIPS and FW. All 3 can be affected due to the generic nature of the test.

I'll keep you posted! <-QUOTE}

Can you elaborate on which other companies' products are also affected besides SSM?

dmenace
November 9th, 2007, 03:15 PM
{QUOTE-> Can you elaborate on which other company's product is also affected besides SSM? <-QUOTE}

Not at this moment, however most software firewalls are not affected.

tradetime
November 9th, 2007, 03:17 PM
{QUOTE-> Yes thats how it is bypassed. Initially application execution must be allowed. <-QUOTE}
Hi dmenace, ok, just to make sure I understand, as a user of SSM... Malware gets on your computer, and you have to initially permit it to execute, then SSM is in trouble... yes?

R8y
November 9th, 2007, 03:19 PM
{QUOTE-> Not at this moment, however most software firewalls are not affected. <-QUOTE}
So we are looking at a firewall problem rather than a HIPS problem here? I am confused :o

dmenace
November 9th, 2007, 03:36 PM
{QUOTE-> Hi dmenace, ok, just to make sure I understand, as a user of SSM... Malware gets on your computer, and you have to initially permit it to execute, then SSM is in trouble... yes? <-QUOTE}

Yes, you are correct. You must allow the application to start, then SSM will be in trouble.

{QUOTE-> So we are looking at a firewall problem rather than a HIPS problem here? I am confused <-QUOTE}

We are looking at a HIPS problem that could affect some other security software like firewalls and antivirus.

There is however no cause for alarm. I will first contact the vendors and then later publish a leaktest. This is not a traditional leaktest as it is not designed to test only a firewall but also HIPS and AV.

Ilya Rabinovich
November 9th, 2007, 03:52 PM
dmenace, what are the results with my DefenseWall HIPS? Have you tested your sample code with it?

tradetime
November 9th, 2007, 04:19 PM
{QUOTE-> Yes you are correct, You must allow the application to start then SSM will be in trouble. <-QUOTE}
Thanx dmenace, appreciate the warning.

dmenace
November 9th, 2007, 07:14 PM
I've done some more testing:

DefenseWall HIPS is safe, the test fails when run as untrusted.
Nod32 is also safe, Eicar file access is denied.
The only vulnerable program I know is System Safety Monitor.

I am not doing any more tests - you can do these yourself when the leaktest is released later.

I am a bit busy, so this leaktest development and contacting SSM has been put on hold, but will be done in a week.

Till then, cya.:-*

bellgamin
November 9th, 2007, 11:23 PM
No specifics have been provided. No offense but -- until such details are revealed -- it's simply an allegation/FUD in my opinion.

EASTER
November 10th, 2007, 12:28 AM
{QUOTE-> Nope. .reg files contain registry data, but hive files ARE the the registry itself, as far as I understand it. An attack was published some time ago demonstrating a method to attack the registry using .hiv files, which even EQSecure and ProSec failed to stop unless their data protection features were used to block the creation of the .hiv files in the first place. <-QUOTE}

Hi solcroft.

If you wouldn't mind could you post some links concerning the .hiv risks. I simply like to go over those details for record, and thanks for making mention of it.

Likewise, I would be interested in just what this vulnerability is that bypasses SSM.

screamer
November 10th, 2007, 12:45 AM
{QUOTE-> I am a bit busy, so this leaktest development and contacting SSM has been put on hold, but will be done in a week. <-QUOTE}

You seem to have enough time to post here. You don't have enough time to drop SSM an e-mail? Just curious???

...screamer

aigle
November 10th, 2007, 01:37 AM
I think there is no need to be so emotional. Let's wait and see for a week or so, when dmenace will publish the leaktest.

Stem
November 10th, 2007, 07:51 AM
{QUOTE-> I have tested this vulnerability against SSM 2.4.0.619 and it fails allowing the creation of autostart entries in HKLM\Run. The payload can be much worse however as SSM is totally bypassed... <-QUOTE}
Certainly an interesting finding.

{QUOTE-> My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected? <-QUOTE}
I personally would question the vendor. Give them time to reply. If no reply, or no protection against this, then it would be open to question against the vendor.
I would of course like some verification. If no response from SSM (which I doubt), could you possibly forward this code/instructions to me? (either by PM, or I can give you my e-mail via PM) I would then contact SSM if verified, then report here.

gkweb
November 10th, 2007, 01:34 PM
Hello,

You should see the difference between a bug exploit, and a leaktest. Leaktests (in the firewall meaning) do not exploit bugs, they are generic and if the tested firewall has no protection against the method used, then it's bypassed. For instance a leaktest can run IE to pass it parameters, there is no bug exploitation, and can theoretically work against any firewall. Also, "leaktest" is originally related to firewalls, not HIPS, although the term meaning can change over years (such as hacker/cracker).

However a bug affects one specific software only (generally) and won't affect any other software. If what you found is a SSM's bug, then your test demo should be called a POC (Proof Of Concept) as it exploits a specific software vulnerability, not a leaktest.

I'm also interested to test myself what you described. I have many HIPS at hand to check if you found a vulnerability in SSM or a generic leaktest. You can PM me if you want.

Regards,
gkweb.

dmenace
November 10th, 2007, 03:37 PM
Dear gkweb,

I think it would qualify as a "leaktest" not a specific bug in SSM. Thus I am sorry for any misunderstanding. This test is generic and focuses on a "Windows design issue".

As such it was not top priority to contact SSM, because this is not specifically for their product. If any software manufacturer wants the source code, they will have to email me.

Dear screamer,

I understand, however the code was not finished yesterday. For a leaktest it is important to check pass/fail, and that was not implemented. Now, however, it is pretty much complete.

Just need to create a website to host the files. Any ideas? Geocities?

gkweb
November 10th, 2007, 05:12 PM
Hello,

If it affects any security software out there, and if the users security is your priority, you should send your tool to a list of security vendors, give them X days/weeks to fix it, then disclose the tool. That is what is called "responsible disclosure".

Of course you can do the "full disclosure" way, but I'm not advocating this way, unless the vendor does not respond (just my opinion).

As I said, you can contact me by PM. I can run a complete set of tests against your testing tool and find out how many products are concerned, and advise you how to proceed. However, if you prefer to be on your own, I hope you'll make the right choice. The question is who you want to help.

Regards,
gkweb.

EDIT : about webhosting, I can host your executable on my website, if of course it contains nothing malicious :)

dmenace
November 10th, 2007, 05:17 PM
{QUOTE->

If it affects any security software out there, and if the users security is your priority, you should send your tool to a list of security vendors, give them X days/weeks to fix it, then disclose the tool. That is what is called "responsible disclosure".

<-QUOTE}

How can I obtain such a list of vendors emails?

Also it doesn't affect some products but affects others. I don't have testing resources available. How do I know who to send to?

herbalist
November 10th, 2007, 05:18 PM
I'd also be interested in this SSM vulnerability. I've been a beta tester of SSM for a long time.

Regarding hosting the files, if all you're doing is sharing the files with a few companies and/or individuals, upload them to rapidshare and give the link to whoever you want to have it.
Rick

gkweb
November 10th, 2007, 05:41 PM
{QUOTE-> How can I obtain such a list of vendors emails?

Also it doesn't affect some products but affects others. I don't have testing resources available. How do I know who to send to? <-QUOTE}

Option 1 : You do not necessarily need to know which security software is affected and which is not, if at least one is. You can make a generic email to send to a list of security vendors, and ask them to check if their software is vulnerable to this or not, and tell them that you will release your tool in X weeks. Generally, sending an email to support@brandname.com is enough to get an answer.

Option 2 : If you want to know beforehand, as I said, I have the resources to give you the answers. Then you can target specific security vendors. Of course it's not possible to test every existing security software, don't worry about that.

Option 3 : You trust me enough to let me test your tool, contact the concerned security vendors, give them 2 weeks, keeping you fully informed, and giving you of course the full credits (I would just be an intermediary).

Option 4 : You do not warn anyone, you release your tool (I'm personally not for it, just an option).

Regards,
gkweb.

aigle
November 19th, 2007, 03:29 PM
Hi dmenace! Any updates on this issue?
You have been so quiet.
Thanks

dmenace
November 19th, 2007, 06:25 PM
Hello Aigle!

I have contacted a list of security software vendors by email with the details of the new leaktest and gave them 1 week to fix the problem.

So far, I've received a reply from DefenseWall and Online Armor, who both claim they pass the leaktest. SSM has sent a reply saying they will "test it".

The leaktest will be released to the public on 21/11/2007 at 9am GMT+10:00. I will post a link to it on Wilders and give further information later. This is why I was quiet, as it has not been released yet.

dmenace
November 20th, 2007, 05:06 PM
Dear Wilders Community,

As mentioned before I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.

This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:

http://www.geocities.com/zeroday_software/

This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software, as these have already shut down.

A selection of Security Vendors were notified on the 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety was contacted earlier however, on the 10/11/07.

A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).

If you have any issues please contact me at: zeroday_software@yahoo.com
The latest release is 1.0.20

Mods, maybe close this thread; I've created a new one.
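An added example, independent of the System Shutdown Simulator and not code from this thread or its author: the scenario above defeats real-time protection because the HIPS has already exited by the time the shutdown is cancelled, so no prompt can fire. What a defender can still do is record the autostart locations while protection is up and compare them at the next logon, which catches an HKLM\Run entry added while the security software was down. The script name, the baseline path and the list of keys checked are assumptions made for this example.

```powershell
# Added example: baseline-and-diff check of the Windows autostart Run keys.
# Usage (assumed file name):
#   .\Check-Autostart.ps1 -Baseline     # record the current, trusted state
#   .\Check-Autostart.ps1               # report NEW / CHANGED / REMOVED entries
# Exit codes: 0 = no change, 1 = changes found, 2 = no baseline yet.
param(
    [switch]$Baseline,
    [string]$BaselinePath = (Join-Path $env:ProgramData 'autostart-baseline.json')  # assumption
)

# Locations the leaktest targets (HKLM\Run) plus the per-user and RunOnce variants.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Note properties the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    # Returns a flat hashtable: "<key>\<valuename>" -> command string.
    $snap = @{}
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

$current = Get-AutostartSnapshot

if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    "Baseline with $($current.Count) entries written to $BaselinePath"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -Baseline first."
    exit 2
}

# ConvertFrom-Json yields a PSCustomObject; flatten it back into a hashtable.
$saved = @{}
foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $saved[$p.Name] = [string]$p.Value
}

$findings = @()
foreach ($entry in $current.GetEnumerator()) {
    if (-not $saved.ContainsKey($entry.Key)) {
        $findings += "NEW      $($entry.Key) = $($entry.Value)"
    } elseif ($saved[$entry.Key] -ne $entry.Value) {
        $findings += "CHANGED  $($entry.Key): '$($saved[$entry.Key])' -> '$($entry.Value)'"
    }
}
foreach ($key in $saved.Keys) {
    if (-not $current.ContainsKey($key)) { $findings += "REMOVED  $key" }
}

if ($findings) { $findings; exit 1 } else { 'No autostart changes since baseline.'; exit 0 }
```

Store the baseline somewhere the tested program cannot rewrite (a location protected by ACLs, or off the machine), otherwise a payload that survived the shutdown window can simply refresh the baseline along with the Run key it added. The same comparison can be scheduled at logon so that it runs before any newly added entry has had a chance to blend in with the expected set.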

Bubba
November 20th, 2007, 06:21 PM
{QUOTE-> mods maybe close this thread I've created a new one. <-QUOTE}Newly created thread---> New Leaktest / Security Tool Released - System Shutdown Simulator (http://www.wilderssecurity.com/showthread.php?t=192099)