Wilders Security Forums  

  #26  
Old March 22nd, 2012, 02:36 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Quote:
Originally Posted by Hungry Man
It's something I've talked about a lot. You have Trusteer adding attack surface and if you were to exploit it you would
1) Bypass its protection
2) Potentially gain access to the 27million using it (going by their downloads.)

So far I haven't managed to drop a payload. Trusteer crashes before I have a chance. I've found some other interesting things though. If I do find something I will be sure to post it publicly to force their hand in fixing it.

I stopped using it for this exact reason: It's useless. It doesn't do anything to help you and if your browser is hit by an exploit (say flash) the malware will still be able to key log you.
__________________
E-Mail: og8oh@notsharingmy.info
  #27  
Old March 22nd, 2012, 02:42 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Well, I'd suggest giving them a warning (and sending information on the exploit) so that there's a reasonable disclosure time. And after a few days you can throw it up on metasploit.
__________________
  #28  
Old March 22nd, 2012, 02:57 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Quote:
Originally Posted by Hungry Man
Well, I'd suggest giving them a warning (and sending information on the exploit) so that there's a reasonable disclosure time. And after a few days you can throw it up on metasploit.

That's what I mean :p Yes I will give them the standard 30 days. I won't sign any NDAs though.
__________________
E-Mail: og8oh@notsharingmy.info
  #29  
Old March 22nd, 2012, 03:03 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Good lol just want to make sure you don't end up with some lawyers on your ass. I'd imagine that if they're willing to throw so much behind marketing they're also willing to throw it behind a legal team.

Since Trusteer is so useless I wonder if it's so simple to bypass something like Keyscrambler. There seem to be fundamental flaws like the inability to verify that encryption has taken place.

I would think that key-encryption would take either hardware support or kernel support.
__________________
  #30  
Old March 22nd, 2012, 07:48 PM
moontan moontan is offline
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,124
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

wow!
to think that i trusted this thing almost with blind faith.

eye opener indeed.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
  #31  
Old March 30th, 2012, 11:52 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

How about bypassing with no code? I did some digging and watched everything Trusteer did from install to initial run and found some interesting things:

Step 1: Disable Trusteer Rapport's service (RapportMgmtService.exe):

Code:
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000001

You could probably use Services.msc as well.

Step 2: Reboot - This is needed to disable the kernel driver (RapportPG.sys).

Step 3: You now have access to Trusteer's folders. Open Command Prompt and Navigate over:
Code:
cd \"Program Files"

Step 4: Rename Trusteer (The folder) to anything else.
Code:
rename Trusteer [New_Name_here]

Step 5: Launch the browser and you are no longer protected. I have written a batch script that automates this. Someone more talented than me with code could probably find a way around the reboot in step #2. (Crash the service somehow; maybe a buffer overflow/memory corruption.)

Step 6:

Step 7: Profit?

To undo the changes just reset the value here:
Code:
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000000

and rename the Trusteer folder back to "Trusteer"

Code:
rename [New_Name_here] Trusteer
__________________
E-Mail: og8oh@notsharingmy.info
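
For defenders, the registry change described in post #31 is something that can be audited. The following is an added example, not code from the thread or from Trusteer: it scans the text of a registry export for watched LEGACY_* entries whose CSConfigFlags value disables them in the hardware profile. The sample export is constructed and the EXAMPLESVC key is hypothetical.

```python
import re

# CSConfigFlags bit values as defined in the Windows SDK header regstr.h.
CSCONFIGFLAG_DISABLED = 0x1      # disabled in this hardware profile
CSCONFIGFLAG_DO_NOT_START = 0x4  # must not start in this hardware profile

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"CSConfigFlags"=dword:(?P<hex>[0-9a-fA-F]{8})$')
LEGACY_RE = re.compile(r"\\Enum\\ROOT\\LEGACY_(?P<svc>[^\\]+)", re.IGNORECASE)

# Constructed sample export; the second key (EXAMPLESVC) is hypothetical.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_EXAMPLESVC\0000]
"CSConfigFlags"=dword:00000000
'''

def find_profile_disabled(reg_text, watched):
    """Return [(service, flags)] for watched LEGACY_* entries that are
    disabled or blocked from starting in the current hardware profile."""
    watched = {name.upper() for name in watched}
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Remember which LEGACY_* service the following values belong to.
            svc = LEGACY_RE.search(key.group("key"))
            current = svc.group("svc").upper() if svc else None
            continue
        val = VAL_RE.match(line)
        if val and current in watched:
            flags = int(val.group("hex"), 16)
            if flags & (CSCONFIGFLAG_DISABLED | CSCONFIGFLAG_DO_NOT_START):
                hits.append((current, flags))
    return hits

if __name__ == "__main__":
    for svc, flags in find_profile_disabled(SAMPLE_EXPORT, {"RAPPORTMGMTSERVICE"}):
        print(f"ALERT: {svc} has CSConfigFlags=0x{flags:08x} in the hardware profile")
```

Registry exports written by regedit are normally UTF-16, so decode the file before passing its text to the function.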
  #32  
Old March 30th, 2012, 11:59 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

I also find this disturbing:

Quote:
Phishing
A phishing attack is when the attacker builds a website that looks exactly like a website you know and trust (for example your bank's website). The attacker then convinces you to visit this website (for example by sending you a fraudulent email). When you arrive at the fraudulent website you mistakenly believe that this is the real website. As soon as you try to sign into this fraudulent website the attacker grabs your sign-in credentials and can now use them to sign into the genuine website on your behalf.
To protect you against phishing attacks Rapport learns the password (and sometimes even the username) you use with protected websites. Rapport then warns you each time you use the password or the username on a different website. Using this warning you can immediately understand that you are on the wrong website and prevent the password from being submitted.
Source

Apparently they are stored in encrypted JavaScript files. Wait. Full stop. I hope they aren't using JavaScript's (insecure) pseudo-random number generator for keys...
__________________
E-Mail: og8oh@notsharingmy.info
  #33  
Old March 31st, 2012, 12:11 AM
TheWindBringeth TheWindBringeth is online now
Frequent Poster
 
Join Date: Feb 2012
Posts: 815
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Conceptually, I love the idea of something preventing you from using the same password at multiple secure sites. I don't, and my pattern wouldn't allow me to, but still. It seems to me that such a utility doesn't have to, and just as a matter of general safe philosophy no one would ever want it to, separately store a password. All it needs to do is store extremely long hashes of the passwords and do so extremely securely, right?
  #34  
Old March 31st, 2012, 12:18 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Quote:
Originally Posted by TheWindBringeth
Conceptually, I love the idea of something preventing you from using the same password at multiple secure sites. I don't, and my pattern wouldn't allow me to, but still. It seems to me that such a utility doesn't have to, and just as a matter of general safe philosophy no one would ever want it to, separately store a password. All it needs to do is store extremely long hashes of the passwords and do so extremely securely, right?

Yes long hashes (SHA256 I would hope) would work. But the passwords are in some form (I assume) in those encrypted files. Which leads me to think one of three things:

1) The passwords are not hashed and only stored in those files. (Which means a key is stored somewhere and could be compromised by malware which in turn compromises any passwords).

2) The passwords are hashed AND stored in those files. (Prevents the attack above from working as all they would have is a (hopefully strong) hash and not plain text).

3) Passwords are hashed AND stored on their servers. (I don't see this happening from my Wireshark logs).

Number 2 is the most secure as those files are encrypted and the password is just a hash. I have a feeling it's number 1 though. I also have a feeling the encryption key is either hard-coded or generated based on that registration key you enter on initial install.
__________________
E-Mail: og8oh@notsharingmy.info
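
The hash-only design discussed in posts #33 and #34, as an added example that is not from the thread and does not describe how Rapport works: a reuse warning that keeps only a random salt and a PBKDF2-HMAC-SHA256 digest per protected site. The class name, origins and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def _derive(password, salt):
    # Salted, iterated SHA-256 so a stolen store cannot be reversed by a
    # single hash lookup and identical passwords do not share a digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class ReuseGuard:
    """Hypothetical reuse detector that never stores a password."""

    def __init__(self):
        self._records = {}  # protected origin -> (salt, digest)

    def learn(self, origin, password):
        """Record the password used at a protected origin as salt + digest only."""
        salt = os.urandom(16)
        self._records[origin] = (salt, _derive(password, salt))

    def check(self, origin, typed):
        """Return protected origins whose password is being typed elsewhere."""
        reused = []
        for site, (salt, digest) in self._records.items():
            if site == origin:
                continue  # typing the password at its own site is expected
            if hmac.compare_digest(_derive(typed, salt), digest):
                reused.append(site)
        return reused

    def stored_material(self):
        """Everything an attacker would obtain by stealing the store."""
        return dict(self._records)

if __name__ == "__main__":
    guard = ReuseGuard()
    guard.learn("https://bank.example", "constructed-sample-pw")
    # Constructed scenario: the same password typed at a look-alike origin.
    print(guard.check("https://bank-login.example", "constructed-sample-pw"))
```

A digest store still permits offline guessing of weak passwords if it is stolen; the salt and work factor only raise the cost of each guess.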
  #35  
Old March 31st, 2012, 01:00 AM
TheWindBringeth TheWindBringeth is online now
Frequent Poster
 
Join Date: Feb 2012
Posts: 815
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

I'm all for the "assume they screwed something up and dig for it" type approach when it comes to important software. Is your assumption about stored passwords just in keeping with that or is there some reason for Trusteer to store passwords that I'm not realizing?
  #36  
Old March 31st, 2012, 01:17 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Quote:
Originally Posted by TheWindBringeth
I'm all for the "assume they screwed something up and dig for it" type approach when it comes to important software. Is your assumption about stored passwords just in keeping with that or is there some reason for Trusteer to store passwords that I'm not realizing?

I assume they screwed up and store passwords (and not hashes) because of how easy it was to break Trusteer as shown in that video. A few lines of code - that's it. I hope I am wrong on this part but seeing their history, I'm not going to be surprised if it is done wrong. I've also found a way to crash Trusteer using a specially crafted (malformed) packet, leaving the browser unprotected completely.
__________________
E-Mail: og8oh@notsharingmy.info
  #37  
Old April 11th, 2012, 08:28 AM
Dezaxa Dezaxa is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 6
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Another problem with Trusteer Rapport is that it is incompatible with Sandboxie. This gives me a difficulty because I like to run my browser sandboxed, but my bank has provided me with a free copy of Trusteer. I'm a little concerned that if I don't run it and there is some fraudulent activity on my account in future, my bank might claim that I'm partly responsible because I didn't install the security software they provided.
  #38  
Old April 16th, 2012, 02:08 PM
mattfrog mattfrog is offline
Infrequent Poster
 
Join Date: Apr 2012
Location: United Kingdom
Posts: 48
Default Re: Unbiased Review of Trusteer Rapport - 44Con 2011

Wow, what a damning presentation. I thought it was strange I couldn't find many details regarding how it worked (at least from Trusteer).

UNINSTALLED.
 
