Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    The story of bucks by DiabloNova aka EP_X0FF

    https://www.rootkit.com/blog.php?newsid=1021

    PDF in the RAR
     
  2. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    Last edited: May 12, 2010
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From New attack bypasses virtually all AV protection:
     
  4. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    They didn't know... :rolleyes:
    http://www.matousec.com/info/articl...ws-desktop-security-software.php#related-work
     
  5. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I think I have enough with this joke. From the one part we have Matousec that brings nothing new really...I don't know how they can lie that way specially when the say that they have never heard before about "race conditions". Even me that I develop (mainly for fun) things for the web, for example using php and Ajax, I have learned to pay attention about that special cases that some "race conditions" may appear. So it's hard to believe how the C guys don't have the ++ or the #-ness to understand, care or just already know the theory about "race conditions" and the rest of the things discussed here.
    Really strange indeed.

    From the other part we have security experts that say...oh yes we already knew this stuff...but unfortunately for their genius, all these years have produced crap that fails on things that I call basic attention.

    This whole thing is really disappointing and sincerely makes stronger my opinion that we give these guys/products more credit/money than what they really deserve.

    One last thing, please stop call "papers" and "research" things that have nothing to do with papers and research. I had my days in that thing that some call "scientific community" ( not computer related though ) and in that community "papers" were something really important and always had something new to say. These "papers" I see from many computer experts make me recall some universities that spend huge amounts of money just to find out that fat women do better sex and similar futile things.

    I have more things to say about our security scientists but I'll stop for now. I'm sure there will be another occasion to talk about this huge "science" that studies how coders did their job bad.
     
    Last edited: May 10, 2010
  6. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    Good quote must be continued:
    It is not a true of course. Here is a sample.
     
  7. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    If researcher is a professional, he daily monitors a new researches in his area of interest. Also, when he found something, he tries to search a similar researches or any other information regarding this problem. It's a small describing of a common days of a "average" researcher. It doesn't important is he a chemistry guy or he in an information security. So, for professional there is no any possibility to reinvent something 7-14 years later...

    Here I wrote a reasons why this appears. Real protection of the people it is not an academic researches. And I understanding why some of the problems are not fixed, until they are really used in ITW form.

    I'm not accepting your opinion. A lot of "papers" and "researches" (as you called) are really researches with a strong mathematical apparatus.

    You can say ;)
     
  8. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Thanks for replying although you have avoided the substance of my post. In any case let's start from the obvious:

    You're right, no doubt there are of this kind too. All the papers brought in to this discussion have no strong mathematical apparatus and I was talking about the papers quoted or linked in this thread ( and specially the Matousec "paper" ). All the references in this thread are more about advanced logic, about coding errors and basic math. So we don't disagree here. I'm sure security experts in some occasions have to open their math books, although I can discuss what everyone considers strong mathematical "apparatus" and how extended use of such an apparatus we find in the coding of the security products.

    Well, this is a huge discussion. In the research sector there is hierarchy. There are researchers that are "soldiers" and have to get the job done and believe me these researchers after 14 hours or more in a lab cannot monitor all the related scientific publications and then there are the "heads" that produce ideas, listen to their "soldiers" about theoretical and practical issues, monitor the rest of the scientific community and adapt their protocols, ideas, care about budget and funding etc. So your are wrong when you say that things are the same about a chemistry guy or a security expert. Actually I think that you have in mind a single guy doing research from the things you've said. Well, in the real science this is almost impossible these days. The only sector individuals can produce results without important funding and an important team to stand behind them are scientists like in theoretical physics or those that face the scientific community having already in their bag a seriously unique idea, but this is not an every day fact.

    I understand that a single guy in the security sector may produce important and useful results even with a single pc in his home, but this is far away from the research I know. For sure I give huge credit to him and my full respect but that's all. What you are talking about is more like studying things, finding new ways, solving issues, get informed etc. It's more like a professional outside the scientific community, who is in the market and just wants to become better and do his job better. Yes, sometimes happens that these guys discover new important things, but then a serious research has to be made to make the things more "scientific". And this research requires personnel, money and above all ( unfortunately ) approval by some "heads".

    Actually you've said it better here:
    But real protection of the people should be a concern of the so called "security science" and the "security scientists/experts". What you describe is against my whole theory about science. You are more describing the principles of a corporation and not the principles of a scientist. Corporations do things when they see a margin of profit on things happening around them...not the scientists. Scientists formulate hypothesis often about things that don't even concern the common human and do research to provide proof and data. This is how things have evolved and science moved on. You are describing what pharmaceutical corporations do ( for example )...that produce a vaccine or a medicinal only when they see important profits. Yes then they push and provide loads of money for research. In the meantime they have left thousands or millions of people die the years before. This is not science, this is business. The same way, you are saying that the so called security science has to see an attack to spread in order to really elaborate things, produce anti-measures and then start the marketing thing about the whole new protection methods. I repeat this is not science, this is business thinking.

    I already know this science is mainly about how to fix things that some incapable persons produced the past decades and how to evolve things that some brilliant minds produced.

    Oh yes, I have ton of words to write about the so called security scientists/researchers it's just that I have huge respect for the mysql size of this forum, but I'll find the occasions.

    note: it's obvious that I'm not talking about you here, I don't know your work and your history. I'm talking in general about the security scientists/experts.
     
    Last edited: May 10, 2010
  9. Okay, I'm rereading the original article and I've got a question...

    The article says the attack can come from a limited account. As I understand it from previous posts, it seems the attack plays a shell-game in memory, swapping an evil payload for something innocuous just in time for the AV/HIPS to miss it. So even if the attack is carried out as a limited user, it will still bypass the AV/HIPS.

    But if you are running as a limited user, won't the payload still have to execute as limited? Which could really put the kibosh on this thing - the exploit might bypass the HIPS/AV in the first place, but it also wouldn't work unless it was something designed to work as a limited user (say a keylogger) - which eventually would attract attention, seeing as the exploit doesn't succeed every time and takes up resources.

    Maybe I'm misunderstanding this completely. But it looks to me like, even though the attack works fine from a limited account, running limited is still a pretty good defense, barring use of another exploit for privilege elevation. Amiright?

    (And I'm talking about just a limited account, not LUA + whitelisting which would keep the darn thing from executing in the first place.)

    Edit: ... aaand yes I seem to be right according to some more knowledgeable folks, it seems that the payload is executed with the attacker's privilege level. So if you're running as limited user you're pretty safe against this stuff, seeing as most malware won't install properly from a limited account. And let's not even talk about sandboxing software.

    Yeah, it's looking like my initial panic attack was not warranted.
     
    Last edited by a moderator: May 10, 2010
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    To NoIos. I don't want to do flame, but I don't like your dissertation and lesson about what science and research are. May be you are not the only one who knows it....and chiefly, the scientific methodology and the scientific work are more dynamic, unpredictable, open mind, creative, than your authoritarian and hierarchical description of the scientific research. :) The " the "heads" that produce ideas " .....:rolleyes: Sorry.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    I again don't understand this point, but some posts here that minimize the real danger of the issue seem to to prove me right.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    They have come forward and offered an explanation.

    I think it's quite feesable for Matousec to have independently discovered these flaws. There are plenty of incidences throughout history of duality in all areas of science/tech/engineering etc etc.

    Also, shouldn't they be given credit for this ?

    http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

    To accuse them of lying/stealing Without proof, is crossing the line, not good or nice.
     
  13. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    No problem, everyone has its opinion. I had no intension to give lessons and I don't care or need to do so. From your saying I understand that you did not or do not have real experience in this sector.

    Have you often seen professors by passed by young scientists in the research in the universities.

    Even if a young researcher has an idea and does huge amount of the work the credits go to the "head". This is the truth. Usually you have to wait to get older and others to appreciate your efforts in order to get your own funds and do the research. You have to be lucky too. There are exceptions of course but its not the standard. Now if you're talking about research in corporate labs or offices then the things change. There it's a jungle and you understand the "ethical" values of the corporate environments. I don't like both but this is how things go.

    I also like your words about dynamic, unpredictable, open mind, creative etc. only that your words are really not the standard in the universities around the world. Exceptions exist and I welcome them.

    I have full knowledge about how most of the professors get their positions, how universities get funds, how the sons of certain families get their degrees, how athletes get their degrees and I have full knowledge about how things work in universities in the states and europe. I have no idea what happens in the asian countries but the other two regions are enough for me.

    I'm not the one who knows everything and for sure I don't give lessons.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Andrey Sporaw

    Checked out your www and found various pages with some useful info and links etc :thumb:

    I also noticed LOTS of, what appear to be, dodgy/illegal stuff :eek: These are just a few examples.

    KEYFILE, PATCH-KEYGEN, KEYGEN, SERIAL, UNLOCKED,

    Passwords of known HASP dongles (dumps/software list)

    Is this correct ?
     
  15. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    So now what? Doesn't going to protect?
     
  16. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    Yes, it's correct. Only one page with 'useful tools' have something you mentioned.

    P.S. NoIos, I will answer a bit later. Just a big message.
     
  17. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    To rediscover this flaw -- it seems like rediscover buffer overflow or interger overflow problems tomorrow. If you are working in this area and your are professional, you must know all basis stuff for interests of your research. That's my opinion.

    (Incidents about you talking -- it's not like to reinvent after 7-15 years of already known. Moreover, a lot of them were in the years, when a "connection" between countries and scientists were very-very low, not "internet" time. And to publish on the same resource - it's too funny).
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Andrey Sporaw

    And LOTS of cracks etc on others :eek: Well ~Phrase removed~ i have to say :D

    Re flaws etc.

    Yes i see, but even so nobody knows everything, ever will, can remember everything, or sometimes just miss stuff.

    I doubt if we'll ever really know what Matousec was or wasn't aware of previously. But they have highlighted something that a lot of people had forgotten about, overlooked, and not acted upon. Maybe now they will, in which case :thumb:
     
    Last edited by a moderator: May 10, 2010
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    Right, NoIos, :thumb: , we say and we think the same. I believed you was describing your ideal of the scientific research, not the reality... Ya, university and research world go for most as you say. Exceptions are the ideal. :)
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Independent discovery of an issue 14 years after it's been originally described speaks about grand failure on part of such "scientist"...

    The original researchers? Yeah... that's not Matousec style though.

    There's been plenty of proof given on this thread and elsewhere that the Matousec's "research" is neither original nor anything new.
     
  21. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  22. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
  23. *waves hands* "There is no problem."

    No seriously, what kind of response do we expect from AV companies?

    That being said:

    Matousec's ethics are looking more dubious by the minute.
     
  24. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    It's a good blog article, thanks.

    But some important notes:
    1. About first quote. Demonstrated TOCTTOU problem is not a 'pure academic'. Please see here (here is placed a links for a sources/samples and a real "exploits", 2003).
    2. HANDLE-problem is a really headache. It is not a trivial problem that can be solved in easy way.
    3. So, regarding to p. 2, I'm sure that GDATA's fix is not a full fix for this problem (select one: slowly system, damage to the logic of system work, not a fundamental solution for all cases ;)).
    4. So I'm not sure that you can say easly "the problem is fixed" (BTW, how it can be "fixed" if it does not exist? :) see p. 1).
     
    Last edited: May 12, 2010
  25. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.