Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    And the guy behind GeSWall. :thumb:
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Only? I've traced his "ideas" back to 1996 :D
     
  3. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    Yes-yes, you are absolutely right! TOCTTOU problem came from *nix systems. And it were know a lot of years!

    I gave an information about 2003-year research - because it is a real adoptation to a NT-based systems, with sources and real sample of using. Just to be able to say that it is known not only for *nix systems or as a fundamental problem.
     
    Last edited: May 7, 2010
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    A HIPS primarily looks for actions by processes that access computer areas where infections could be instituted. In that sense, ALL HIPS are primarily "behavior analysts".

    A FIC does not monitor behaviors by processes. All that a FIC does is to tell you (after the fact) if even the teeniest tiniest hash-change has been made to a file or registry item that is critical or vulnerable or sensitive or user-specified. Since a FIC reports after the fact, that is why a FIC is best used in partnership with imaging software or restore points.

    Many HIPS (such as Online Armor) do not closely monitor files & registry items for hash-changes. They mostly monitor ACTIVE processes such as during accesses, executions, etc. Even those HIPS that do monitor a broad spectrum of files (such as Malware Defender) either do not use hashes at all, or else use much weaker hashes than those used by FICs. One reason is that powerful hashes run slower & heavier than weak hashes. Since a HIPS operates in real-time, it will lose users if it takes the time needed to run powerful hashes on every file & registry item that passes in front of its periscope.

    Bottom Line- A FIC will definitely pick up some potentially critical file & registry changes that may not be detected by a HIPS. Further, since a HIPS hooks the kernel, it is subject to certain vulnerabilities that a FIC is not subject to, because a FIC doesn't hook.

    FICs have their own vulnerabilities, of course. A FIC's vulnerabilities differ from those of a HIPS. That's why layering is the way to go. ALL security apps are vulnerable somewhere. The main idea behind layering is to use apps with differing abilities AND differing vulnerabilities.
     
  5. falkor

    falkor Registered Member

    Joined:
    Sep 26, 2009
    Posts:
    205
    +20 and THANK YOU Andrew !!!:) :cool:
     
  6. Judge Dee

    Judge Dee Guest

    Yes indeed. Thank you Mr. Sporaw for coming to Wilders and passing on your knowledge. :thumb:
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Would Mr. Rabinovich, Mr. Sporaw, or anybody else kindly care to comment on the technical merit of this part of the paper?

     
    Last edited: May 7, 2010
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't use Tiny Watcher, but I would think that Tiny Watcher will miss some changes to \windows\system32 due to file redirection.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here is the approach I use(d) with respect to file integrity checking (FIC): I think of time spent on my computer as occupying two time periods: 1) Normal period - no software is installed, and the computer is used normally 2) installation period - the short period when I install programs, and do not do any risky behavior, such as browsing the web. The transition from one of the periods to the other triggers the use of FIC checker to check for changes in files. Any changes made during the transition from normal period to installation period should be examined closely, because by definition nothing was (or should have been anyway) installed during normal period. Changes made during the transition from installation period to normal period don't need to be looked at as closely, because the installation period is short and risky behavior is supposed to be avoided, unless you installed an untrustworthy program.

    On x86, for FIC I use NIS Filecheck. In the past I also used FingerPrint (from 2BrightSparks). One pro of NIS Filecheck is that it records file version numbers; FingerPrint does not. I'm not sure if NIS Filecheck is available online anymore though.

    On x64, I'm not sure if I'll continue to use FIC or not - partially because my FIC regimen takes too much time for my tastes, and also because I'm using a standard user account for normal tasks+UAC(highest level)+AppLocker+periodic permissions auditing with Windows Permission Identifier/AccessChk - i.e. in this setup any changes to executables very likely were made by installation programs or Windows itself.
     
    Last edited: May 7, 2010
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I forgot to mention that if Tiny Watcher can monitor changes to \windows\sysnative, then Tiny Watcher can overcome the issue that I mentioned with \windows\system32.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I am *kind of sure* that Tiny Watcher can be configured to monitor \windows\sysnative but I cannot test it because I do not use 64-bit.
    I used NIS FC back in 2002. The old NISFC forum is still in Wilders archive & has a couple of my earliest posts to these forums.

    I tried Albert Janssen's NISFC download site. It didn't return a 404, but it didn't load either.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, such the attack is possible, but quite complex to implement in the real life. That's why it's not ITW yet.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Why does so many people Bash Matousec ?

    I give Matousec Praise. End result is Matousec is making our security products better by revealing holes which Vendors end up fixing.
     
  14. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    OK, here is some of the answers (more information is available here):

    Two years he spammed vendors to get some $$$, when this advisory were published (with real sample in source and binary) many years ago by other guy.

    etc.

    I'm viewing on this only as scientific security researcher. This behavior is totally unprofessional. It seems like to say today "I invented the radio!!!", "I will not publish the schemes, but you can buy them", and also publish article about this in Science magazine. Ah, forgot: 2 years before this event, it is required to spam all companies in tries to sell the "new scheme of a new invention - radio".
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for answering, Mr. Rabinovich :).

    That a successful attack is perhaps possible from a limited user account is an interesting aspect that I think would surprise some people.
     
    Last edited: May 8, 2010
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have the NIS Filecheck installer, but I'm not 100% sure that it's the same as the original zip file. The author states in readme.txt that
     
    Last edited: May 8, 2010
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I ve red this thread with passion :)

    I have some questions (normal user ones i m no expert or such) :

    1.If the exploit is old (2003 ?! ,ouch) why nobody in the industry fixed it ?
    2.If the exploit is new did anyone lost money on the exploit black market ?
    3.It would have been better for Matousec to try and sell his thing on the black market or to the vendors or showing it he helped practically ?
    4.If security software from 3-rd partyes have such weakneses why should i continue pay or install 3-rd party security software instead of simply using W7 with all its goodies ,the included 2 way firewall and it s nice free antivirus ?
    Is now the "Alow/Block software" category a failure ,i mean if everything can be bypassed at the root by a slick malware ,why do we still need to keep clicking Block -Block -Alow -Block ,eventually on OUR own money ?
    5.Can we say that from now on sandboxed protection it s more safer than the anoying HIPS thingy and that this is the future?
     
  18. Andy S

    Andy S Registered Member

    Joined:
    May 7, 2010
    Posts:
    10
    Location:
    St. Petersburg, Russia
    1. A lot of companies does not know anything about this issue. (Even after matousec publications).
    2. No any malware using this way to try to exploit a system. No any real 2. threat.
    3. Who cares? There are many other issues and features that must be implemented/fixed.
    4. It is really difficult to use this "vuln" to compromise a system. I mean a real environment, not a laboratory tests. (Most, but not all, of the protection apps will catch a malware before it even tried to use this technics)
    5. Do not know how to fix it. And it is really a problem, for example, handles-part. (I'm sure, Matousec's solution is not perfect).
    6. Lazy.
    7 [...] a lot of other reasons [...]
    8. Who cares?

    There is no "exploit".
    There is nothing about this topic on "black market". Today. What will be tomorrow - time will show.

    Ask Matousec.

    Yes, you should to continue to pay if you want to have your system really protected. I do not want to explain what is the difference between 3-rd party Antivirus/HIPS/Firewall/Sandbox/etc and internal MS anti-malware (WD, MSE) and firewall.

    Because you do not need to be in panic, like Matousec want. See below about catching malware and so on.

    Moreover, because of the re-publishing as 'mass-media', some malware authors now probably will try to use this way to exploit system. And some vendors will fix this issue.

    No.
    Publically available sandboxes mostly unsecure.
     
  19. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  20. BrendanK.

    BrendanK. Guest

    Sandboxes, H.I.P.S', anti-viruses and anti-spyware all have their flaws. To say any one would give you absolute protection would be incorrect advice. Everything has it's own weakness.
     
    Last edited by a moderator: May 9, 2010
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    TOCTOU with NT System Service Hooking Bug Demo


    .

    .

    http://www.securesize.com/Resources/index.shtml

    So it appears that single CPU processors are the way to go :D
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Andrey Sporaw

    Thanks fo rthe info, I can understand your are pissed about it. I have an off topic question: are you still involved with GeSWall development?

    Regards Kees
     
  23. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    Kees, the guy behind GeSWall is the one who published that article: Andrey Kolishak, not Sporaw.
     
  24. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    and none more than us users but I'm curious about seemingly blanket statement that all publicly available sandboxes are mostly insecure. Some clarity is always good
     
  25. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    one more thing i like to add is that the all test are done are on by local exploits means for example you get a software bundled conflecker in it you install it manually then how can you blame a company for that .....................they are not done remotely which is very difficult

    download Matousec test files in KIS sandbox trojan alert give me by my computer antivirus stop the file at once didn't download at all.......blocked in the way in browser sandbox ................all. tests pass why i need further more test :D
     
    Last edited: May 9, 2010
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.