Unbiased Review of Trusteer Rapport - 44Con 2011

Discussion in 'other security issues & news' started by Hungry Man, Mar 18, 2012.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest

    So far I haven't managed to drop a payload. Trusteer crashes before I have a chance. I've found some other interesting things though. If I do find something I will be sure to post it publicly to force their hand in fixing it.

    I stopped using it for this exact reason: It's useless. It doesn't do anything to help you and if your browser is hit by an exploit (say flash) the malware will still be able to key log you.
  2. Hungry Man

    Hungry Man Registered Member

    Well, I'd suggest giving them a warning (and sending information on the exploit) so that there's a reasonable disclosure time. And after a few days you can throw it up on metasploit.
  3. x942

    x942 Guest

    That's what I mean :p Yes I will give them the standard 30 days. I won't sign any NDAs though.
  4. Hungry Man

    Hungry Man Registered Member

    Good lol just want to make sure you don't end up with some lawyers on your ass. I'd imagine that if they're willing to throw so much behind marketing they're also willing to throw it behind a legal team.

    Since Trusteer is so useless I wonder if it's so simple to bypass something like Keyscrambler. There seem to be fundamental flaws like the inability to verify that encryption has taken place.

    I would think that key-encryption would take either hardware support or kernel support.
  5. moontan

    moontan Registered Member

    To think that I trusted this thing almost with blind faith.

    Eye opener indeed.
  6. x942

    x942 Guest

    How about bypassing with no code? I did some digging and watched everything Trusteer did from install to initial run and found some interesting things:

    Step 1: Disable Trusteer Rapport's service (RapportMgmtService.exe):

    You could probably use Services.msc as well.

    Step 2: Reboot - This is needed to disable the kernel driver (RapportPG.sys).

    Step 3: You now have access to Trusteer's folders. Open Command Prompt and navigate over:
    cd \"Program Files"
    Step 4: Rename Trusteer (the folder) to anything else.
    rename Trusteer [New_Name_here]
    Step 5: Launch the browser and you are no longer protected. I have written a batch script that automates this. Someone more talented than me with code could probably find a way around the reboot in step #2. (Crash the service somehow; maybe a buffer overflow/memory corruption.)

    Step 6: o_O

    Step 7: Profit?

    To undo the changes just reset the value here:
    and rename the Trusteer folder back to "Trusteer"

    rename [New_Name_here] Trusteer
  7. x942

    x942 Guest

    I also find this disturbing:

    Apparently they are stored in encrypted JavaScript files. Wait. Full stop. I hope they aren't using JavaScript's (insecure) pseudo-random number generator for keys...
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Conceptually, I love the idea of something preventing you from using the same password at multiple secure sites. I don't, and my pattern wouldn't allow me to, but still. It seems to me that such a utility doesn't have to, and just as a matter of general safe philosophy no one would ever want it to, separately store a password. All it needs to do is store extremely long hashes of the passwords and do so extremely securely, right?
  9. x942

    x942 Guest

    Yes, long hashes (SHA256 I would hope) would work. But the passwords are in some form (I assume) in those encrypted files. Which leads me to think one of three things:

    1) The passwords are not hashed and only stored in those files. (Which means a key is stored somewhere and could be compromised by malware which in turn compromises any passwords).

    2) The passwords are hashed AND stored in those files. (Prevents the attack above from working as all they would have is a (hopefully strong) hash and not plain text).

    3) Passwords are hashed AND stored on their servers. (I don't see this happening from my Wireshark logs).

    Number 2 is the most secure as those files are encrypted and the password is just a hash. I have a feeling it's number 1 though. I also have a feeling the encryption key is either hard-coded or generated based on that registration key you enter on initial install.
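    As an added example (not from the thread, and not Trusteer's code), this is the design TheWindBringeth describes and x942 lists as option 2: a password-reuse detector that keeps only a per-site random salt and a PBKDF2-SHA256 hash, so a compromised store yields hashes rather than passwords and no encryption key has to be hidden on the machine. The class name, method names and iteration count are assumptions chosen for the illustration.

```python
"""Password-reuse detection that stores salted hashes only (option 2 in the thread)."""
import hashlib
import hmac
import os

# Assumption: a work factor that keeps each check interactive on modest hardware.
PBKDF2_ITERATIONS = 200_000


class ReuseDetector:
    """Remembers which sites a password was used at without keeping the password.

    Every site gets its own random salt, so the same password yields different
    stored hashes per site and the store alone reveals nothing about reuse.
    """

    def __init__(self):
        self._entries = {}  # site -> (salt, derived_key); no plaintext, no key material

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def remember(self, site, password):
        # os.urandom draws from the OS CSPRNG, not a language-level PRNG.
        salt = os.urandom(16)
        self._entries[site] = (salt, self._derive(password, salt))

    def reused_at(self, password, exclude=None):
        """Return the sites (other than `exclude`) whose stored hash matches `password`.

        Each stored entry must be re-derived with its own salt; that cost is the
        price of not keeping an unsalted or plaintext copy for fast comparison.
        """
        hits = []
        for site, (salt, stored) in self._entries.items():
            if site == exclude:
                continue
            if hmac.compare_digest(self._derive(password, salt), stored):
                hits.append(site)
        return sorted(hits)

    def contains_plaintext(self, password):
        """Design check: the raw password bytes must never appear in the store."""
        needle = password.encode("utf-8")
        return any(
            needle in salt or needle in digest
            for salt, digest in self._entries.values()
        )
```

    If the same detector instead stored passwords under a single hard-coded or install-time key (option 1), `contains_plaintext` would still pass while anything that recovers that key recovers every password; the salted-hash form has no such key to recover.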
  10. TheWindBringeth

    TheWindBringeth Registered Member

    I'm all for the "assume they screwed something up and dig for it" type approach when it comes to important software. Is your assumption about stored passwords just in keeping with that or is there some reason for Trusteer to store passwords that I'm not realizing?
  11. x942

    x942 Guest

    I assume they screwed up and store passwords (and not hashes) because of how easy it was to break Trusteer as shown in that video. A few lines of code - that's it. I hope I am wrong on this part but seeing their history, I'm not going to be surprised if it is done wrong. I've also found a way to crash Trusteer using a specially crafted (malformed) packet, leaving the browser unprotected completely.
  12. Dezaxa

    Dezaxa Registered Member

    Another problem with Trusteer Rapport is that it is incompatible with Sandboxie. This gives me a difficulty because I like to run my browser sandboxed, but my bank has provided me with a free copy of Trusteer. I'm a little concerned that if I don't run it and there is some fraudulent activity on my account in future, my bank might claim that I'm partly responsible because I didn't install the security software they provided.
  13. mattfrog

    mattfrog Registered Member

    Wow, what a damning presentation. I thought it was strange I couldn't find many details regarding how it worked (at least from Trusteer).
