Unbiased Review of Trusteer Rapport - 44Con 2011

Discussion in 'other security issues & news' started by Hungry Man, Mar 18, 2012.

Thread Status:
Not open for further replies.
  1. x942 (Registered Member)

    So far I haven't managed to drop a payload. Trusteer crashes before I have a chance. I've found some other interesting things though. If I do find something I will be sure to post it publicly to force their hand in fixing it.

    I stopped using it for this exact reason: It's useless. It doesn't do anything to help you and if your browser is hit by an exploit (say flash) the malware will still be able to key log you.
  2. Hungry Man (Registered Member)

    Well, I'd suggest giving them a warning (and sending information on the exploit) so that there's a reasonable disclosure time. And after a few days you can throw it up on metasploit.
  3. x942 (Registered Member)

    That's what I mean :p Yes, I will give them the standard 30 days. I won't sign any NDAs though.
  4. Hungry Man (Registered Member)

    Good lol just want to make sure you don't end up with some lawyers on your ass. I'd imagine that if they're willing to throw so much behind marketing they're also willing to throw it behind a legal team.

    Since Trusteer is so useless I wonder if it's so simple to bypass something like Keyscrambler. There seem to be fundamental flaws like the inability to verify that encryption has taken place.

    I would think that key-encryption would take either hardware support or kernel support.
  5. moontan (Registered Member)

    Wow!
    To think that I trusted this thing almost with blind faith.

    eye opener indeed.
  6. x942 (Registered Member)

    How about bypassing with no code? I did some digging and watched everything Trusteer did from install to initial run and found some interesting things:

    Step 1: Disable Trusteer Rapport's service (RapportMgmtService.exe):

    Code:
    [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
    "CSConfigFlags"=dword:00000001
    You could probably use Services.msc as well.

    Step 2: Reboot - This is needed to disable the kernel driver (RapportPG.sys).

    Step 3: You now have access to Trusteer's folders. Open Command Prompt and navigate over:
    Code:
     cd \"Program Files"
    Step 4: Rename Trusteer (The folder) to anything else.
    Code:
    rename Trusteer [New_Name_here]
    Step 5: Launch the browser and you are no longer protected. I have written a batch script that automates this. Someone more talented than me with code could probably find a way around the reboot in step #2. (Crash the service somehow; maybe a buffer overflow/memory corruption.)

    Step 6: o_O

    Step 7: Profit?

    To undo the changes just reset the value here:
    Code:
    [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
    "CSConfigFlags"=dword:00000000
    and rename the Trusteer folder back to "Trusteer"

    Code:
    rename [New_Name_here] Trusteer
  7. x942 (Registered Member)

    I also find this disturbing:

    Source

    Apparently they are stored in encrypted javascript files. Wait. Full stop. I hope they aren't using javascript's (insecure) pseudo-random number generator for keys...
  8. TheWindBringeth (Registered Member)

    Conceptually, I love the idea of something preventing you from using the same password at multiple secure sites. I don't, and my pattern wouldn't allow me to, but still. It seems to me that such a utility doesn't have to, and just as a matter of general safe philosophy no one would ever want it to, separately store a password. All it needs to do is store extremely long hashes of the passwords and do so extremely securely, right?
  9. x942 (Registered Member)

    Yes, long hashes (SHA256 I would hope) would work. But the passwords are in some form (I assume) in those encrypted files. Which leads me to think one of three things:

    1) The passwords are not hashed and only stored in those files. (Which means a key is stored somewhere and could be compromised by malware which in turn compromises any passwords).

    2) The passwords are hashed AND stored in those files. (Prevents the attack above from working as all they would have is a (hopefully strong) hash and not plain text).

    3) Passwords are hashed AND stored on their servers. (I don't see this happening from my Wireshark logs).

    Number 2 is the most secure as those files are encrypted and the password is just a hash. I have a feeling it's number 1 though. I also have a feeling the encryption key is either hard-coded or generated based on that registration key you enter on initial install.
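As an added example (not code from the thread, and not Trusteer's design), here is how option 2 above can work in practice: a reuse detector that keeps only slow, keyed hashes, so that a leaked store yields no passwords and a hard-coded or registration-derived key is never needed. The class name, key size and round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: detect the same password being used at two sites
# without ever storing a password.  Only a slow keyed hash per site is kept.
PBKDF2_ROUNDS = 200_000  # deliberately slow so a leaked store resists brute force


class ReuseDetector:
    def __init__(self, install_key: bytes = b""):
        # One random per-installation key from the OS CSPRNG (assumption:
        # 32 bytes).  A single key is needed so that hashes of the same
        # password entered at different sites are comparable to each other.
        self.install_key = install_key or secrets.token_bytes(32)
        self.store: dict[str, bytes] = {}  # site -> hash; no plaintext anywhere

    def _digest(self, password: str) -> bytes:
        # PBKDF2-HMAC-SHA256 with the install key as salt: slow and keyed.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.install_key, PBKDF2_ROUNDS
        )

    def record(self, site: str, password: str) -> list[str]:
        """Store the hash for `site`; return other sites already using it."""
        digest = self._digest(password)
        reused_at = [
            s for s, d in self.store.items()
            if s != site and hmac.compare_digest(d, digest)  # constant-time compare
        ]
        self.store[site] = digest
        return sorted(reused_at)


def demo() -> dict:
    # Fixed key so the run is reproducible; a real install would use a random one.
    det = ReuseDetector(install_key=b"\x01" * 32)
    passwords = {"bank.example": "correct horse",
                 "shop.example": "battery staple",
                 "mail.example": "correct horse"}  # same password as the bank
    results = {site: det.record(site, pw) for site, pw in passwords.items()}
    # Check a reviewer would make: nothing in the store equals a password.
    leaked = any(pw.encode("utf-8") in det.store.values() for pw in passwords.values())
    results["plaintext_in_store"] = leaked
    return results


if __name__ == "__main__":
    print(demo())
```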
  10. TheWindBringeth (Registered Member)

    I'm all for the "assume they screwed something up and dig for it" type approach when it comes to important software. Is your assumption about stored passwords just in keeping with that or is there some reason for Trusteer to store passwords that I'm not realizing?
  11. x942 (Registered Member)

    I assume they screwed up and store passwords (and not hashes) because of how easy it was to break Trusteer as shown in that video. A few lines of code - that's it. I hope I am wrong on this part but seeing their history, I'm not going to be surprised if it is done wrong. I've also found a way to crash Trusteer using a specially crafted (malformed) packet, leaving the browser unprotected completely.
  12. Dezaxa (Registered Member)

    Another problem with Trusteer Rapport is that it is incompatible with Sandboxie. This gives me a difficulty because I like to run my browser sandboxed, but my bank has provided me with a free copy of Trusteer. I'm a little concerned that if I don't run it and there is some fraudulent activity on my account in future, my bank might claim that I'm partly responsible because I didn't install the security software they provided.
  13. mattfrog (Registered Member)

    Wow, what a damning presentation. I thought it was strange I couldn't find many details regarding how it worked (at least from Trusteer).

    UNINSTALLED.