pg_msgprot still privileged

Discussion in 'ProcessGuard' started by hojtsy, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    After uninstalling PG 1.3, and installing PG 2.0 I noticed that pg_msgprot.exe is still privileged, but the file is absent.
    This means that any hostile app can copy itself to the old location and name of pg_msgprot.exe, and hijack the privileges it was assigned.

    The PG installer should alert on any privileges assigned to non-existent files to avoid this danger.
    -hojtsy-
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hojtsy. This is not correct, as the MD5 signature will change for the offending file and you will be alerted by the Secure Desktop.

    Simple to try: rename any other file, for example notepad.exe, as pg_msgprot.exe, then try to run it ;)

    Having said that, I do agree that an alert would be nice if a file is no longer installed and/or has been moved.

    HTH Pilli
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    There is no checksum for pg_msgprot.exe, as the file is absent.
    Execution would go unnoticed if done during the learning period, or the user could also think that the pg_msgprot.exe in the Process Guard directory is legitimate and grant execution rights later.
    -hojtsy-
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Hojtsy

    In theory you are right. However the only reason that program is in the protection list is if it is held over from using the old pguard.dat. A brand new user shouldn't see it.

    Also since the program isn't run there is no process to attack, so a hacker would have to know that exe name, and where to place it for what you are suggesting to work.

    The simple solution for now is to simply remove that exe from the program protection list, and all its privileges are gone.

    Jason may come up with a permanent solution.
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The fact that execution blocking could possibly catch the dropper is no reason to omit the safe configuration of privileges. With that reasoning you can drop the privilege system and the generic protections altogether.
    Yes, the entry is left over from the PG 1.3 config for me, and for several other PG users. I already removed it, but how many of them were observant enough to remove it?
    All I suggest is to check for non-existent files on installation - trivial to implement, and I see no drawbacks.
    -hojtsy-
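The installation-time check hojtsy proposes, as an added example that is not from the thread or from ProcessGuard itself: it walks a constructed, simplified protection-list format (path|privileges|md5 per line; PG's real pguard.dat layout is assumed to differ) and flags entries whose file is absent, has no recorded checksum, or no longer matches its recorded checksum.

```python
import hashlib
import os
import tempfile

# Constructed, simplified list format (hypothetical stand-in, not PG's real file):
#   <path>|<privilege flags>|<md5 hex or empty>
def parse_protection_list(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, privs, md5 = (line.split("|") + ["", ""])[:3]
        entries.append({"path": path, "privs": privs, "md5": md5 or None})
    return entries

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def audit_protection_list(entries):
    """Return (path, problem) pairs that an installer should alert on.
    missing_file      - privileged path no longer exists, so a dropped file
                        of the same name would inherit its privileges
    no_checksum       - file present but nothing pins its identity
    checksum_mismatch - file present but differs from the recorded hash
    """
    findings = []
    for e in entries:
        if not os.path.isfile(e["path"]):
            findings.append((e["path"], "missing_file"))
        elif e["md5"] is None:
            findings.append((e["path"], "no_checksum"))
        elif md5_of(e["path"]) != e["md5"].lower():
            findings.append((e["path"], "checksum_mismatch"))
    return findings

def demo():
    """Audit a constructed list: one good entry, one stale, one unhashed, one tampered."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "good.exe")
    with open(good, "wb") as fh:
        fh.write(b"MZ-constructed-sample")          # constructed stand-in binary
    stale = os.path.join(tmp, "pg_msgprot.exe")     # deliberately never created
    text = "\n".join([
        f"{good}|allow_execute,allow_terminate|{md5_of(good)}",
        f"{stale}|allow_execute,allow_terminate|",
        f"{good}|allow_execute|",
        f"{good}|allow_execute|{'0' * 32}",
    ])
    return audit_protection_list(parse_protection_list(text))
```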
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    me at least :D

    agree :)
     