Possible Vulnerability in SSM

Dear Wilders Users,

I am a computer enthusiast and as such occasionally do some programming at home.

Today however, while writing a new program (completely unrelated to security), I have accidently discovered a critical security vulnerability that affects possibly several security applications.

I have tested this vulnerability against SSM 2.4.0.619 and it fails allowing the creation of autostart entries in HKLM\Run. The payload can be much worse however as SSM is totally bypassed...

My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected?

I myself cant believe such a sophisticated HIPS can be bypassed completely. I believe many more security programs may be affected but this has not been confirmed.

Just a warning of possible zero-day attacks on zero-day protection software. Oh, the irony!

 

I would do both.-

 

I'm not surprised.

 

SSM is far from the most sophisticated HIPS, and even those get bypassed on occassion. No cause to jump in alarm.

Would the vulnerability involve registry hive files, by any chance?

 

Without publishing code, can you explain how this attack is launched?

• Malware installs and then is executed and bypasses protection?
  
  
• By script embeded in a web site?

----
rich

 

Do you mean .reg files?

 

Solcroft, what HIPs do you feel is the most sophisticated?

 

I just wonder why you haven´t contacted the SSM team already? After it´s fixed you can always publish the POC. And all these HIPS can be bypassed, but the question is how many malware creators will actually take the time to try to bypass these tools which are used by only a minority.

 

Nope. .reg files contain registry data, but hive files ARE the the registry itself, as far as I understand it. An attack was published some time ago demonstrating a method to attack the registry using .hiv files, which even EQSecure and ProSec failed to stop unless their data protection features were used to block the creation of the .hiv files in the first place.

 

Thanks solcroft

 

Thanks for all your replies.

Yes thats how it is bypassed. Initially application execution must be allowed.

I will first contact SSM and several other companies affected then publish the leaktest after say a week.

This leaktest will have 3 "payloads" - an eicar test file execution, an outbound network connection test and a autostart registry test.

This is way you can test your AV, HIPS and FW. All 3 can be affected due to the generic nature of the test.

I'll keep you posted!

 

Just wondering if like Matousec, is there any money to be made from this?

Edit: I suppose not...

 

Me knows what your are talking about....I supposed SSM fixed this problem already.

 

Can you elaborate on which other company's product is also affected besides SSM?

 

Not at this moment, however most software firewalls are not affected.

 

Hi demenace, ok just to make sure I understand, as a user of SSM....Malware gets on your computer, and you have to initially permit it to execute, then SSM is in trouble....yes.

 

So we are looking at a firewall problem rather than a HIPS problem here? I am confused

 

\

Yes you are correct, You must allow the application to start then SSM will be in trouble.

We are looking at a HIPS problem that could affect some other security software like firewalls and antivirus.

There is however no cause for alarm. I will first contact the vendors and then later publish a leaktest. This is not a traditional leaktest as it is not designed to test only a firewall but also HIPS and AV.

 

dmenace, what are the results with my DefenseWall HIPS? Have you testes your sample code with it?

 

Thanx dmenace, appreciate the warning.

 

I've done some more testing:

DefenseWall HIPS is safe, the test fails when run as untrusted.
Nod32 is also safe, Eicar file access is denied.
The only vulnerable program I know is System Safety Monitor.

I am not doing anymore tests - you can do these yourself when leaktest released later.

I am bit busy so this leaktest development and contacting SSM has been put on hold but will be done in a week.

Till then, cya.

 

No specifics have been provided. No offense but -- until such details are revealed -- it's simply an allegation/FUD in my opinion.

 

Hi solcroft.

If you wouldn't mind could you post some links concerning the .hiv risks. I simply like to go over those details for record, and thanks for making mention of it.

Likewise i would be interested in just what this vulnerability is that bypasses SSM.

 

You seem to have enough time to post here. You don't have enough time to drop SSM an e-mail? Just curious

...screamer