Possible Vulnerability in SSM

Discussion in 'other anti-malware software' started by dmenace, Nov 9, 2007.

Thread Status:
Not open for further replies.
  1. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Dear Wilders Users,

    I am a computer enthusiast and as such occasionally do some programming at home.

    Today however, while writing a new program (completely unrelated to security), I have accidentally discovered a critical security vulnerability that affects possibly several security applications.

    I have tested this vulnerability against SSM 2.4.0.619 and it fails allowing the creation of autostart entries in HKLM\Run. The payload can be much worse however as SSM is totally bypassed...

    My question is what should I do? Should I compile the source code and publish a "leak test" or should I contact the software company(s) affected?

    I myself can't believe such a sophisticated HIPS can be bypassed completely. I believe many more security programs may be affected but this has not been confirmed.

    Just a warning of possible zero-day attacks on zero-day protection software. Oh, the irony!
     
  2. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    I would do both.
     
    Last edited by a moderator: Nov 11, 2007
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    You should contact SSM, and not publish code.
     
  4. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I'm not surprised.
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    SSM is far from the most sophisticated HIPS, and even those get bypassed on occasion. No cause to jump in alarm.

    Would the vulnerability involve registry hive files, by any chance?
     
    Last edited: Nov 9, 2007
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Without publishing code, can you explain how this attack is launched?
    • Malware installs and then is executed and bypasses protection?

    • By script embedded in a web site?

    ----
    rich
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Do you mean .reg files?
     
  8. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Solcroft, what HIPS do you feel is the most sophisticated?
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I just wonder why you haven't contacted the SSM team already? After it's fixed you can always publish the POC. And all these HIPS can be bypassed, but the question is how many malware creators will actually take the time to try to bypass these tools which are used by only a minority. :)
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope. .reg files contain registry data, but hive files ARE the registry itself, as far as I understand it. An attack was published some time ago demonstrating a method to attack the registry using .hiv files, which even EQSecure and ProSec failed to stop unless their data protection features were used to block the creation of the .hiv files in the first place.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks solcroft :)
     
  12. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Thanks for all your replies.

    Yes, that's how it is bypassed. Initially application execution must be allowed.

    I will first contact SSM and several other companies affected then publish the leaktest after say a week.

    This leaktest will have 3 "payloads" - an EICAR test file execution, an outbound network connection test and an autostart registry test.

    This way you can test your AV, HIPS and FW. All 3 can be affected due to the generic nature of the test.

    I'll keep you posted!
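    The autostart payload described in this thread (creation of entries under HKLM\Run while the HIPS is bypassed) is something a user can verify independently of the HIPS, by keeping a baseline of the Run key and diffing a fresh export against it. The following script is an added defensive example written for this thread, not code from dmenace or from the SSM project. It assumes the input is the text produced by `reg query` on the Run key (name, type and data separated by runs of spaces); the two snapshots below are constructed sample data, and the list of "suspect" directories is a constructed heuristic, not anything the thread states.

```python
"""Diff a baseline export of the HKLM Run key against a current export.

Added example for this thread (not the original poster's code). Input layout
is assumed to match `reg query <key>` output; both snapshots are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


class RunEntry(NamedTuple):
    name: str
    reg_type: str
    data: str


# One value line: leading indent, name, 2+ spaces, REG_* type, 2+ spaces, data.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Constructed heuristic: autostart commands living in world-writable folders
# deserve a closer look. Adjust to taste; this is an assumption, not policy.
SUSPECT_DIRS = ("\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")

# Constructed baseline snapshot (taken on a known-good system).
BASELINE_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /silent
"""

# Constructed current snapshot: one entry added, one entry's command changed.
CURRENT_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /silent /debug
    UpdateHelper    REG_SZ    C:\Users\Public\uphelper.exe
"""


def parse_reg_query(text: str) -> Dict[str, RunEntry]:
    """Parse reg query style output into a name -> RunEntry mapping.

    The key header line has no indent and is skipped; only indented value
    lines that match the assumed layout are kept.
    """
    entries: Dict[str, RunEntry] = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            name = match["name"].strip()
            entries[name] = RunEntry(name, match["type"], match["data"].strip())
    return entries


def diff_autostart(
    baseline: Dict[str, RunEntry], current: Dict[str, RunEntry]
) -> Tuple[Dict[str, RunEntry], Dict[str, RunEntry], Dict[str, Tuple[RunEntry, RunEntry]]]:
    """Return (added, removed, changed) entries between two snapshots."""
    added = {n: e for n, e in current.items() if n not in baseline}
    removed = {n: e for n, e in baseline.items() if n not in current}
    changed = {
        n: (baseline[n], current[n])
        for n in current
        if n in baseline and (baseline[n].data, baseline[n].reg_type) != (current[n].data, current[n].reg_type)
    }
    return added, removed, changed


def flag_untrusted_locations(entries: Dict[str, RunEntry]) -> List[str]:
    """Names of entries whose command points into a suspect directory (heuristic)."""
    return sorted(n for n, e in entries.items() if any(d in e.data.lower() for d in SUSPECT_DIRS))


def audit(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Run the full comparison and return a report keyed by finding type."""
    baseline = parse_reg_query(baseline_text)
    current = parse_reg_query(current_text)
    added, removed, changed = diff_autostart(baseline, current)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "changed": sorted(changed),
        "suspect_location": flag_untrusted_locations(current),
    }


if __name__ == "__main__":
    for finding, names in audit(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT).items():
        print(f"{finding}: {names}")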
     
  13. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Just wondering if like Matousec, is there any money to be made from this? :doubt:

    Edit: I suppose not...
     
    Last edited: Nov 9, 2007
  14. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Me knows what you are talking about....I suppose SSM fixed this problem already.
     
  15. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Can you elaborate on which other company's product is also affected besides SSM?
     
  16. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Not at this moment, however most software firewalls are not affected.
     
  17. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Hi dmenace, ok just to make sure I understand, as a user of SSM....Malware gets on your computer, and you have to initially permit it to execute, then SSM is in trouble....yes.
     
  18. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    So we are looking at a firewall problem rather than a HIPS problem here? o_O I am confused :eek:
     
  19. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Yes, you are correct. You must allow the application to start, then SSM will be in trouble.

    We are looking at a HIPS problem that could affect some other security software like firewalls and antivirus.

    There is however no cause for alarm. I will first contact the vendors and then later publish a leaktest. This is not a traditional leaktest as it is not designed to test only a firewall but also HIPS and AV.
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    dmenace, what are the results with my DefenseWall HIPS? Have you tested your sample code with it?
     
  21. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Thanx dmenace, appreciate the warning.
     
  22. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    I've done some more testing:

    DefenseWall HIPS is safe, the test fails when run as untrusted.
    Nod32 is also safe, Eicar file access is denied.
    The only vulnerable program I know is System Safety Monitor.

    I am not doing any more tests - you can do these yourself when the leaktest is released later.

    I am a bit busy so this leaktest development and contacting SSM has been put on hold but will be done in a week.

    Till then, cya.:-*
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    No specifics have been provided. No offense but -- until such details are revealed -- it's simply an allegation/FUD in my opinion.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi solcroft.

    If you wouldn't mind could you post some links concerning the .hiv risks. I simply like to go over those details for record, and thanks for making mention of it.

    Likewise I would be interested in just what this vulnerability is that bypasses SSM.
     
  25. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    You seem to have enough time to post here. You don't have enough time to drop SSM an e-mail? Just curious o_O

    ...screamer
     