Possible Vulnerability in SSM

Discussion in 'other anti-malware software' started by dmenace, Nov 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think no need to be so emotional. Let's wait and see for a week or so when dmenace will publish the leaktest.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Certainly an interesting finding.

    I personally would question the Vendor. Give them time to reply. If no reply, or no protection of this, then it would be open to question against the Vendor.
    I would of course like some verification. If no response from SSM (which I doubt), could you possibly forward this code/instructions to me? (either by PM, or I can give you my e-mail via PM) I would then contact SSM if verified, then report here.
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    You should see the difference between a bug exploit, and a leaktest. Leaktests (in the firewall meaning) do not exploit bugs, they are generic and if the tested firewall has no protection against the method used, then it's bypassed. For instance a leaktest can run IE to pass it parameters, there is no bug exploitation, and can theoretically work against any firewall. Also, "leaktest" is originally related to firewalls, not HIPS, although the term meaning can change over years (such as hacker/cracker).

    However a bug affects one specific software only (generally) and won't affect any other software. If what you found is a SSM's bug, then your test demo should be called a POC (Proof Of Concept) as it exploits a specific software vulnerability, not a leaktest.

    I'm also interested to test myself what you described. I have many HIPS at hand to check if you found a vulnerability in SSM or a generic leaktest. You can PM me if you want.

    Regards,
    gkweb.
     
    Last edited: Nov 10, 2007
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Dear gkweb,

    I think it would qualify as a "leaktest" not a specific bug in SSM. Thus I am sorry for any misunderstanding. This test is generic and focuses on a "Windows design issue".

    As such it was not top priority to contact SSM because this is not specifically for their product. If any software manufacturer wants source code they will have to email me.

    Dear screamer,

    I understand, however the code was not finished yesterday. For leaktest it is important to check pass / fail and that was not implemented. Now however it is pretty much complete.

    Just need to create a website to host the files. Any ideas? Geocities?
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    If it affects any security software out there, and if the users' security is your priority, you should send your tool to a list of security vendors, give them X days/weeks to fix it, then disclose the tool. That is what is called "responsible disclosure".

    Of course you can do the "full disclosure" way, but I'm not advocating this way, unless the vendor does not respond (just my opinion).

    As I said, you can contact me by PM. I can run a complete set of tests against your testing tool and find out how many softwares are concerned, and advise you how to proceed. However if you prefer to be on your own, I hope you'll do the right choice. The question is who do you want to help.

    Regards,
    gkweb.

    EDIT : about webhosting, I can host your executable on my website, if of course it contains nothing malicious :)
     
  6. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    How can I obtain such a list of vendors emails?

    Also it doesn't affect some products but affects others. I don't have testing resources available. How do I know who to send to?
     
  7. herbalist

    herbalist Guest

    I'd also be interested in this SSM vulnerability. I've been a beta tester of SSM for a long time.

    Regarding hosting the files, if all you're doing is sharing the files with a few companies and/or individuals, upload them to rapidshare and give the link to whoever you want to have it.
    Rick
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Option 1 : You do not necessarily need to know which security software is affected and which not, if at least one is. You can make a generic email to send to a list of security vendors, and ask them to check if their software is vulnerable to this or not, and that you will release your tool in X weeks. Generally sending an email to the support@brandname.com is enough to get an answer.

    Option 2 : If you want to know beforehand, as I said I have the resources to give you the answers. Then you can target specific security vendors. Of course it's not possible to test every existing security software, don't worry about that.

    Option 3 : You trust me enough to let me test your tool, contact the concerned security vendors, give them 2 weeks, keeping you fully informed, and giving you of course the full credits (I would just be an intermediary).

    Option 4 : You do not warn anyone, you release your tool (I'm personally not for it, just an option).

    Regards,
    gkweb.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi dmenace! Any updates on this issue?
    U have been so quiet.
    Thanks
     
  10. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Hello Aigle!

    I have contacted a list of security software vendors by email with the details of the new leaktest and gave them 1 week to fix the problem.

    So far, I've received a reply from DefenceWall and OnlineArmour who both claim they pass the leaktest. SSM has sent a reply saying they will "test it".

    The leaktest will be released to the public on the 21/11/2007 at 9am GMT + 10:00. I will post a link to it on Wilders and give further information later. This is why I was quiet as it has not been released yet.
     
  11. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Dear Wilders Community,

    As mentioned before I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.

    This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:

    http://www.geocities.com/zeroday_software/

    This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software as these have already shut down.

    A selection of Security Vendors were notified on the 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety was contacted earlier however, on the 10/11/07.

    A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).

    If you have any issues please contact me at: zeroday_software@yahoo.com
    The latest release is 1.0.20

    Mods, maybe close this thread; I've created a new one.
     
    Last edited: Nov 20, 2007
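
The exposure described in the post above (protection software has exited for a shutdown that is then cancelled) can be monitored for by correlating events. The following is an added example, not part of the original thread or the leaktest: it assumes a hypothetical normalized event stream of `(time, kind, detail)` tuples, and the service and process names are constructed.

```python
# Constructed sample events as (time_s, kind, detail); the schema is hypothetical.
SAMPLE = [
    (100, "shutdown_initiated", "setup.exe"),
    (102, "service_stopped", "hips_guard"),
    (103, "shutdown_aborted", "setup.exe"),
    (105, "process_start", "unknown.exe"),
    (130, "service_started", "hips_guard"),
    (140, "process_start", "notepad.exe"),
    (200, "shutdown_initiated", "explorer.exe"),
    (202, "service_stopped", "hips_guard"),
    (260, "boot", ""),
    (262, "service_started", "hips_guard"),
    (270, "process_start", "calc.exe"),
]

def unprotected_windows(events, protected):
    """Report periods where a protected service was down while the system kept running."""
    findings, down, pending, win = [], set(), None, None

    def close(ts):
        # Keep a window only if the shutdown was aborted or processes ran inside it.
        nonlocal win
        if win and (win["aborted"] or win["procs"]):
            win["until"] = ts
            findings.append(win)
        win = None

    for ts, kind, detail in sorted(events):
        if kind == "shutdown_initiated":
            pending = detail                      # remember who asked for the shutdown
        elif kind == "service_stopped" and detail in protected:
            down.add(detail)
            if win is None:
                win = {"since": ts, "initiator": pending, "aborted": False, "procs": []}
        elif kind == "shutdown_aborted":
            pending = None
            if win:
                win["aborted"] = True             # protection is down and the OS stays up
        elif kind == "process_start" and win:
            win["procs"].append(detail)           # ran with no protection loaded
        elif kind == "service_started" and detail in protected:
            down.discard(detail)
            if not down:
                close(ts)
        elif kind == "boot":                      # shutdown really completed
            down.clear()
            pending = None
            close(ts)
    close(None)                                   # window still open at end of data
    return findings

if __name__ == "__main__":
    for f in unprotected_windows(SAMPLE, {"hips_guard"}):
        print(f)
```

The completed shutdown at t=200 produces no finding because nothing ran between the service stopping and the next boot.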