Security exploit,bypassing PG to start web browser

Discussion in 'ProcessGuard' started by Pollmaster, Oct 4, 2005.

Thread Status:
Not open for further replies.
  1. Pollmaster

    Pollmaster Guest

    The exploit/leak test detailed here is apparently able to bypass PG's execution protection.

    Link removed as there are links from that page that are against the Wilders TOS. Thanks, Pilli. The link showed a possible exploit using DDE (Direct Data Exchange).

    I have Firefox permitted to start once only, yet the exploit code in the leak test is able to start Firefox without alerting PG. (Yes, you have to allow the leak test to start first, but that's understood.)

    Can someone confirm this behavior? And is TDS intending to fix this?
     
    Last edited by a moderator: Oct 4, 2005
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Pollmaster, ProcessGuard is not an anti-leaktest program as such; many leaktests do not run as normal processes. Having said that, I am concerned that execution protection may not have picked up a new or changed .exe without alerting.

    I'll let DCS reply as to whether or not the new build will cover such exploits and if the leaktest above is a valid test. :)

    Cheers. Pilli
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Pollmaster,

    I don't use Firefox, but have IE set as my default browser and given "permit once" permission in PG. PG does alert me when zabypass.exe attempts to execute IE:

    Tue 04 - 09:12:32 [EXECUTION] "g:\documents and settings\nick\desktop\zabypass.exe" was allowed to run
    [EXECUTION] Started by "g:\windows\explorer.exe" [240]
    [EXECUTION] Commandline - [ "g:\documents and settings\nick\desktop\zabypass.exe" ]
    Tue 04 - 09:12:36 [EXECUTION] "g:\program files\internet explorer\iexplore.exe" was blocked from running
    [EXECUTION] Started by "g:\documents and settings\nick\desktop\zabypass.exe" [1888]
    [EXECUTION] Commandline - [ "g:\program files\internet explorer\iexplore.exe" -nohome ]

    Nick
     
    Last edited by a moderator: Oct 4, 2005
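    As an added illustration (not code from the thread or from DiamondCS), here is a small parser for the ProcessGuard [EXECUTION] log format quoted above, plus a check that flags browser launches whose parent is not the desktop shell. The log text is a constructed sample copied from the format shown above; the regexes assume that every event is a header line followed by a "Started by" line and a "Commandline" line.

```python
import re

# Constructed sample in the ProcessGuard log format quoted in this thread.
PG_LOG = r"""Tue 04 - 09:12:32 [EXECUTION] "g:\documents and settings\nick\desktop\zabypass.exe" was allowed to run
[EXECUTION] Started by "g:\windows\explorer.exe" [240]
[EXECUTION] Commandline - [ "g:\documents and settings\nick\desktop\zabypass.exe" ]
Tue 04 - 09:12:36 [EXECUTION] "g:\program files\internet explorer\iexplore.exe" was blocked from running
[EXECUTION] Started by "g:\documents and settings\nick\desktop\zabypass.exe" [1888]
[EXECUTION] Commandline - [ "g:\program files\internet explorer\iexplore.exe" -nohome ]
"""

# Header line: timestamp, image path and PG's verdict (assumed format, from the excerpt above).
HEAD = re.compile(r'^(?P<time>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] "(?P<image>[^"]+)"'
                  r' was (?P<verdict>allowed to run|blocked from running)$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')


def parse_pg_log(text):
    """Group each header line with its following parent/commandline lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEAD.match(line)
        if m:
            events.append({"time": m["time"], "image": m["image"].lower(),
                           "allowed": m["verdict"] == "allowed to run",
                           "parent": None, "parent_pid": None, "cmdline": None})
            continue
        if not events:
            continue  # continuation line with no preceding header: ignore it
        m = PARENT.match(line)
        if m:
            events[-1]["parent"] = m["parent"].lower()
            events[-1]["parent_pid"] = int(m["pid"])
            continue
        m = CMD.match(line)
        if m:
            events[-1]["cmdline"] = m["cmd"]
    return events


BROWSERS = ("iexplore.exe", "firefox.exe")  # images worth watching (assumed list)
SHELLS = ("explorer.exe",)                  # parents considered a normal user launch


def browser_launches_by_non_shell(events):
    """Return browser launch events whose parent is not the desktop shell, allowed or not."""
    basename = lambda p: (p or "").rsplit("\\", 1)[-1]
    return [e for e in events
            if basename(e["image"]) in BROWSERS and basename(e["parent"]) not in SHELLS]
```

Running it over the sample yields one hit: the iexplore.exe launch whose parent is zabypass.exe, which PG blocked.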
  4. Pollmaster

    Pollmaster Guest

    Thanks, Phil.

    I'm aware that PG is not an official leak test software.

    Let's be clear here: the exe of Firefox isn't changed, and you have to allow the leak test to start before it does its work. My concern is how something can start Firefox or IE without PG noticing, something that should be within PG's execution control area.

    It's using a method called DDE to run. According to HPguru this is a method used by other leak tests, but this is the only one I'm aware of that is able to start processes without PG being alerted.

    I'm looking forward to your reply.

    Thanks.
     
  5. Pollmaster

    Pollmaster Guest

    Funny thing. Now I can't seem to reproduce it. It still works if Firefox or IE is *already* running. But that's expected and arguably not within PG's area of responsibility, though it would be nice to have.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's completely unrelated to PG. There's no exploit for PG, tested and verified. DDE is only useful if the program is already running (IE in this case) AND supports DDE.
     
  7. MichelB

    MichelB Guest

    Great to know PG is not affected. Thanks, Gavin!
     