Security exploit,bypassing PG to start web browser

The exploit/ leak test detailed here is apparantly able to bypass PG's execution protection

Link removed as there are links from that page that are against the Wilders TOS - Thanks. Pilli The link showed a possible exploit using DDE Direct Data Exchange

I have firefox permitted to start once only, yet the expoit code in the leak test is able to start firefox without alerting PG. (Yes, you have to allow the leak test to start first, but that's understood).

Can someone confirm this behavior? And is TDS intending to fix this?

 

Pollmaster, ProcessGuard is not an antileaktest program as such many leaktests do not run as normal processes. Having said that I am concerned that execution protection may not have picked up a new or changed .exe without alerting

I'll let DCS reply as to whether or not the new build will cover such exploits and if the leaktest above is a valid test.

Cheers. Pilli

 

Hi Pollmaster,

I don't use Firefox, but have IE set as my default browser and given "permit once" permission in PG. PG does alert me when zabypass.exe attempts to execute IE:

Tue 04 - 09:12:32 [EXECUTION] "g:\documents and settings\nick\desktop\zabypass.exe" was allowed to run
[EXECUTION] Started by "g:\windows\explorer.exe" [240]
[EXECUTION] Commandline - [ "g:\documents and settings\nick\desktop\zabypass.exe" ]
Tue 04 - 09:12:36 [EXECUTION] "g:\program files\internet explorer\iexplore.exe" was blocked from running
[EXECUTION] Started by "g:\documents and settings\nick\desktop\zabypass.exe" [1888]
[EXECUTION] Commandline - [ "g:\program files\internet explorer\iexplore.exe" -nohome ]

Nick

 

Thanks Phil.

I'm aware that PG is not a official leak test software.

Let's be clear here, the exe of firefox isn't changed, and you have to allow the leak test to start before it does it work. My concern is how something can start firefox or IE without PG noticing, something that should be within PG's execution control area.

It's using a method called DDE to run. According to HPguru this is a method used by other leak tests, but this is the only one I'm aware that is able to start processes without PG being alerted.

I'm looking forward to your reply.

Thanks.

 

Funny thing. Now I can't seem to reproduce it. It still works if firefox or IE is *already* running. But that's expected and arguably not within PG's area of responsibility, though it would be nice to have.

 

It's completely unrelated to PG. There's no exploit for PG, tested and verified. DDE is only useful if the program is already running (IE in this case) AND supports DDE

 

Great to known PG is not affected. Thanks Gavin !