lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Sep 2011 11:37:15 +0100
From: mu-b <mu-b@...it-labs.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Trusteer Rapport and anti-keylogging

All - It has been a few weeks now since I demonstrated the following at
44con (http://www.44con.com) and thus time to just dump the details here.

The following are what can only be described as 'design flaws' in
Trusteer Rapport's anti-keylogger protections, that is Rapport provides
the functionality to decrypt keys to *everyone* along with the ability
to 'switch-off' anti-keylogger protections all together. However, I
should say that in the latter case, Trusteer aren't the only ones to
provide such functionality, KeyScrambler does also.

This is somewhat documented in the following post,
http://www.digit-security.com/blog/?p=47

The following are for OSX *only*, but you can extend these to Windows
trivially (the ioctl obfuscation layer is easily bypassed by using
Trusteer's own code),

http://wwww.digit-security.com/files/exploits/rapport-switchoff.c
- switches off anti-keylogger protections on OSX allowing your already
existing keylogger to function correctly once again.

http://wwww.digit-security.com/files/exploits/rapport-listen.c
- uses Trusteer's own functionality to 'decrypt' keys directly.

-- 
mu-b
(mu-b@...it-labs.org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

Powered by blists - more mailing lists