Date: Thu, 09 Dec 2010 20:20:53 +0000
From: mrx <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox Addon: KeyScrambler


On 09/12/2010 19:33, Elazar Broad wrote:
> Just lightly scratching the surface, KeyScrambler.sys is signed by
> GlobalSign, strings reveals nothing interesting other than OpenSSL
> 0.9.8a is used.
> 
> elazar

Yes, I noticed the RSA source code references in the disassembly.

Now I am curious if this implementation of OpenSSL is vulnerable to the various CVEs that have been issued against 0.9.8a.

CVE-2007-4995: Off-by-one error in DTLS vulnerability
CVE-2007-5135: One-byte buffer overflow in the SSL_get_shared_ciphers function
CVE-2007-3108: BN_from_montgomery side-channel attack

And how it could be exploited if this is the case. I am not skilled enough to know.
However, if I was developing this software I would update it.

Cheers
Dave


> On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault
> <gary@...ibault.net> wrote:
>> Call me paranoid, but that sure would be a good way to spread a
>> key logger!
> 
>> Gary B
> 
> 
>> On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>>> Dave,
>>>
>>> That's ok. Glad to have helped out :)
>>>
>>> Cheers,
>>> Chris.
>>>
>>>
>>>
>>> On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx@...pergander.org.uk
>> <mailto:mrx@...pergander.org.uk>> wrote:
>>>
>>> On 09/12/2010 10:26, Christian Sciberras wrote:
>>>>> I tried installing this plugin to Firefox 3.6.12 in a
>> virtualbox
>>> XP32(SP3)
>>>> environment and it is incompatible.
>>>>> I may wait for an update to the plugin and analyse its
>> behaviour,
>>>> providing my curiosity doesn't wane in the meantime.
>>>
>>>> Alternatively, you can just decompress the XPI (it's in fact a
>> zip) and
>>>> inspect the js files and/or decompress any binaries.
>>>> I suppose they are distributing some form of driver, so you'd
>> find
>>>> IDA/ollydbg useful.
>>>
>>>
>>>
>>>> Chris.
>>>
>>>
>>> I extracted the files (various .js files and an exe) from the
>> xpi.
>>> The .js files version check and create an instance of
>> keyscrambler.sys
>>> with the current firefox window passed to it as an argument.
>>>
>>> I also extracted the contents of the executable; setup.exe.
>>> Setup.exe contained various DLLs and one sys file. I presumed
>> this
>>> sys file; keyscrambler.sys, is the driver and main component of
>> this
>>> addon.
>>> To confirm I monitored the running of setup.exe.
>>>
>>> My presumption was correct; keyscrambler.sys is installed in
>> system32
>>> folder and is registered as an autostarting service, although it
>> is hidden
>>> from the services pane in computer management.
>>>
>>> This is where my "skills" bottom out. ASM is something I have
>> not yet
>>> got my head around.
>>> I have a clue, but that's about all I do have... in time ;-)
>>>
>>> Thanks for your advice and input
>>> regards
>>> Dave
>>>
>>>
>>>> On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx@...pergander.org.uk
>>> <mailto:mrx@...pergander.org.uk>> wrote:
>>>
>>>> On 08/12/2010 11:30, Tim Gurney wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> This seems to contradict itself somewhat. A plugin to
>> firefox should
>>>>>>> have no way to encrypt things at a driver level within the
>>> kernel, that
>>>>>>> would require installing separate software at the root
>> level, a
>>> plugin
>>>>>>> should not be able to do this and I would be VERY worried
>> and
>>> surprised
>>>>>>> if it could as it would mean bypassing the security of the
>> OS.
>>>
>>>> I tried installing this plugin to Firefox 3.6.12 in a
>> virtualbox
>>> XP32(SP3)
>>>> environment and it is incompatible.
>>>> I may wait for an update to the plugin and analyse its
>> behaviour,
>>> providing
>>>> my curiosity doesn't wane in the meantime.
>>>
>>>> I am not a professional, I do this kind of research as a hobby
>> and for
>>>> educational purposes, when I have some free time.
>>>
>>>
>>>>>>> Also if the driver is encrypting the key strokes and the
>> plugin is
>>>>>>> decrypting, what about all the keystrokes that are not in
>>> firefox, like
>>>>>>> email, word processing, programming, there is nothing to
>> decrypt
>>> these
>>>>>>> so you would end up only ever being able to use firefox on
>> the
>>> machine
>>>>>>> and nothing else ever again.
>>>
>>>> The devs do state that it only encrypts keystrokes in Firefox
>> and
>>> not other
>>>> applications, although they do sell a version that supposedly
>> works
>>>> "in over 160 browsers and applications".
>>>>>>>
>>>>>>> personally I would not touch this with a barge pole and I
>> would
>>> do a lot
>>>>>>> more digging and checking into this.
>>>
>>>> Yes, I am sceptical of claims, hence the post to this list.
>>>
>>>
>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Tim
>>>
>>>
>>>> Thanks for your input
>>>> Dave.
>>>
>>>
>>>>>>>
>>>>>>> On 08/12/10 11:12, mrx wrote:
>>>>>>>> Hi list,
>>>>>>>
>>>>>>>> Is anyone familiar with the firefox addon KeyScrambler?
>> According to
>>>> developers this encrypts keystrokes.
>>>>>>>
>>>>>>>> Quote:
>>>>>>>> "How KeyScrambler Works:
>>>>>>>> When you type on your keyboard, the keys travel along a
>> path
>>> within the
>>>> operating system before it arrives at your browser. Keyloggers
>> plant
>>>>>>>> themselves along this path and observe and record your
>>> keystrokes. The
>>>> collected information is then sent to the criminals who will
>> use it to
>>>>>>>> steal from you.
>>>>>>>
>>>>>>>> KeyScrambler defeats keyloggers by encrypting your
>> keystrokes at the
>>>> keyboard driver level, deep within the operating system. When
>> the
>>> encrypted
>>>>>>>> keystrokes reach your browser, KeyScrambler then decrypts
>> them
>>> so you
>>>> see exactly the keys you've typed. Keyloggers can only record
>> the
>>>>>>>> encrypted keys, which are completely indecipherable."
>>>>>>>
>>>>>>>> Can this be trusted? As in trusted I mean not bypassed.
>>>>>>>
>>>>>>>> Input from the professionals on this list would be much
>> appreciated.
>>>>>>>
>>>>>>>> Thank you
>>>>>>>> regards
>>>>>>>> Dave
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>



- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
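
The static triage discussed in this thread (unpack the XPI as a zip, then look for embedded library version strings), as an added example that is not part of the original messages. The sample archive and its file names are constructed, and the depth and size limits are assumed values.

```python
import io
import re
import zipfile

MAX_DEPTH = 3                   # nested-archive limit (assumed value)
MAX_MEMBER = 64 * 1024 * 1024   # skip members larger than this (assumed value)
# Version banner as ASCII and as UTF-16LE; a default `strings` run misses the latter.
ASCII = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
WIDE = re.compile("OpenSSL ".encode("utf-16-le") + rb"((?:[0-9a-z.]\x00)+)")

def openssl_versions(blob):
    """Return the set of OpenSSL version strings embedded in a byte blob."""
    found = {m.group(1).decode() for m in ASCII.finditer(blob)}
    found |= {m.group(1).decode("utf-16-le") for m in WIDE.finditer(blob)}
    return found

def scan_archive(data, prefix="", depth=0):
    """Map member path -> versions for a zip/XPI, descending into nested zips."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            blob = zf.read(info)
            name = prefix + info.filename
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(blob)):
                try:
                    results.update(scan_archive(blob, name + "!/", depth + 1))
                    continue
                except zipfile.BadZipFile:
                    pass  # only looked like a zip; fall through to the string scan
            versions = openssl_versions(blob)
            if versions:
                results[name] = versions
    return results

def build_sample_xpi():
    """Constructed sample: an XPI-like zip holding a nested zip with fake binaries."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("driver.sys", b"MZ\x90\x00OpenSSL 0.9.8a 11 Oct 2005\x00\xff\xff")
        zf.writestr("helper.dll", "OpenSSL 0.9.8a".encode("utf-16-le") + b"\x00\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("install.js", b"// no crypto here")
        zf.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, versions in sorted(scan_archive(build_sample_xpi()).items()):
        print(path, sorted(versions))
```

A version banner only shows which release the code was built from; whether a given CVE applies still depends on which library functions the binary actually uses.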
