Message-ID: <BAY174-W77107F61BBA4CB89E87AA85520@phx.gbl>
Date: Sat, 3 Aug 2013 20:17:20 +0000
From: saw saw <dovakin_saw@...mail.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Trusteer Rapport memory selfcheck bypass

 # Exploit Title: Trusteer Rapport memory selfcheck bypass
 # Date: 29.07.2013
 # Exploit Author: dovakin
 # Vendor Homepage: http://www.trusteer.com
 # Software Link: https://www.trusteer.com/download-trusteer-rapport?
 # Version: <= 1208.41
 # Tested on: Win 7 Professional English x32

Trusteer Rapport allows memory modification in the context of its critical process, which turns off Rapport's self-check that detects replaced (hooked) system APIs and restores them.

The subroutine IsApiPatched in the RapportGP.dll module is unsafe: the memory of this patch-checking routine can easily be modified in order to disable Rapport's user-hook replacement checks.

; =============== S U B  R O U T  I N E =======================================


; IsApiPatched -- RapportGP.dll, as disassembled in the report (IDA/MASM syntax).
; Calling convention, as far as the listing shows it:
;   ecx   = implicit object pointer; saved in ebp, only [ebp+4] is read later
;           (nonzero [ebp+4] enables the "Reporting patch." path)
;   arg_0 = first stack arg  -> ebx, passed straight through to the two
;           indirect calls on esi (presumably the API descriptor; confirm)
;   arg_4 = second stack arg -> esi, an object whose table at [esi] supplies
;           the slots called at +10h and +14h (looks like a C++ vtable:
;           "check" and "fix"; confirm against the binary)
;   retn 8 cleans both stack args; ebx/ebp/esi/edi are saved and restored.
; Out: eax = return value of the last call made on the path taken; on the
;   GoodGuy short-cut it is the 0 returned by the +10h check.
; Clobbers: eax, ecx, edx, flags.
; Review note: this routine is the decision point for restoring and reporting
;   a hooked API. Per the report its own code is not protected by the
;   integrity check it implements, so a write to this function's text from
;   inside the process removes the detection without any log line being
;   emitted. Mitigation: cover the checker's own pages with the integrity
;   check, or perform the verification out of process.
IsApiPatched    proc near

arg_0        = dword    ptr  4
arg_4        = dword    ptr  8

        push    ebx
        mov    ebx, [esp+4+arg_0]      ; ebx = arg_0 (one push so far)
        push    ebp
        push    esi
        mov    esi, [esp+0Ch+arg_4]    ; esi = arg_4 (three pushes so far)
        mov    eax, [esi]              ; eax = table pointer at [esi]
        mov    edx, [eax+10h]          ; edx = slot +10h: the "is it patched" check (inferred)
        push    edi
        mov    ebp, ecx                ; keep implicit ecx arg; [ebp+4] consulted below
        push    ebx                    ; stack arg: arg_0
        mov    ecx, esi                ; this = esi
        call    edx                    ; eax = check(esi, arg_0)
        mov    edi, eax                ; edi = check result; treated as an object pointer
                                       ; below ([edi] is dereferenced at loc_CA6961)
        test    edi, edi
        ; edi == 0: nothing to fix; fix, report and cleanup are all skipped
        jz    GoodGuy        ; !!! jump to IsApiPatched always returns ok
        ; sub_CD0CA0 takes 4 stack args (level, path, function, message) and
        ; the caller cleans 10h bytes afterwards -- presumably a trace/log helper
        push    offset aPerformingPatc ; "Performing patch fix."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentryP ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1
        call    sub_CD0CA0
        mov    eax, [esi]
        mov    edx, [eax+14h]          ; edx = slot +14h: the restore ("fix") routine
        add    esp, 10h                ; drop the 4 log args
        push    edi                    ; stack args: (edi = check result, arg_0)
        push    ebx
        mov    ecx, esi                ; this = esi
        call    edx        ; !!! restore hooked Api
        mov    bl, al                  ; bl = fix succeeded flag (arg_0 in ebx no longer needed)
        test    bl, bl
        jnz    short loc_CA690F
        push    offset aPatchFixFailed ; "Patch    fix failed."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_0 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    4                      ; higher level than the success message (1)
        jmp    short loc_CA6920
; ---------------------------------------------------------------------------

loc_CA690F:                ; CODE XREF: IsApiPatched+4A.j
        push    offset aPatchFixDone_ ;    "Patch fix done."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_1 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1

loc_CA6920:                ; CODE XREF: IsApiPatched+5D.j
        call    sub_CD0CA0             ; log "done" or "failed" (args pushed above)
        add    esp, 10h
        cmp    dword ptr [ebp+4], 0    ; reporting only when the implicit object's +4 field is set
        jz    short loc_CA6961
        push    offset aReportingPatch ; "Reporting patch."
        push    offset aPatch_sentry_0 ; "patch_sentry_policy_fix_and_report_if_p"...
        push    offset a_Patch_sentr_2 ; ".\\patch_sentry\\patching_sentry_reporter"...
        push    1
        call    sub_CD0CA0
        add    esp, 10h
        test    bl, bl                 ; status string chosen by the fix result
        mov    ecx, offset aFixed ; "fixed"
        jnz    short loc_CA6955
        mov    ecx, offset aErrors_during_ ; "errors_during_fix"

loc_CA6955:                ; CODE XREF: IsApiPatched+9E.j
        mov    eax, [ebp+4]
        push    edi                    ; stack args: (check result, [ebp+4])
        push    eax
        mov    edx, esi                ; register args: edx = esi, ecx = status string
        call    sub_CA6430             ; the reporter (inferred from the log text above)

loc_CA6961:                ; CODE XREF: IsApiPatched+7C.j
        mov    edx, [edi]              ; table of the object returned by the check
        mov    eax, [edx]              ; slot 0
        push    1
        mov    ecx, edi                ; this = edi
        call    eax                    ; slot0(edi, 1) -- looks like a release/delete; confirm

GoodGuy:                ; CODE XREF: IsApiPatched+1C.j
        pop    edi
        pop    esi
        pop    ebp
        pop    ebx
        retn    8                      ; callee cleans arg_0 and arg_4
IsApiPatched    endp

; ---------------------------------------------------------------------------


PoC source code and screenshots of disabling the Rapport self-check and of PayPal and Hotmail password grabbing are included below:
# PoC sources: rapport_mem_selfcheck_bypass.zip
# screenshots: trusteer_password_grabbing_screenshots.zip
# video demo: trusteer_password_grabbing_video.avi
 		 	   		  

Download attachment "trusteer_password_grabbing_screenshots.zip" of type "application/zip" (399834 bytes)

Download attachment "trusteer_password_grabbing_video.zip" of type "application/zip" (4816340 bytes)

Download attachment "rapport_mem_selfcheck_bypass.zip" of type "application/zip" (99326 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
