On 09/12/2010 19:33, Elazar Broad wrote:
> Just lightly scratching the surface, KeyScrambler.sys is signed by
> GlobalSign, strings reveals nothing interesting other than OpenSSL
> 0.9.8a is used.
>
> elazar

Yes I noticed the RSA source code references in the disassembly.

Now I am curious if this implementation of OpenSSL is vulnerable to the various CVEs that have been issued against 0.9.8a.

CVE-2007-4995: Off-by-one error in DTLS vulnerability
CVE-2007-5135: One byte buffer overflow in the SSL_get_shared_ciphers function
CVE-2007-3108: BN_from_montgomery side-channel attack.

And how it could be exploited if this is the case. I am not skilled enough to know.
However, if I was developing this software I would update it.

Cheers
Dave

> On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault
> <[email protected]> wrote:
>> Call me paranoid, but that sure would be a good way to spread a
>> key logger!
>
>> Gary B
>
>> On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>>> Dave,
>>>
>>> That's ok. Glad to have helped out :)
>>>
>>> Cheers,
>>> Chris.
>>>
>>> On Thu, Dec 9, 2010 at 1:07 PM, mrx <[email protected] <mailto:[email protected]>> wrote:
>>>
>>> On 09/12/2010 10:26, Christian Sciberras wrote:
>>>>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>>>>> environment and it is incompatible.
>>>>> I may wait for an update to the plugin and analyse its behaviour,
>>>>> providing my curiosity doesn't wane in the meantime.
>>>
>>>> Alternatively, you can just decompress the XPI (it's in fact a zip) and
>>>> inspect the js files and/or decompress any binaries.
>>>> I suppose they are distributing some form of driver, so you'd find
>>>> IDA/ollydbg useful.
>>>
>>>> Chris.
>>>
>>> I extracted the files (various .js files and an exe) from the xpi.
>>> The .js files version check and create an instance of keyscrambler.sys
>>> with the current firefox window passed to it as an argument.
>>>
>>> I also extracted the contents of the executable; setup.exe.
>>> Setup.exe contained various DLLs and one sys file. I presumed this
>>> sys file; keyscrambler.sys, is the driver and main component of this
>>> addon.
>>> To confirm I monitored the running of setup.exe.
>>>
>>> My presumption was correct keyscrambler.sys is installed in system32
>>> folder and is registered as an autostarting service, although it is hidden
>>> from the services pane in computer management.
>>>
>>> This is where my "skills" bottom out. ASM is something I have not yet
>>> got my head around.
>>> I have a clue, but that's about all I do have... in time ;-)
>>>
>>> Thanks for your advice and input
>>> regards
>>> Dave
>>>
>>>> On Thu, Dec 9, 2010 at 11:23 AM, mrx <[email protected] <mailto:[email protected]>> wrote:
>>>
>>>> On 08/12/2010 11:30, Tim Gurney wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> This seems to contradict itself somewhat. A plugin to firefox should
>>>>>>> have no way to encrypt things at a driver level within the kernel, that
>>>>>>> would require installing separate software at the root level, a plugin
>>>>>>> should not be able to do this and I would be VERY worried and surprised
>>>>>>> if it could as it would mean bypassing the security of the OS.
>>>
>>>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>>>> environment and it is incompatible.
>>>> I may wait for an update to the plugin and analyse its behaviour, providing
>>>> my curiosity doesn't wane in the meantime.
>>>
>>>> I am not a professional, I do this kind of research as a hobby and for
>>>> educational purposes, when I have some free time.
>>>
>>>>>>> Also if the driver is encrypting the key strokes and the plugin is
>>>>>>> decrypting, what about all the keystrokes that are not in firefox, like
>>>>>>> email, word processing, programming, there is nothing to decrypt these
>>>>>>> so you would end up only ever being able to use firefox on the machine
>>>>>>> and nothing else ever again.
>>>
>>>> The devs do state that it only encrypts keystrokes in Firefox and not other
>>>> applications, although they do sell a version that supposedly works
>>>> "in over 160 browsers and applications".
>>>>>>>
>>>>>>> personally I would not touch this with a barge pole and I would do a lot
>>>>>>> more digging and checking into this.
>>>
>>>> Yes, I am sceptical of claims, hence the post to this list.
>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Tim
>>>
>>>> Thanks for your input
>>>> Dave.
>>>
>>>>>>>
>>>>>>> On 08/12/10 11:12, mrx wrote:
>>>>>>>> Hi list,
>>>>>>>
>>>>>>>> Is anyone familiar with the firefox addon KeyScrambler? According to
>>>>>>>> developers this encrypts keystrokes.
>>>>>>>
>>>>>>>> Quote:
>>>>>>>> "How KeyScrambler Works:
>>>>>>>> When you type on your keyboard, the keys travel along a path within the
>>>>>>>> operating system before it arrives at your browser. Keyloggers plant
>>>>>>>> themselves along this path and observe and record your keystrokes. The
>>>>>>>> collected information is then sent to the criminals who will use it to
>>>>>>>> steal from you.
>>>>>>>
>>>>>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the
>>>>>>>> keyboard driver level, deep within the operating system. When the encrypted
>>>>>>>> keystrokes reach your browser, KeyScrambler then decrypts them so you
>>>>>>>> see exactly the keys you've typed. Keyloggers can only record the
>>>>>>>> encrypted keys, which are completely indecipherable."
>>>>>>>
>>>>>>>> Can this be trusted? As in trusted I mean not bypassed.
>>>>>>>
>>>>>>>> Input from the professionals on this list would be much appreciated.
>>>>>>>
>>>>>>>> Thank you
>>>>>>>> regards
>>>>>>>> Dave
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/

--
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
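
Added example, not part of the original thread: the inspection steps discussed above (an XPI is a zip, look at the binaries inside, run strings for an OpenSSL version) written as one Python pass that lists native (MZ-header) members and any OpenSSL version banner they embed. The function names, the size cap and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Version banner OpenSSL compiles into binaries, e.g. "OpenSSL 0.9.8a 11 Oct 2005".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
MAX_BYTES = 64 * 1024 * 1024  # assumed cap so a hostile archive cannot exhaust memory


def scan_archive(data, prefix="", depth=0, max_depth=3):
    """Return [(member path, sorted OpenSSL versions)] for every MZ-header member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_BYTES:
                continue
            blob = archive.read(info)
            path = prefix + info.filename
            if blob.startswith(ZIP_MAGIC) and depth < max_depth:
                # Nested archive (for example a jar inside the XPI): recurse.
                findings += scan_archive(blob, path + "!", depth + 1, max_depth)
            elif blob.startswith(PE_MAGIC):
                versions = sorted({m.group(1).decode() for m in BANNER.finditer(blob)})
                findings.append((path, versions))
    return findings


def build_sample_xpi():
    """Constructed sample: a small XPI with a script, a bare stub and a nested jar."""
    fake_pe = b"MZ" + b"\x00" * 64 + b"OpenSSL 0.9.8a 11 Oct 2005\x00" + b"\x00" * 16
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("components/helper.dll", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("chrome/content/overlay.js", "// version check\n")
        z.writestr("setup.exe", b"MZ" + b"\x90" * 32)
        z.writestr("platform/native.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, versions in scan_archive(build_sample_xpi()):
        print(f"{path:45} OpenSSL: {', '.join(versions) or 'no banner found'}")
```

An installer that compresses its payload hides the banner from a raw byte scan until it is unpacked, so "no banner found" on a setup executable is not evidence that no OpenSSL code is present.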
