Bugtraq mailing list archives
RE: Trusteer Rapport Security Circumvention
From: "Amit Klein" <amit.klein () trusteer com>
Date: Wed, 17 Feb 2010 03:46:13 -0500
Hello BugTraq,

Andrew Barkley of Computer Sciences Corporation contacted us with this around the same time it was posted to BugTraq. Since then we've fixed the issue and are now completing the QA cycle with the intention of releasing this fix 12 hours after learning about the problem.

Best,
-Amit

Amit Klein, CTO, Trusteer
-----Original Message-----
From: barkley () usa net [mailto:barkley () usa net]
Sent: Tuesday, February 16, 2010 12:58
To: bugtraq () securityfocus com
Subject: Trusteer Rapport Security Circumvention

Hi,

Trusteer is innovative software to combat fraud, thus its global uptake in the financial sector. Trusteer also seems quite adamant that their software is bullet-proof; their website pretty much sums it up. However, on having a closer look and some tinkering, I discovered a complete no-brainer vector for circumventing Trusteer's security. I've tested this on various XP platforms successfully. Please feel free to notify the vendor as you wish and/or to publish whatever you feel appropriate under the circumstances.

http://www.trusteer.com/solutions
http://www.trusteer.com/product-0
http://www.trusteer.com/product/technology

"Trusteer Rapport locks down your browser once you connect to a sensitive website such as your bank. Any malicious software that tries to ride on the browser is left out of the locked down browser, and cannot access your sensitive information and transactions. Rapport also locks down communication between your browser and the bank, preventing any network-based attack from diverting traffic to fraudulent locations."

The following illustrates how malware, on entering a system by whichever means and on detecting Trusteer's services, can easily (automated/scripted) disable Trusteer's security for whatever malevolent purposes.

Step-by-step illustration of how to easily circumvent Trusteer's security.

Firstly, disable Trusteer's service (RapportMgmtService.exe) in your active Hardware Profile. Trusteer doesn't protect this option, thus this is a good starting point for now. i.e.

    [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
    "CSConfigFlags"=dword:00000001

NOTE: This in fact disables Trusteer's service (RapportMgmtService.exe) in the Services.msc GUI, i.e. Services.msc > "Rapport Management Service" > "Log On" > "Hardware Profile" > "Disabled".

On the very next reboot (at least one reboot is required to disable the kernel driver, RapportPG.sys), Trusteer's service (RapportMgmtService.exe) should now be inactive/disabled, and thus you'll be able to rename Trusteer's now unprotected folders. i.e. Command Prompt:

    C:\> cd \"Program Files"
    C:\> rename Trusteer TrusBeer

NOTE: At this point the web browser's not protected by Trusteer, nor are Trusteer's software & system settings protected, thus pretty much open to your imagination.

The following step is not required, especially seeing as Trusteer's service (RapportMgmtService.exe) was disabled previously in the active Hardware Profile. However, should you also wish to reconfigure Trusteer's now unprotected drivers & services to start manually, or even disable/delete them completely, you may or may not have to reboot one more time, as the following step may need another reboot to take advantage of the unprotected folders renamed in the previous step. i.e. Command Prompt:

    C:\> sc config RapportMgmtService start= demand
    C:\> sc config RapportPG start= demand

Should you wish to cover your tracks (you'll also have to clear event logs), rename Trusteer's home folder back to the original and restore the Hardware Profile registry entry. i.e.

    [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
    "CSConfigFlags"=dword:00000000

i.e. Command Prompt:

    C:\> cd \"Program Files"
    C:\> rename TrusBeer Trusteer

Cheers

Andrew Barkley
(-_-)
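The weakness in the thread above is that the service's hardware-profile disable flag (CSConfigFlags under HKEY_CURRENT_CONFIG) and its install folder sat outside the product's self-protection. The following PowerShell audit script is an added example for defenders, not code from either poster or from Trusteer: it reads that registry value, the service/driver start mode and state, and the presence of the install folder, and reports each deviation from the expected protected state. It changes nothing. The service names (RapportMgmtService, RapportPG) and the "Trusteer" folder under Program Files come from the post; the assumption that the protected state is "Auto/Boot/System start, Running, folder present, CSConfigFlags bit 0 clear" is mine, as is the use of Get-CimInstance (PowerShell 3 or later). On Windows versions that no longer expose a hardware-profile Enum key, the flag reads as "no entry", which the script reports rather than treating as tampering.

```powershell
# Added example (not part of the thread): audit a protective service for the
# hardware-profile disable flag and folder rename described in the post.
# Read-only: it queries the registry, CIM and the file system and changes nothing.
param(
    [string[]]$ServiceNames = @('RapportMgmtService', 'RapportPG'),   # names from the post
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'Trusteer')    # assumed install path
)

function Get-HardwareProfileDisableFlag {
    param([string]$ServiceName)
    # Legacy service enumeration key under the *current* hardware profile, as used in the post.
    # Bit 0 of CSConfigFlags (CSCONFIGFLAG_DISABLE) disables the service in this profile.
    $key = "Registry::HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_$($ServiceName.ToUpper())\0000"
    if (-not (Test-Path -Path $key)) { return $null }          # no entry: nothing to evaluate
    $item = Get-ItemProperty -Path $key -Name CSConfigFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }                          # key present, value absent: not disabled
    return [int]$item.CSConfigFlags
}

function Get-ServiceOrDriver {
    param([string]$ServiceName)
    # RapportMgmtService is a user-mode service; RapportPG is a kernel driver, so try both classes.
    $obj = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $obj) {
        $obj = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    }
    return $obj
}

function Test-ProtectedService {
    param([string]$ServiceName)
    $svc   = Get-ServiceOrDriver -ServiceName $ServiceName
    $flags = Get-HardwareProfileDisableFlag -ServiceName $ServiceName
    $findings = @()
    if (-not $svc) {
        $findings += 'not installed (deleted or never present)'
    } else {
        if ($svc.StartMode -notin @('Auto', 'Boot', 'System')) { $findings += "start mode is '$($svc.StartMode)' (expected automatic)" }
        if ($svc.State -ne 'Running')                          { $findings += "state is '$($svc.State)'" }
    }
    if ($null -ne $flags -and ($flags -band 1) -ne 0) {
        $findings += "disabled in current hardware profile (CSConfigFlags=0x$('{0:X8}' -f $flags))"
    }
    [pscustomobject]@{
        Service          = $ServiceName
        StartMode        = if ($svc) { $svc.StartMode } else { 'n/a' }
        State            = if ($svc) { $svc.State }     else { 'n/a' }
        CSConfigFlags    = if ($null -eq $flags) { 'no entry' } else { $flags }
        Findings         = $findings
    }
}

# Run the checks and print a compact report; a non-empty Findings list means
# the protected state has been altered in one of the ways the post describes.
$results = foreach ($name in $ServiceNames) { Test-ProtectedService -ServiceName $name }
$results | Format-Table -AutoSize Service, StartMode, State, CSConfigFlags, @{n='Findings'; e={ $_.Findings -join '; ' }}

if (-not (Test-Path -Path $InstallDir -PathType Container)) {
    Write-Warning "Install folder '$InstallDir' is missing: possibly renamed, as in the post."
}
```

Because the post's final step restores both the registry value and the folder name, a point-in-time audit like this can come back clean after the fact; run it on a schedule or from a scheduled task at boot, keep the output off-box, and pair it with alerting on Security-log clears (event 1102 on Windows Vista and later), since the post notes that covering tracks also requires clearing the event logs.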
Current thread:
- Trusteer Rapport Security Circumvention barkley (Feb 16)
- RE: Trusteer Rapport Security Circumvention Amit Klein (Feb 18)