[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Trusteer Rapport Security Circumvention

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Trusteer Rapport Security Circumvention
From: barkley@xxxxxxx
Date: Tue, 16 Feb 2010 03:57:59 -0700

Hi,


Trusteer is an innovative software to combat fraud, thus it's global uptake in 
the financial sector. Trusteer also seems quite adamant that their software is 
bullet-proof, their website pretty much sums it up. However, on having a closer 
look and some tinkering, I discovered a complete no brainer vector for 
circumventing Trusteer's security. I've tested this on various XP platforms 
successfuly, please feel free to notify the vendor as you wish and/or to 
publish whatever you feel appropriate under the circumstances.


http://www.trusteer.com/solutions
http://www.trusteer.com/product-0
http://www.trusteer.com/product/technology
Trusteer Rapport locks down your browser once you connect to a sensitive 
website such as your bank. Any malicious software that tries to ride on the 
browser is left out of the locked down browser, and cannot access  your 
sensitive information and transactions. Rapport also locks down communication 
between your browser and the bank, preventing any network-based attack from 
diverting traffic to fraudulent locations.


The following illustrates how malware on entering a system by whichever means, 
and on detecting Trusteer's services, can easily (automated/scripted) disable 
Trusteer's security for whatever malevolent purposes.


Step-by-step illustration, how to easily circumvent Trusteer's security.

Firstly, disable Trusteer's service (RapportMgmtService.exe) in your active 
Hardware Profile. Trusteer doesn't protect this option, thus this is a good 
starting point for now.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000001

NOTE: This in fact disables Trusteer's service (RapportMgmtService.exe) in the 
Services.msc GUI
i.e.
Services.msc > "Rapport Management Service" > "Log On" > "Hardware Profile" > 
"Disabled"


On the very next reboot, at least one reboot is required to disable the kernel 
driver (RapportPG.sys), Trusteer's service (RapportMgmtService.exe) should now 
be inactive/disabled, and thus you'll be able to rename Trusteer's now 
unprotected folders.
i.e. Command Prompt
C:\> cd \"Program Files"
C:\> rename Trusteer TrusBeer

NOTE: At this point the web browser's not protected by Trusteer, nor is 
Trusteer's software & system settings protected, thus pretty much open to your 
imagination.


The following step is not required, especially seeing as Trusteer's service 
(RapportMgmtService.exe) was disabled previously in the active Hardware 
Profile. However, should you also wish to reconfigure Trusteer's now 
unprotected drivers & services to start manually, or even disable/delete 
completely, you may or may not have to reboot one more time, as the following 
step may need another reboot to take advantage of the previously now renamed 
unprotected folders in the previous step.
i.e. Command Prompt
C:\> sc config RapportMgmtService start= demand
C:\> sc config RapportPG start= demand


Should you wish to cover your tracks (you'll also have to clear event logs), 
rename Trusteer's home folder back to the original and restore the Hardware 
Profile registry entry.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\0000]
"CSConfigFlags"=dword:00000000

i.e. Command Prompt
C:\> cd \"Program Files"
C:\> rename TrusBeer Trusteer


Cheers

Andrew Barkley
(-_-)

Follow-Ups:
- RE: Trusteer Rapport Security Circumvention
  - From: Amit Klein

Prev by Date: Huawei HG510 CSRF, Auth Bypass, DoS
Next by Date: Pixel Portal Sql Injection Vulnerability
Previous by thread: Huawei HG510 CSRF, Auth Bypass, DoS
Next by thread: RE: Trusteer Rapport Security Circumvention
Index(es):
- Date
- Thread