Full Disclosure mailing list archives

Re: Firefox Addon: KeyScrambler


From: mrx <mrx () propergander org uk>
Date: Thu, 09 Dec 2010 20:20:53 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2010 19:33, Elazar Broad wrote:
Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.

elazar

Yes I noticed the RSA source code references in the disassembly.

Now I am curious if this implementation of OpenSSL is vulnerable to the various CVEs that have been issued against 0.9.8a.

CVE-2007-4995: Off-by-one error in DTLS vulnerability
CVE-2007-5135: One byte buffer overflow in the SSL_get_shared_ciphers function
CVE-2007-3108: BN_from_montgomery side-channel attack.

And how it could be exploited if this is the case. I am not skilled enough to know.
However, if I was developing this software I would update it.

Cheers
Dave


On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault <gary () baribault net> wrote:
Call me paranoid, but that sure would be a good way to spread a key logger!

Gary B


On 12/09/2010 07:25 AM, Christian Sciberras wrote:
Dave,

That's ok. Glad to have helped out :)

Cheers,
Chris.



On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx () propergander org uk> wrote:

On 09/12/2010 10:26, Christian Sciberras wrote:
I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
environment and it is incompatible.
I may wait for an update to the plugin and analyse its behaviour,
providing my curiosity doesn't wane in the meantime.

Alternatively, you can just decompress the XPI (it's in fact a zip) and
inspect the js files and/or decompress any binaries.
I suppose they are distributing some form of driver, so you'd find
IDA/ollydbg useful.



Chris.


I extracted the files (various .js files and an exe) from the xpi.
The .js files version check and create an instance of keyscrambler.sys
with the current firefox window passed to it as an argument.

I also extracted the contents of the executable; setup.exe.
Setup.exe contained various DLLs and one sys file. I presumed this
sys file; keyscrambler.sys, is the driver and main component of this addon.
To confirm I monitored the running of setup.exe.

My presumption was correct: keyscrambler.sys is installed in system32
folder and is registered as an autostarting service, although it is hidden
from the services pane in computer management.

This is where my "skills" bottom out. ASM is something I have not yet
got my head around.
I have a clue, but that's about all I do have... in time ;-)

Thanks for your advice and input
regards
Dave


On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx () propergander org uk> wrote:

On 08/12/2010 11:30, Tim Gurney wrote:
Hi

This seems to contradict itself somewhat. A plugin to firefox should
have no way to encrypt things at a driver level within the kernel, that
would require installing separate software at the root level, a plugin
should not be able to do this and I would be VERY worried and surprised
if it could as it would mean bypassing the security of the OS.

I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
environment and it is incompatible.
I may wait for an update to the plugin and analyse its behaviour,
providing my curiosity doesn't wane in the meantime.

I am not a professional, I do this kind of research as a hobby and for
educational purposes, when I have some free time.


Also if the driver is encrypting the key strokes and the plugin is
decrypting, what about all the keystrokes that are not in firefox, like
email, word processing, programming, there is nothing to decrypt these
so you would end up only ever being able to use firefox on the machine
and nothing else ever again.

The devs do state that it only encrypts keystrokes in Firefox and not other
applications, although they do sell a version that supposedly works
"in over 160 browsers and applications".

Personally I would not touch this with a barge pole and I would do a lot
more digging and checking into this.

Yes, I am sceptical of claims, hence the post to this list.



regards

Tim


Thanks for your input
Dave.



On 08/12/10 11:12, mrx wrote:
Hi list,

Is anyone familiar with the firefox addon KeyScrambler? According to
developers this encrypts keystrokes.

Quote:
"How KeyScrambler Works:
When you type on your keyboard, the keys travel along a path within the
operating system before it arrives at your browser. Keyloggers plant
themselves along this path and observe and record your keystrokes. The
collected information is then sent to the criminals who will use it to
steal from you.

KeyScrambler defeats keyloggers by encrypting your keystrokes at the
keyboard driver level, deep within the operating system. When the encrypted
keystrokes reach your browser, KeyScrambler then decrypts them so you
see exactly the keys you've typed. Keyloggers can only record the
encrypted keys, which are completely indecipherable."

Can this be trusted? As in trusted I mean not bypassed.

Input from the professionals on this list would be much appreciated.

Thank you
regards
Dave


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
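
The triage steps discussed in this thread (treat the XPI as a zip, list the bundled binaries, look for an OpenSSL version banner in them) can be scripted for software-inventory purposes. The following is an added example, not code from any participant in the thread; the member names, the banner pattern and the sample archive are constructed assumptions.

```python
import io
import re
import zipfile

# Assumed banner shape: "OpenSSL <major>.<minor>.<patch><letter>", e.g. "OpenSSL 0.9.8a".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
BINARY_SUFFIXES = (".exe", ".dll", ".sys")
MAX_MEMBER_SIZE = 64 * 1024 * 1024  # refuse to inflate oversized members


def scan_xpi(xpi_bytes):
    """Return {member name: sorted OpenSSL versions found} for bundled binaries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if not info.filename.lower().endswith(BINARY_SUFFIXES):
                continue  # scripts and manifests are reviewed by reading them
            if info.file_size > MAX_MEMBER_SIZE:
                findings[info.filename] = ["skipped: too large"]
                continue
            data = xpi.read(info)
            versions = {m.group(1).decode("ascii")
                        for m in OPENSSL_BANNER.finditer(data)}
            findings[info.filename] = sorted(versions)
    return findings


def build_sample_xpi():
    """Constructed sample: a tiny XPI with one script and two fake binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome/content/overlay.js", "// constructed placeholder\n")
        z.writestr("components/sample.sys",
                   b"MZ\x90\x00" + b"\x00" * 32
                   + b"RSA part of OpenSSL 0.9.8a (constructed)\x00" + b"\xff" * 16)
        z.writestr("components/helper.dll", b"MZ\x90\x00 no crypto banner here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, versions in scan_xpi(build_sample_xpi()).items():
        print(name, versions or "no OpenSSL banner found")
```

If an installer such as the setup.exe mentioned above compresses its payload, banners inside it will not match until its contents are unpacked, so an empty result is not proof that no OpenSSL code is bundled.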
