Full Disclosure mailing list archives
Re: Firefox Addon: KeyScrambler
From: mrx <mrx () propergander org uk>
Date: Thu, 09 Dec 2010 20:20:53 +0000
On 09/12/2010 19:33, Elazar Broad wrote:
> Just lightly scratching the surface, KeyScrambler.sys is signed by GlobalSign, strings reveals nothing interesting other than OpenSSL 0.9.8a is used.
>
> elazar

Yes I noticed the RSA source code references in the disassembly.
Now I am curious if this implementation of OpenSSL is vulnerable to the various CVEs that have been issued against 0.9.8a.

CVE 2007-4995: Off-by one error in DTLS vulnerability
CVE 2007-5135: One byte buffer overflow in the SSL_get_shared_ciphers function
CVE 2007-3108: BN_from_montgomery side-channel attack.

And how it could be exploited if this is the case. I am not skilled enough to know.
However, if I was developing this software I would update it.

Cheers
Dave

> On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault <gary () baribault net> wrote:
>> Call me paranoid, but that sure would be a good way to spread a key logger!
>>
>> Gary B
>>
>> On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>>> Dave,
>>>
>>> That's ok. Glad to have helped out :)
>>>
>>> Cheers,
>>> Chris.
>>>
>>> On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx () propergander org uk> wrote:
>>>> On 09/12/2010 10:26, Christian Sciberras wrote:
>>>>>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.
>>>>>> I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.
>>>>>
>>>>> Alternatively, you can just decompress the XPI (it's in fact a zip) and inspect the js files and/or decompress any binaries.
>>>>> I suppose they are distributing some form of driver, so you'd find IDA/ollydbg useful.
>>>>>
>>>>> Chris.
>>>>
>>>> I extracted the files (various .js files and an exe) from the xpi.
>>>> The .js files version check and create an instance of keyscrambler.sys with the current firefox window passed to it as an argument.
>>>>
>>>> I also extracted the contents of the executable; setup.exe.
>>>> Setup.exe contained various dll's and one sys file. I presumed this sys file; keyscrambler.sys, is the driver and main component of this addon.
>>>>
>>>> To confirm I monitored the running of setup.exe.
>>>> My presumption was correct keyscrambler.sys is installed in system32 folder and is registered as an autostarting service, although it is hidden from the services pane in computer management.
>>>>
>>>> This is where my "skills" bottom out. ASM is something I have not yet got my head around.
>>>> I have a clue, but that's about all I do have... in time ;-)
>>>>
>>>> Thanks for your advice and input
>>>>
>>>> regards
>>>> Dave
>>>>
>>>>> On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx () propergander org uk> wrote:
>>>>>> On 08/12/2010 11:30, Tim Gurney wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> This seems to contradict itself somewhat. A plugin to firefox should have no way to encrypt things at a driver level within the kernel, that would require installing separate software at the root level, a plugin should not be able to do this and I would be VERY worried and surprised if it could as it would mean bypassing the security of the OS.
>>>>>>
>>>>>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.
>>>>>> I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.
>>>>>>
>>>>>> I am not a professional, I do this kind of research as a hobby and for educational purposes, when I have some free time.
>>>>>>
>>>>>>> Also if the driver is encrypting the key strokes and the plugin is decrypting, what about all the keystrokes that are not in firefox, like email, word processing, programming, there is nothing to decrypt these so you would end up only ever being able to use firefox on the machine and nothing else ever again.
>>>>>>
>>>>>> The devs do state that it only encrypts keystrokes in Firefox and not other applications, although they do sell a version that supposedly works "in over 160 browsers and applications".
>>>>>>
>>>>>>> personally I would not touch this with a barge pole and I would do a lot more digging and checking into this.
>>>>>>
>>>>>> Yes, I am sceptical of claims, hence the post to this list.
>>>>>>
>>>>>>> regards
>>>>>>> Tim
>>>>>>
>>>>>> Thanks for your input
>>>>>> Dave.
>>>>>>
>>>>>>> On 08/12/10 11:12, mrx wrote:
>>>>>>>> Hi list,
>>>>>>>>
>>>>>>>> Is anyone familiar with the firefox addon KeyScrambler? According to developers this encrypts keystrokes.
>>>>>>>>
>>>>>>>> Quote:
>>>>>>>> "How KeyScrambler Works:
>>>>>>>> When you type on your keyboard, the keys travel along a path within the operating system before it arrives at your browser. Keyloggers plant themselves along this path and observe and record your keystrokes. The collected information is then sent to the criminals who will use it to steal from you.
>>>>>>>>
>>>>>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable."
>>>>>>>>
>>>>>>>> Can this be trusted? As in trusted I mean not bypassed.
>>>>>>>>
>>>>>>>> Input from the professionals on this list would be much appreciated.
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>> regards
>>>>>>>> Dave

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
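The triage steps discussed in this thread (unzip the XPI, identify bundled binaries, look for an embedded OpenSSL version string), sketched as an added example that is not part of the original messages. The sample package, its file names and the nested-zip layout are constructed assumptions, not the real KeyScrambler add-on.

```python
import hashlib
import io
import re
import zipfile

# OpenSSL builds embed a version banner of the form "OpenSSL <version> <date>".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
MAX_MEMBER = 64 * 1024 * 1024   # skip members declared larger than this
MAX_DEPTH = 3                   # stop recursing into nested archives

def classify(blob):
    if blob[:2] == b"MZ":
        return "pe"             # Windows executable, DLL or .sys driver
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    return "other"

def triage_archive(data, prefix="", depth=0):
    """One record per file in an XPI/zip: type, SHA-256, OpenSSL banners."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            blob = zf.read(info)
            kind = classify(blob)
            found = {m.decode() for m in OPENSSL_BANNER.findall(blob)}
            records.append({"path": prefix + info.filename, "kind": kind,
                            "sha256": hashlib.sha256(blob).hexdigest(),
                            "openssl": sorted(found)})
            if kind == "zip" and depth < MAX_DEPTH:
                records += triage_archive(blob, prefix + info.filename + "!", depth + 1)
    return records

def build_sample_xpi():
    """Constructed stand-in package; not the real KeyScrambler XPI."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("driver.sys", b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 0.9.8a 11 Oct 2005\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("chrome/content/overlay.js", "// version check\n")
        z.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for rec in triage_archive(build_sample_xpi()):
        print(rec["kind"], rec["path"], rec["sha256"][:12], rec["openssl"])
```

A reported version string only says which library release was linked in; whether a given advisory applies still depends on which code paths the binary actually uses.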
Current thread:
- Re: Firefox Addon: KeyScrambler, (continued)
- Re: Firefox Addon: KeyScrambler mrx (Dec 08)
- Re: Firefox Addon: KeyScrambler Tim Gurney (Dec 08)
- Re: Firefox Addon: KeyScrambler mrx (Dec 09)
- Re: Firefox Addon: KeyScrambler Christian Sciberras (Dec 09)
- Re: Firefox Addon: KeyScrambler mrx (Dec 09)
- Re: Firefox Addon: KeyScrambler Christian Sciberras (Dec 09)
- Re: Firefox Addon: KeyScrambler Gary Baribault (Dec 09)
- Re: Firefox Addon: KeyScrambler mrx (Dec 09)
- Re: Firefox Addon: KeyScrambler mrx (Dec 09)
- Re: Firefox Addon: KeyScrambler mrx (Dec 09)