SEC Consult Vulnerability Lab Security Advisory < 20160831-0 > ======================================================================= title: Manipulation of pre-boot authentication product: CryptWare CryptoPro Secure Disk for Bitlocker vulnerable version: 5.1.0.6474 fixed version: 5.2.1 CVE number: - impact: critical homepage: http://www.cryptware.eu found: 2016-06-30 by: R. Freingruber (Office Vienna) M. von Dach (Office Zurich) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "CryptoPro Secure Disk for BitLocker enhances the functionality of Microsoft BitLocker to have an own PreBoot Authentification (PBA) and enables BitLocker to use established and existing authentication methods like UID/Password and Smartcard/PIN. The encryption of the hard disk, as well as the recovery mechanism are realized with Microsoft BitLocker while the user Authentication and Help-Desk mechanism are handled by CryptoPro Secure Disk for Bitlocker. This ideal combination of both technologies allows customers to establish an ease of use and cost effective solution, even without have to use TPM authentication and administration. Our centralized encryption management with different roles of administration and multi-client-capability delivers new opportunities for customers and third party service providers." Source: http://files.cryptware.eu/200000369-9fec6a1e00/CryptWare_Datenblatt_Secure_Disk_for_BitLocker_EN.pdf Business recommendation: ------------------------ By using the vulnerabilities documented in this advisory an attacker can attack the boot process and backdoor the system to steal login credentials, the private 802.1x certificate and the associated password. SEC Consult recommends not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Terminal access not blocked at login mask After installing CryptoPro Secure Disk an additional partition (ext3) is added to the system. This partition contains a small linux operating system and gets directly started after booting the system (before bitlocker code gets executed). Via an init script the login application is started. An attacker can use a keyboard shortcut to open the first terminal. This spawns an invisible root shell for the attacker (commands can be executed, however, the output is not directly visible). The other terminals (terminal two to six) are blocked via commands inside the /etc/inittab file. The associated line for terminal one is uncommented and therefore not active. 2) Inadequate software manipulation verification After starting the system the following application gets started: /usr/SUPERSHEEP/bin/app_launcher -a ./ss_gui The app_launcher application carries out checks and finally starts the graphical user interface with the login mask (ss_gui). These checks first verify the hashsum of the file /usr/SUPERSHEEP/bin/verify_checksums.sh and afterwards execute the script. The script calculates the hashsum of nearly all files on the system and compares them with a preconfigured list (which is stored inside an encrypted block special file). If the hash of the script is wrong or the script reports invalid hashes, the boot process is stopped and an error is displayed to the user. The script contains a design / logical error which allows an attacker to bypass the hash verification. By exploiting this flaw an attacker can modify all files on the system (e.g. add a backdoor). Proof of concept: ----------------- 1) Terminal access not blocked at login mask An attacker can use the keyboard shortcut ctrl+alt+f1 to open an invisible root shell. A simple proof-of-concept is to type the command "reboot". This results in a beep-sound and a reboot of the system. Another proof-of-concept is that an attacker connects the victim system with a DHCP server to assign an IP address and then start the following command: /usr/bin/netcat -lvvp 8197 -e /bin/sh This command must be typed with a german keyboard layout. It binds a root shell to the port 8197. Afterwards the attacker can connect to port 8197 to issue commands and receive the output of it. 2) Inadequate software manipulation verification The script /usr/SUPERSHEEP/bin/verify_checksums.sh executes the following command to calculate the number of files with invalid hashes: /tmp/sha256sum -c $CS_FILE > $CS_FILE.out Later the wc (word count) utility is used to count the number of errors. This is done by the following code: NUM_FAILED=`wc -l $CS_FILE.error | cut -d " " -f 1` The script uses the wc program and expects that wc was not modified and the output of it is correct. However, an attacker can modify it to always return zero which means that zero errors where found. The problem is that the script verify_checksums.sh verifies the hashsum of the wc utility but during verification it already uses this utilitiy for this verification check. For a proof-of-concept the wc file was replaced with the following content: #!/bin/sh echo a0 xa exit 0 After that all scripts and binaries can be modified. For example, the following script from CryptoPro Secure Disk can be used to backdoor the system to save private keys (802.1x) together with the associated password: /usr/SUPERSHEEP/extract_certificates.sh Vulnerable / tested versions: ----------------------------- The version 5.1.0.6474 was found to be vulnerable which was the latest version at the time of discovery. Vendor contact timeline: ------------------------ 2016-08-01: Contacting vendor through support@cryptware.eu 2016-08-02: CryptWare was able to reproduce the vulnerabilities 2016-08-10: Release of CryptoPro Secure Disk 5.2.1 which according to the vendor fixes the vulnerabilities. 2016-08-31: Coordinated release of security advisory Solution: --------- Upgrade to CryptoPro Secure Disk 5.2.1. The patch is provided by the vendor directly. Workaround: ----------- None Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF R. Freingruber / @2016