I was under the impression that TrueCrypt installed a boot loader that was responsible for the pretty menu that you usually see when you boot. So to my surprise when I wanted to play around with it….it wasn’t. TrueCrypt actually uses a second stage to display that pretty menu. The traditional boot loader more or less just takes care of loading the second stage which sits compressed on the hard disk, if loading fails it will display some messages and that’s it. Since I still wanted to play around with it and preferably with the version actually sitting on my test machine’s hard disk I decided to dump it. The easiest way was to use Evil Maid, I modified the source slightly to prevent infection, it will still infect though if you omit a second argument :)
Here are the steps if you want to do it yourself:
Retrieve the first 64 sectors, for example with “FTK Imager” if you are under windows
The local directory where the executable patch_tc resides should now contain two files “sectors_backup” and “loader” which is the uncompressed second stage as you can see from a simple strings output:
strings -n 15 loader
No bootable partition found
TrueCrypt Boot Loader 7.1
Keyboard Controls:
[Esc]
Boot Non-Hidden System (Boot Manager)
Skip Authentication (Boot Manager)
[Esc] Cancel
Enter password
for hidden system:
Booting...
BIOS reserved too much memory:
- Upgrade BIOS
- Use a different motherboard model/brand
Warning: Caps Lock is on.
Incorrect password.
If you are sure the password is correct, the key data may be damaged. Boot your
TrueCrypt Rescue Disk and select 'Repair Options' > 'Restore key data'.
Bootable Partitions:
, Partition:
Press 1-9 to select partition:
Your BIOS does not support large drives
due to a bug
- Enable LBA in BIOS
Copying system to hidden volume. To abort, press Esc.
If aborted, copying will have to start from the beginning (if attempted again).
To fix bad sectors: 1) Terminate 2) Encrypt and decrypt sys partition 3) Retry
Remaining:
Copying completed.
Memory corrupted
So this is a *really* old blog post that I wrote a while back when I discovered, or at least so I believed, an XXE bug in the VMware vSphere client. I reported this to the VMware security team but they were not able to reproduce the part where you would use a UNC path to try and steal the credentials of an user. I then got busy and never continued to investigate why they were not able to reproduce it. Since the vSphere client is being replaced by a web client I decided it couldn’t hurt to release this old post, also the likely hood of this being exploited is pretty low.
Curiosity (from Latincuriosus “careful, diligent, curious,” akin to cura “care”) is a quality related to inquisitive thinking such as exploration, investigation, and learning, evident by observation in human and many animal species. (Wikipedia)
As always a driving force behind many discoveries, as well as the recent bug I found in the VMware vSphere client (vvc). Not a very interesting bug, yet a fun journey to approach things from a different perspective. After my last post about a portable virtual lab I wondered what the vvc used as a protocol to communicate with the esxi server and if it could contain any bugs. So this time instead of getting out ollydbg I decided to go for a more high-level approach. Let’s see how I poked around and found the XML External Entity (XXE) (pdf) vulnerability in the vvc.
I first looked in the directory of vvc, just to know the type of files that resided there, here is a screenshot:
Logically the file that drew my attention was the config file of which the following settings also seemed like they would come in handy:
Seems like if we want to tinker with the connection a higher time-out would give us more time and a higher verbosity level of logging could help us during the poking around. Enough looking around at this point let’s get more active.
Zeroization of information is a long standing practices on systems that handle highly sensitive data (usually cryptography systems), yet it’s something that isn’t done very often by most applications on your regular desktop environment. I’ve got no clue why, although I guess that it is because most people assume that if memory is not available anymore to their application it won’t be available to others. This however is a flawed assumption which is eagerly used by investigations that use memory forensics techniques. If you want to see the power of memory forensics take a look at volatility which is an excellent memory forensics framework. Just to give you an idea of how powerful memory forensics can be here is an example taken from the volatility blog:
Taking screenshots from memory files
Like you can see an investigator (or an attacker) is able to pull the complete layout of your windows from a memory dump, isn’t that impressive? So like you are probably guessing by now it should actually be best practice to zero memory before it’s released. In an ideal situation your operating system would take of this for you, but unfortunately it doesn’t. With ideal I mean zero it immediately when the programmer calls the *free*() functions.
Dear OS makers could you implement it by default?
So to try and promote the use of zeroization in regular software I’ve decided to create a few simple wrappers that zero the memory before it’s released. The message to take away here is
*always zero your memory before releasing it*
These wrappers are nothing fancy and as usual can be found on my github.
As said before the wrappers itself are not that interesting, strictly speaking they are not even needed since you can also zero memory yourself before calling a function to free the allocated memory. The important thing to take into account when doing any zeroization of memory is to make sure that the function or technique you use is not optimized away by the compiler. Compilers have a nasty habit of optimizing stuff that you don’t want optimized. It’s however pretty convenient to just call a free function and not having to worry about zeroing the memory yourself. So the first thing I did was having a look at the general concept of memory allocation which is more or less something along the following lines:
Caller requests 100 bytes
Operating system allocates a bit more, say four bytes, so it becomes 104
Operating system stores the size of the requested memory in the extra allocated bytes
Caller gets a memory block of 100 bytes without knowing that it’s actually 104
That sounds simple enough so I decided to start with writing a wrapper for the free() functions to retrieve the size of the block to be free just like the operating system would do it. To my surprise however it wasn’t as easy as it conceptually sounded at first. I started to digging into the malloc() and free() and in my tests it seemed that they are just wrappers for HeapAllocate() and HeapFree(). That didn’t sound to bad at first until I landed in the wonderful world of heap management. If you want a good read on that check out this paper which does a very nice job of explaining it.
This is when I decided to discard the method of trying to retrieve the size of the memory block based on the received pointer and decided to just add a thin layer of “memory size management”. Stupid me though because as you will read later it’s actually dead easy to retrieve the size of a memory block. So I started to write some code that just implemented the conceptual method that I first encountered. This however means I would not only need to wrap the *free*() functions but also the *alloc*() functions. This resulted in the following code for the malloc() and free() functions:
/*
Thanks TheColonial for reminding me of pointer arithmethic and re-educating me on it.
Old unused code, left here in case someone prefers to do it this way.
This code also wrapped the allocater to prepend the size of the allocated memory block.
*/
void *zmalloc( size_t size ){
size_t newsize = (sizeof(size_t) + size);
size_t *newmalloc = 0;
void *originalmalloc = NULL;
originalmalloc = malloc(newsize);
printf("size %i\n",_msize(originalmalloc));
if(originalmalloc == NULL){
return NULL;
}
(*(size_t *)originalmalloc) = size;
newmalloc = (size_t *)originalmalloc;
return (void *)(newmalloc + 1);
}
void zfree(void *memblock){
size_t *newmemblock = NULL;
size_t size = 0;
newmemblock = ((size_t *)memblock)-1;
memcpy_s(&size,sizeof(size_t),newmemblock,sizeof(size_t));
size += sizeof(size_t);
SecureZeroMemory((void *)newmemblock,size);
free((void *)newmemblock);
}
Now as the comment suggested I first failed at properly implementing this since I forgot that when you do pointer arithmetic the size of the destination pointer is used for the operations. So in my first code I ended up with 4*size_t being allocated which is kind of a waste of space. This was all great and so but when I saw the function definition of other memory allocation functions it didn’t really inspire me to continue. So I decided to have one more look at the whole “extract size from memory block pointer” issue.
I often learn a lot of new stuff when working out ideas or playing around, but now I just felt plain stupid see for yourself:
Do you see anything that could be remotely useful? YES most of the memory allocation functions have a size companion that will retrieve the size of the memory block. Which means I go back to only wrapping the free function and reducing the code to:
So this was a fun and interesting path to finally end up with the original idea of just wrapping the free functions. Hope you enjoyed this entry and that after reading this you’ll all be doing zeroing of memory before freeing it :)
DiabloHorn 