Name: DataArmor Full Disk Encryption - Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe <[email protected]>
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861
Risk: Critical
Status: Published
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17 January 2012
Reported: 17 January 2012
Fixed: 23 January 2012
Published: 30 November 2012
The Mobile Armor DataArmor Full Disk Encryption platform allows users to fully encrypt hard drives utilising centralised security policy management.
An issue exists whereby it is possible for unauthenticated users to break out from the restricted DataArmor environment, providing unrestricted administrative access to the underlying platform and associated configuration files.
This allows users to arbitrarily modify both the platform and associated configuration files. Authentication credentials can then be added and/or generated, providing the ability to escalate privileges and gain full access to data stored on the encrypted partition.
The DataArmor software appears to be running under a restricted Linux X11 environment, configured to grab all keystrokes so that special key combinations which might normally be accepted by a Linux Kernel (such as "reboot" [Ctrl+Alt+Del] or "switch TTY" [Ctrl+Alt+{F1-F12}]) are discarded and not acted upon by the underlying Operating System.
It is possible to bypass this keystroke grabbing (through use of the SysRq key), providing the ability to send special commands directly to the Linux Kernel and break-out from the DataArmor environment into the underlying Linux BusyBox Operating System. This subsequently exposes the running DataArmor environment to full manipulation by any user with physical access to the machine, with the possibility of recovering files or fully decrypting the hard disk by unauthorised users.
Note: The "SysRq" key is usually located near the "Print Screen" key. On some laptops "SysRq" is accessible only by pressing "Fn". In this case the combination is a bit trickier: hold "Alt", hold "Fn", hold "SysRq", release "Fn", press key.
At this stage, it is possible to manipulate the DataArmor environment into performing how we wish, allowing for potential full compromise of the laptop and encrypted data. We can view all current local users and hashes (cat /etc/Source/MAData.xml) for offline password-cracking as well as view and modify the local security policy (cat /etc/Source/PolicyFile.xml). This can however be taken a stage further. In addition to viewing the contents of these files, the DataArmor software re-reads the contents of the files when an authentication attempt is made, allowing a user to modify the files within the XFS /etc partition and have the software act accordingly (this can be useful for acts such as modifying the policy to prevent data erase and lockouts after failed password attempts, or change authentication method to local file containing hashes). The following can be performed after step 13 above, with the DataArmor software fully running.
Note: Whilst the privilege escalation vulnerability has been proven successfully within the test environment, the ability to successfully add users isn't fully tested at this stage due to uncertainties as to the
method of hash generation. This is purely a time restriction limitation due to short-term access to a DataArmor-enabled laptop, and could be successfully overcome with more time to complete reverse engineering efforts.
Alongside fully compromising the running system through modification, the built-in networking capabilities within the Linux BusyBox Operating System mean that all platform files can potentially be moved from the local install to a secondary machine, or vice versa. This allows not only the possibility of extracting the sensitive files for analysis (and potentially cracking) offline in order to gain access to the laptop with existing user credentials, but the ability to transfer files back means that important libraries and executables may be modified on an attacker's machine and then uploaded to the "victim" laptop, potentially fully bypassing the encryption altogether or causing further malicious actions such as logging keystrokes and sending them via network to the attacker in order to capture valid credentials.
An updated version of the software has been released to address these vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx
It is possible to change the configuration parameters whilst the kernel is running by either setting a sysctl parameter (kernel.sysrq = 0) or disabling directly through the /proc filesystem (echo "0" > /proc/sys/kernel/sysrq), however there is a short period of time where the kernel is still vulnerable during the booting process, before the contents of the configuration files are applied.
Due to this small window of vulnerability, the preferred option is to re-compile the Linux Kernel. The SysRq key combination is compiled in to most modern Linux Kernels by default, and to disable this fully, it must be explicitly specified during compilation of the Linux Kernel by modifying the required option (CONFIG_MAGIC_SYSRQ).
Additionally, consideration should be taken to strip down the Linux BusyBox environment in order to remove any potentially unnecessary functionality such as the shell and associated administrative tools (sh, bash, strace, ssh, scp, etc…).
Wikipedia "Magic SysRq Key" - http://en.wikipedia.org/wiki/Magic_SysRq_key
Linux Kernel Documentation - http://kernel.org/doc/Documentation/sysrq.txt
The Linux Documentation Project - http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>