Bypassing TPM-based Bitlocker

Attack on Windows authentication mechanism

At the recent BlackHat Europe conference (November 10 – 13, Amsterdam) a security researcher called Ian Haken presented a very interesting, simple yet powerful attack allowing to bypass Windows (Kerberos) authentication on machines being part of  a Domain.

The attack in itself allows someone – having physical access to the Windows workstation or laptop – to log into the system by resetting the password of a domain account. For that the attacker will just need to setup a rogue Domain Controller and configure it to declare the target account as expired. Indeed Haken identified a loophole in the mechanism which allows an attacker to force the local update of the cached Domain credentials despite the Kerberos KDC failing to prove it’s identity to the target workstation.

The whole attack, whose details are well explained in Ian Haken’s paper, can be setup using common open-source software and very simple configuration steps.

By itself, this would not be a significant breakthrough as other means of achieving similar results are widely known (e.g. by booting the machine on a live system and tampering with the system). This attack however becomes very interesting when applied to systems using Microsoft Bitlocker for full-disk encryption and configured for using the machine’s TPM (without PIN or USB key) in order to avoid explicit pre-boot authentication.

In this context, the encryption keys are automatically retrieved by the Windows bootloader from the TPM without any user (or attacker) input in order to provide a transparent Windows boot. In this scenario, the whole security of the (encrypted) data on the system falls back on the Windows login mechanism as any user being capable of logging into the system would (transparently) have access to all or part of the local data (depending on the user privileges).

Obviously in this context, Haken’s attacks turns out into a way of bypassing Bitlocker encryption in order to have access to the (encrypted) system and data.

Mitigation

A security bulletin (and corresponding patch) has been issued by Microsoft : MS15-122.

According to Microsoft, “the update addresses the bypass by adding an additional authentication check that will run prior to a password change.”

Recommendations

Microsoft’s security bulletin is rated as Important which does not correspond to the highest severity level. However, as the attack targets a common Bitlocker configuration (actually Microsoft does not generally recommend the use of pre-boot authentication) this attacks appears as very easy to implement against stolen or lost laptops with potentially critical consequences in terms of data confidentiality.

For that reason SCRT heavily recommends this patch to be applied as quickly as possible on affected systems, taking care not to neglect mobile systems that may be used by employees “on the field” or “on the road” and that may not be subject to frequent system updates (e.g. because they are often out of reach from standard company’s infrastructure and update workflow).

SCRT Security Day 2015

secDay_banner

Jeudi 17 septembre
09:00 – 17:00
Hôtel Best Western à Chavannes-de-Bogis

PROGRAMME

09:00 – 09:30      Accueil & Petit déjeuner
09:30 – 10:00      Introduction par SCRT
10:00 – 10:45      Tenable : From vulnerability management to continuous network monitoring
10:45 – 11:00      Pause
11:00 – 11:45      HP TippingPoint : HP TippingPoint Advanced Threat Appliance (ATA) solution.
11:45 – 12:30      Fortinet : Internal Segmentation Firewall
12:30 – 13:45      LUNCH
13:45 – 14:30      Varonis : La gouvernance des données à l’aide des solution Varonis
14:30 – 15:15      Splunk : Introducing Splunk; SIEM VS Security Intelligence
15:15 – 15:30      Pause
15:30 – 16:15      Entrust : Entrust eliminating the password in the enterprise
16:15                   APÉRITIF

INSCRIPTIONS

Le nombre de places étant limité, nous vous remercions de bien vouloir confirmer votre présence via le lien suivant : https://www.eventbrite.fr/e/billets-scrt-security-day-2015-17305044855 avant le 7 septembre 2015.

Defcon 2015 résolution heapsoffun

La semaine dernière, plusieurs ingénieurs de SCRT ont participé aux qualifications du CTF Defcon avec l’équipe 0daysober, qui a terminée 10ème et se qualifie donc pour la finale ! Ce post décrit deux des épreuves résolues, knockedup et heapsoffun.

Heapsoffun

If you have been knockedup then you know what to do. Perhaps try "tirer"
sha1sum heapsoffun 5ee5b2cde811e617cd789c73c1d8d2d9e8b27c36
Yes we know the flag is owned by root.

Un challenge pwnable de 4 points faisable après knockedup.

tldr; un challenge de reverse de 1 point permettant d’ouvrir 2 ports en fonction d’une séquence de paquets envoyée sur des ports UDP.

Continue reading Defcon 2015 résolution heapsoffun

Insomni’hack finals – CTF results

Here is the final scoreboard for Insomni’hack 2015!
Congratz to Dragon Sector for winning again this year!

1 Dragon Sector 6035
2 StratumAuhuur 5725
3 int3pids 4800
4 KITCTF 4135
5 0x8F 4105
6 dcua 3255
7 penthackon 3135
8 mushdoom 2660
9 BullShitsecurity 2350
10 RGB 2070
11 13NRV 2060
12 Porc Scanner 2020
13 sec-cured 1780
14 OWE 1645
15 FIXME 1590
16 N05L33P 1515
17 pycured 1470
18 HacKazaar 1265
19 UndefinedBehavior 1265
20 Samurai 1265
21 SeBC 1235
22 Old legends 1230
23 pinkBull 1230
24 waspo 1205
25 Barbah4ck3R2D2 1165
26 H314 1105
27 /dev/null 1055
28 pilons-de-poulet 1030
29 cr4zyg04t0verfl0w 920
30 pic0wn 870
31 NoPwnNoCookie 860
32 […] 845
33 /null/uppercase 810
34 EpsiH4ck 790
35 Soft qui peut 785
36 /null/lowercase 635
37 hard 615
38 C8H10N4O2 480
39 sh0tnb33r 470
40 BlackFox 430
41 KAOS 430
42 unlockedwheel 365
43 vuk 365
44 Epic Hack Battelle 350
45 whoaim 350
46 0x90 310
47 /dev/lowercase 190
48 V3sth4cks153 190
49 eint0 175
50 morb{H}ack 175
51 The_iNeXplication 175
52 theciso 55
53 test 55
54 seultout 55
55 SnakeFeet 55
56  <h1>si 55

The scores have been sent to CTFtime.
Below are some quick stats on the number of solves for each task:

Exploit:
mastermind 9
smtpwn 5
Sql inject flow 2
The Firm(ware) 0
Jurassic Sparc 0
SH1TTY 0
Forensic:
ZoomIn 43
Lost In Memories 26
Elysium ropchain analysis 1
Hardware:
1-2-3-4 3
Mobile:
iBadMovie Season 1 40
iBadMovie Season 2 20
InsomniDroid Phase 1 0
InsomniDroid Phase 2 0
Network:
TimeToLeak 10
Hollywood network 0
Reversing:
Swordfish 43
Swordfish_passwd 12
Shellcoding:
blue pill 8
tldr 6
Web:
n00bs gonna win! 56
Smell of the lamp 32
Hacker News 30
Serial Hackers 19
Smelly lamp got makeup 4
Hacker Idol 2
Jack the clicker 1
Hack like it’s 1999! 0

As you can see a few tasks were not solved during the CTF, so we will try to publish some writeups to explain our solutions, stay tuned!