Presented at BSides Seattle 2015 on February 20, 2016, this talk discusses vulnerabilities MS15-122 and MS16-014 and how they can be exploited to attack Windows authentication and BitLocker full disk encryption.
See also https://github.com/JackOfMostTrades/bluebox .
12. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 12
Attacks on the TPM
BIOS/EFIBIOS/EFI
MBR and
bootloader
MBR and
bootloader
Operating System
(Encrypted)
Operating System
(Encrypted)
TPM RAM
●
In 2007, Dartmouth researchers were able to
reset the PCR values on a TPM 1.1 chip by using
a wire to ground a particular bus line.
– http://www.cs.dartmouth.edu/~pkilab/sparks/
– http://rdist.root.org/2007/07/16/tpmhardware
attacks/
●
Addressed in version 1.2 of the TPM
specifications (minimum spec required by
BitLocker)
13. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 13
BIOS/EFIBIOS/EFI
MBR and
bootloader
MBR and
bootloader
Operating System
(Encrypted)
Operating System
(Encrypted)
TPM RAM
Attacks on the RAM
●
Cold boot attacks are a known class of attack
where sensitive data can be extracted from the
RAM by hardrebooting into an attacker
controlled OS, or even physically removing the
RAM module and placing it in an attacker
controlled system.
– https://citp.princeton.edu/research/memory/
●
The “TCG Platform Reset Attack Mitigation
Specification” requires the BIOS to overwrite
memory during POST if the operating system
was not shut down cleanly.
14. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 14
Attacks on BIOS/EFI
BIOS/EFIBIOS/EFI
MBR and
bootloader
MBR and
bootloader
Operating System
(Encrypted)
Operating System
(Encrypted)
TPM RAM
●
If the mainboard does not use signed BIOS/EFI
updates, an attacker can load a custom image
which doesn't load the MBR into the PCR.
– Yuriy Bulygin had a proof of concept which defeated
BitLocker specifically at CanSecWest 2013
– https://cansecwest.com/slides/2013/Evil%20Maid
%20Just%20Got%20Angrier.pdf
●
Even if proper signing is in effect, other bugs in
BIOS may still allow an attacker to flash a
malicious and defeat BitLocker in the same way.
– http://www.legbacore.com/News_files/HowManyMillio
nBIOSesWouldYouLikeToInfect_Whitepaper_v1.pdf
15. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 15
Attacks on the MBR/Bootloader
BIOS/EFIBIOS/EFI
MBR and
bootloader
MBR and
bootloader
Operating System
(Encrypted)
Operating System
(Encrypted)
TPM RAM
●
The MBR and NTFS boot sector are very small
and simple. Much easier to verify that there are
no defects here.
●
The initial program loader (IPL) gets more
complex and the Windows Boot Manager
(BOOTMAN) even more so; NTFS drivers, XML
parsers, oh my!
– If there's a memory corruption bug in here, it could
defeat the entire chain of trust...
– But I'm not aware of any defects in this code.
30. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 30
What Now?
●
Recover the BitLocker key
– As long as the domain account is a local admin
– Save a recovery key to your USB drive, or disable
BitLocker entirely.
– Although at this point you already have access to all
the local user files, so it's pretty moot.
●
Just dig through personal data
– Saved passwords, Outlook emails, source code…
●
Drop in a remote access toolkit, or whatever
other malware you like.
39. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 39
How It Works
1) Find an unattended computer.
2) Plug in bluebox to the ethernet port.
3) Log in with the password “a”. When prompted, set
a new password (like “b”).
4) Remove bluebox, login with the new password.
5) Install a RAT or other malware.
6) Leave quietly; later on access the RAT and retrieve
data.
PWR
OK
LKN
FDX
10M
RaspberryPi
48. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 48
Recovering users' passwords
1) Unplug the laptop, wait for the battery to drain
enough for the laptop to automatically
hibernate.
2) Plug it back in, perform the login bypass attack,
copy the HIBERFIL.SYS file from the system.
3) Use WinDbg and mimikatz to extract passwords
from the dump.
– http://woshub.com/howtoextractwindowsuser
passwordsfromhiberfilsys/
59. Ian Haken Attacking Windows Authentication and BitLocker Full Disk Encryption 59
Some Final Thoughts
●
How should you be mitigating these issues?
– Make sure you're uptodate on Windows security patches.
– Where possible, use preboot authentication with BitLocker.
– For online servers, disable credentials caching entirely
where possible.
●
Don't take physical security for granted
– Consider physical security where building your threat model
●
Get these tools, play with them, send pull requests!
– https://github.com/JackOfMostTrades/bluebox
●
Twitter: @ianhaken, Email: ian.haken@synopsys.com