One of several great presentations at this year's DEFCON (DC16) was Jonathan Brossard's (iViZ Technosolutions Research Team) talk entitled "Bypassing pre-boot authentication passwords." It is research like this that gets me to return to DEFCON each year (and I suggest you do the same).
The premise of the presentation is this: it is possible to circumvent or compromise pre-boot passwords such as BIOS passwords and whole- or partial-disk encryption passphrases.
This is possible because of a common lack of knowledge about keyboard functionality, BIOS keyboard interrupt handling and the BIOS keyboard buffer itself. Every time you type a keystroke on a system with a BIOS, the keystroke is stored in clear text in the BIOS keyboard buffer. Since the precise location of this buffer is known, anything that runs afterwards can read its contents in the clear. This would not be an issue if BIOS and pre-boot vendors sanitized the buffer (a simple API call), but apparently this is not always the case.
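To make the defect concrete, here is a small model of the BIOS keyboard ring buffer as an added example (my own code, not from the talk or the original post): the INT 09h and INT 16h behaviour is simplified, scan codes are not modelled, and the offsets follow the standard BIOS Data Area layout. It shows that consuming a keystroke only moves the head pointer, so the typed characters stay in low memory until something scrubs the slots.

```python
# Model of the real-mode BIOS Data Area (segment 0x40) keyboard buffer:
#   0x1A head pointer, 0x1C tail pointer, 0x1E..0x3D sixteen 2-byte slots
#   (ASCII code, scan code). Simplified model, not real BIOS code.
BUF_START, BUF_END = 0x1E, 0x3E


class BiosKeyboardBuffer:
    def __init__(self):
        self.bda = bytearray(0x100)          # the BIOS Data Area, zeroed
        self._set(0x1A, BUF_START)
        self._set(0x1C, BUF_START)

    def _get(self, off):
        return int.from_bytes(self.bda[off:off + 2], "little")

    def _set(self, off, value):
        self.bda[off:off + 2] = value.to_bytes(2, "little")

    def _next(self, ptr):                    # advance one slot, wrapping
        ptr += 2
        return BUF_START if ptr >= BUF_END else ptr

    def int09_keystroke(self, ascii_code, scan_code):
        """INT 09h handler behaviour: store the key at tail if there is room."""
        head, tail = self._get(0x1A), self._get(0x1C)
        nxt = self._next(tail)
        if nxt == head:                      # full: 15 usable of 16 slots
            return False
        self.bda[tail], self.bda[tail + 1] = ascii_code, scan_code
        self._set(0x1C, nxt)
        return True

    def int16_read(self):
        """INT 16h AH=00h behaviour: consume the key at head. Slot bytes stay."""
        head, tail = self._get(0x1A), self._get(0x1C)
        if head == tail:
            return None
        key = (self.bda[head], self.bda[head + 1])
        self._set(0x1A, self._next(head))
        return key

    def residue(self):
        """ASCII bytes still readable in the slots after the keys were consumed."""
        return bytes(b for b in self.bda[BUF_START:BUF_END:2] if b)

    def scrub(self):
        """The vendor-side fix: zero the slots and reset both pointers."""
        self.bda[BUF_START:BUF_END] = bytes(BUF_END - BUF_START)
        self._set(0x1A, BUF_START)
        self._set(0x1C, BUF_START)


def type_and_consume(kb, text):
    """Simulate a pre-boot prompt: keys typed, then read by the password code."""
    for ch in text:
        kb.int09_keystroke(ord(ch), 0)
    while kb.int16_read() is not None:
        pass
```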
At this point the BIOS and/or disk encryption passwords for the system are known. One might think this information is only useful for a second-stage attack where the attacker is local to the system, but Mr. Brossard took his PoC one step further...
Next, Mr. Brossard illustrated how he could remotely reboot and access the system by forcing the previously learned password to be accepted by the pre-boot authentication mechanisms. He accomplished this by temporarily replacing the system's boot-loader with one capable of reprogramming the keyboard's PIC processor to push the keystrokes for us! (Yes, your keyboard has a re-programmable PIC in it... who knew...) Once that was complete, the PoC restored the original boot-loader so the system would boot as desired. Finally, remote access to the system was obtained the same way it was obtained the first time (when the passwords were learned) or through a previously placed backdoor.
As you can see, a chain is only as strong as its weakest link. Extra hardware passwords and disk encryption are great so long as the passwords are not stored in the open (in the clear).
Just back from DefCon 2008, one of the many interesting talks I attended was Kurt Grutzmacher's "Nail the Coffin Shut, NTLM is Dead." It's no secret that NTLM has its share of issues, but most people don't realize just how many applications support NTLM.
The long list of NTLM-enabled apps/hardware includes:
Common attack scenarios for NTLM mentioned in Grutzmacher's talk:
In addition to the aforementioned well-known attacks, Grutzmacher introduced expanded NTLM attacks over HTTP with his new tool Squirtle. What's new in Squirtle is the ability to use proxy servers written in any language to pass user credentials to a corporate resource. The "wow" factor for this talk included the ability to grab NTLM hashes through any attacked web server or SMB share via a simple XSS attack or the addition of an img src tag referring to a malicious server.
The many possible attack scenarios include:
Mitigation:
While not perfect, the best general mitigation is to force NTLMv2 authentication on all systems. On a Windows domain this can typically be done via GPO: http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html.
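Forcing NTLMv2 is only useful if you can verify it, and the img-src trick above works precisely because a browser will answer an NTLM challenge from any host. The following added example (my own code, not Squirtle or anything from the talk) decodes the NTLMSSP AUTHENTICATE (Type 3) message from a proxy log's Authorization header, tells NTLMv1 from NTLMv2 by the length of the NT response, and flags authentication to hosts outside an assumed corporate suffix; the log lines and the messages are constructed for the demo.

```python
import base64
import struct

INTERNAL_SUFFIXES = (".corp.example",)   # assumed corporate DNS suffix


def parse_ntlm_type3(raw):
    """Return (user, domain, version) for an NTLMSSP Type 3 message, else None."""
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 3:
        return None                       # Type 1/2 carry no credentials

    def field(off):                       # Len(u16) MaxLen(u16) Offset(u32)
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, off)
        return raw[offset:offset + length]

    unicode = struct.unpack_from("<I", raw, 60)[0] & 0x1   # NEGOTIATE_UNICODE
    enc = "utf-16-le" if unicode else "ascii"
    nt_resp = field(20)                   # 24 bytes = NTLMv1; HMAC + blob = NTLMv2
    version = "NTLMv2" if len(nt_resp) > 24 else "NTLMv1"
    return field(36).decode(enc), field(28).decode(enc), version


def build_type3(user, domain, nt_len, unicode=True):
    """Constructed Type 3 message for testing; responses are dummy bytes."""
    enc = "utf-16-le" if unicode else "ascii"
    blobs = (b"\x00" * 24, b"\x11" * nt_len, domain.encode(enc),
             user.encode(enc), b"", b"")  # LM, NT, domain, user, wkst, key
    fields, payload = b"", b""
    for blob in blobs:
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    flags = struct.pack("<I", 0x1 if unicode else 0x0)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + flags + payload


def scan(lines):
    """Each line: '<host> <Authorization header value>'. Returns alert tuples."""
    alerts = []
    for line in lines:
        host, auth = line.split(" ", 1)
        scheme, _, token = auth.partition(" ")
        if scheme != "NTLM":
            continue
        parsed = parse_ntlm_type3(base64.b64decode(token))
        if parsed is None:
            continue
        user, domain, version = parsed
        external = not host.endswith(INTERNAL_SUFFIXES)
        if external or version != "NTLMv2":
            alerts.append((host, domain + "\\" + user, version, external))
    return alerts


SAMPLE_LOG = [   # constructed proxy log lines
    "intranet.corp.example NTLM " + base64.b64encode(build_type3("alice", "CORP", 84)).decode(),
    "evil.example NTLM " + base64.b64encode(build_type3("bob", "CORP", 24)).decode(),
]
```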
Squirtle: http://code.google.com/p/squirtle/
While the security community is focusing on malware, patching, 0-day exploits, and other new/emerging attacks some of the most dangerous security threats are often the most simple. As new and improved security tools are introduced, it's easy to lose focus on what should be protected in the first place.
More often than not, the simple fact is we're trying to ensure the integrity of assets and data. Data may consist of customer information, trade secrets, or simply the integrity of an OS. In the last few years, one of the controls introduced to ensure data integrity is the concept of Data Leakage Prevention (DLP). DLP is basically the prevention of data transfer to unauthorized or untrusted locations.
A brilliantly simple method that illustrates the need for DLP is the USB Hacksaw demonstrated by the Hak5 team. Hak5 created a method of using SanDisk U3 technology to automatically WinRAR all documents on USB drives (non-SanDisk drives included) and send the RAR files through stunnel to smtp.gmail.com.
Installation is as easy as plugging in a hacked USB drive, waiting for Windows to recognize the drive, and disconnecting. The net result is that all files on any USB drive subsequently inserted will be neatly compressed and securely sent to a predetermined Gmail account.
It bears mentioning that CSA version 6.0 is among the many products that are adding DLP technology. More information on CSA 6.0 can be found on Cisco's website.
On the web:
Since we've mentioned previous version updates, I'll go ahead and post the latest announcement that Cisco has released updates for the Cisco MARS appliance:
For Gen2 Mars devices: 5.3.5 (2934) (Release Notes) is the upgrade from 5.3.4
For Gen1 Mars devices: 4.3.5 (2838) (Release Notes) is the upgrade from 4.3.4
This is essentially a maintenance release that includes enhanced device support, updates to the IPS signature sets, and bug fixes.
It is extremely important that you only load the associated upgrade for your supported hardware.
As with any new software update, you should make sure you have a valid backup before upgrading. You should also review the product documentation, upgrade instructions and release notes to fully understand the impact of the new version.
Three vulnerabilities have been discovered in the Trillian messaging client. All three have the potential for arbitrary code execution.
CVE-2008-2407 (reserved)
Details
There is a vulnerability involving overly long FONT tag values in Trillian 3.1.05 and prior that results in a buffer overrun.
Mitigating Factors
User must be tricked into opening a malicious image file either over the AIM network or through a direct Trillian connection.
Additional Information
http://www.securityfocus.com/archive/1/492433
http://www.zerodayinitiative.com/advisories/ZDI-08-029/
http://secunia.com/advisories/30336/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2407 (note: This CVE number has been reserved for this vulnerability)
CVE-2008-2408 (reserved)
Details
An error within the XML parsing in talk.dll can be exploited to cause a memory corruption via certain malformed attributes within an 'IMG' tag.
Mitigating Factors
Pending
Additional Information
http://www.securityfocus.com/archive/1/492439
http://www.zerodayinitiative.com/advisories/ZDI-08-030/
http://secunia.com/advisories/30336/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2408 (note: This CVE number has been reserved for this vulnerability)
CVE-2008-2409 (reserved)
Details
Vulnerability exists within the header parsing code for the MSN network. Successful exploitation results in code execution with the account privileges of the Trillian user.
Mitigating Factors
Trillian must be configured for the MSN network. Other mitigating factors are pending vulnerability testing & verification.
Additional Information
http://www.securityfocus.com/archive/1/492442/30/0/threaded
http://www.zerodayinitiative.com/advisories/ZDI-08-031
http://secunia.com/advisories/30336/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2409 (note: This CVE number has been reserved for this vulnerability)
All Trillian users should update to Trillian version 3.1.10.0 immediately.
©2010 by Priveon, Inc.