Thursday, April 19, 2018

Bypassing Local Windows Authentication to Defeat Full Disk Encryption

Full Disk Encryption
• A scheme for protecting data at rest. Encrypts an entire disk or volume.
• Mitigates the impact of a threat with physical access; generally does not provide protection against remote adversaries.
• Encrypts everything, often including the OS.

Microsoft BitLocker
• BitLocker is Microsoft's proprietary full-disk encryption feature.
• Built into all professional/enterprise versions of Windows since Vista.
• Uses the system's Trusted Platform Module (TPM) to store the master encryption key.

What is a TPM?
• A TPM is a hardware module responsible for performing cryptographic operations, performing attestation, and storing secrets.
• It has fairly general APIs, so how it is used is mostly up to applications.
• Example applications include remote attestation, and storing encryption keys.

Storing Secrets on a TPM
• A TPM contains several Platform Configuration Registers (PCRs).
• Starting with the BIOS (which is assumed to be trusted), the next part of the boot process (e.g. the MBR) is hashed and this value is stored in the a PCR.
• Each stage of the boot process is responsible for hashing the next and storing it in a PCR.

Storing Secrets on a TPM
• A boot, the TPM has a zero in all PCR registers.
• Whenever the TPM is told to update a register r with a value v, it always sets: r = HASH (r | v)
• So PCR values can never get set directly, only appended to. Arbitrary PCR values cannot be spoofed.
• This means a set of values in the PCRs can only be replicated by having that same boot chain.

Storing Secrets on a TPM
• When the TPM stores a secret key, that key can be sealed. When a key is sealed, the TPM references the current value of the PCRs.
• An API call to unseal that key will fail unless the current PCR values match the original values from when the key was sealed.
• So effectively, only the original boot process will be able to retrieve that secret key.

Transparent BitLocker
• BitLocker, in addition to the TPM, can optionally require a PIN or a key saved on a USB drive.
• However, it’s recommended configuration works transparently. It seals the secret key in the TPM and only BitLocker can retrieve it.
• Your computer boots up to a login screen as usual, with no indication that FDE is enabled.


Attacks Given Physical Access
• Known Hardware Attacks
            – Attack the TPM (grounding control pins)
            – Do a cold-boot attack to get the key from RAM
• Attack an early part of the boot chain
            – Flash the BIOS/EFI with a custom image
            – Look for a defect in the BIOS, MBR, or boot loader

• Or see we can attack the OS itself and see if Windows will give us the key...

Booting Up With BitLocker


Local Windows Authentication
• The Local Security Authority (LSA) manages authentication, usually using a Security Subsystem Provider (SSP).
• For a client-domain authentication, the Kerberos SSP exchanges messages with the Domain Controller (DC).
            – When attacking FDE, we have physical access. So we control the network and can run a “mock” DC.

Windows Domain Authentication
• Requests a session ticket (TGT) from the DC.
            – The TGT includes a secret key S, encrypted by the DC with the saved user password. Login screen decrypts S using the typed password.


Windows Domain Authentication
• TGT and S are used to request a service ticket T from the DC for the target service (in this case, the local workstation).
            – The local workstation verifies T

Machine Passwords
• When a workstation first joins a domain...
            – A secret key is generated, called the machine password.
            – This password is sent to the DC, so they have a shared secret for future communication.
• To grant access to the workstation, the login process must present a valid service ticket T.
            – This ticket is signed using the machine password.
            – Which we don't have...

If the DC uses the wrong machine password


The Local Credentials Cache
• A user can login when the DC isn’t available
            – Like when you’re using your laptop at a conference during someone’s talk…
• The cache is usually updated whenever the workstation sees the credentials are changed.
            – So it's updated when you successfully login and were authenticating against the DC.
            – Also updated when you change your domain password.

Too Bad We Can't Change the Password On the Login Screen


Password Reset


Poisoned Credentials Cache



Poisoned Credentials Cache


What Now?
• Dump the BitLocker key from kernel memory
            – As long as the domain account is a local admin
            – Although at this point you already have access to all the local user files, so it's pretty moot.
• Just dig through personal data
            – Saved passwords, Outlook emails, source code…
            – Drop in a trojan / backdoor, or whatever other malware you like.

System Configurations Effected
• Applies to any computer with:
            – BitLocker without pre-boot authentication
            – Attached to a domain
            – With a least one person having logged in with a domain account.
• Tested on Windows Vista, Windows 7, and Windows 8.1, Windows 10.
            – (Also Windows XP and Windows 2000)

How Else Does This Attack Apply?
• This isn't really BitLocker specific. More generally, this is an authentication bypass for domain accounts.
• If someone is logged in, locks their screen, and steps away, you could use this to unlock the PC.
            – Someone on their laptop at a coffee shop.
            – A computer in an office.

Impact and Mitigation
• This is 100% reliable attack, software-only, low sophistication, and takes a matter of seconds.
• You could use BitLocker with pre-boot authentication (i.e. using a PIN or USB key)
• You could use a BIOS password on boot
• Microsoft is releasing an update to address the issue. Expected release is November 10.
– ACK to the Microsoft Security Response Center

Reflections: Why Does This Work?
• The protocol for password changes was written in RFC 3244 for Windows 2000, publish in 2002.
• At that point, local access was total access. Local access wasn’t a valid threat model during protocol design.
• But local access is precisely the threat model under which FDE is applicable.

Black Hat Sound Bytes
• A defect in Windows domain authentication means BitLocker Full Disk Encryption can be bypassed; the attack is fast and non-technical.
• Microsoft is releasing a patch for the issue (expected November 10). Make sure all your workstations are up-to-date!
• Threat models change; when they do, you need to re-evaluate previous security choices.


No comments:

Post a Comment

Get Unlimited Free Trials Using a "Real" Fake Credit Card Number

When I see the words "free trial," I know I'm probably going to have to whip out my credit card and enter in the number to ...