Friday, March 22, 2013

Planting code in memory - How to bypass Windows logon prompt

Recently I was asked to demonstrate the well-known DMA attack. I thought that I had to look for PoC code and hack it to suit my purposes. How wrong was I? It turns out that I was really wrong...

First, something about DMA. The technique allows external devices to access RAM directly, bypassing much of the limiting control that would otherwise be imposed by, for example, the operating system. This makes DMA-enabled interfaces much faster than if the data were first passed to the operating system for possible sanitation and through its memory management. DMA-enabled interfaces include FireWire, Thunderbolt, ExpressCard, PCI and PCI Express.

Next, the rig: I had two laptops, each equipped with an ExpressCard slot, so I purchased two ExpressCard FireWire cards and a cable to connect them. The total cost was around 70 EUR.

The target was a Windows 7 machine with all available security updates and a commercial anti-virus solution installed. The hard disk was also encrypted, so the usual cold boot attacks were out of the question.

For the attacking machine I did a clean install of Ubuntu on the other laptop. I will not go into detail about what I installed, other than the dependencies for Inception. Once I had Inception installed and the FireWire card working on the Ubuntu laptop, I was ready to go.

First, I fired up both machines and interconnected them via the FireWire cable. Windows was nice enough to play the "a new device has been found" sound when I plugged in the ExpressCard. I also confirmed that Ubuntu correctly identified it with lspci. Time to fire up Inception. I first ran it with the probe flag (-p):

Cool! Everything is working and Inception even tells me that I'm currently connected to a Microsoft device. Time to test if Inception really delivers what it promises. I again fire up Inception and follow the instructions on the screen:


Time to wait while Inception scans the victim's memory for msv1_0.dll, which handles the password check. This can take some time, because a target can nowadays have lots and lots of memory... Luckily Inception displays a progress bar, so you can tell that it hasn't hung:

Once the DLL has been found in memory, Inception overwrites it to accept any password. After maybe 2 minutes the DLL is found and patched:

Patching successful, eh? Time to go to the Windows box and log in with an empty password. Yes! We are in: local admin permissions acquired!

Naturally there are some limitations to this attack:
  1. You can only log in to local accounts or to domain accounts whose credentials are cached locally.
  2. OS X Lion disables DMA when no user is logged in and FileVault is enabled. You can still use Inception for privilege escalation if a user is logged in, up to OS X version 10.7.2.
  3. If DMA is off, then naturally this won't work. In Windows this can be done by disabling the SBP-2 driver.

In conclusion: the DMA attack works and is no longer just a theoretical attack vector. Physical security should be taken care of, and again: services (and in this case drivers) that are not needed should be disabled to reduce the attack surface.
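As an added example that is not part of the original post, the Windows-side mitigation from limitation 3 written as a PowerShell audit-and-disable script: it reports whether the SBP-2 driver is enabled and then sets it to disabled. It assumes an elevated session on Windows 7 or later and that the SBP-2 driver is registered under the service name sbp2port (an assumption; verify against the service list on your own hosts).

```powershell
# Added example (not from the original post): audit and disable the SBP-2
# driver that exposes FireWire DMA to the memory-patching attack above.
# Assumption: the SBP-2 protocol driver (sbp2port.sys) is registered as the
# service 'sbp2port'. Run from an elevated PowerShell session.
$svc = 'sbp2port'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

function Get-Sbp2State {
    # Start=4 is SERVICE_DISABLED; anything else means the driver may load.
    if (-not (Test-Path $key)) { return 'not present' }
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    if ($start -eq 4) { return 'disabled' }
    return "enabled (Start=$start)"
}

function Disable-Sbp2 {
    if (-not (Test-Path $key)) {
        Write-Output "$svc not present, nothing to do"
        return
    }
    # The Start value already exists as a DWORD, so no type needs to be given.
    Set-ItemProperty -Path $key -Name Start -Value 4
    Write-Output "$svc set to disabled; reboot to unload the driver"
}

Write-Output "SBP-2 driver state before: $(Get-Sbp2State)"
Disable-Sbp2
Write-Output "SBP-2 driver state after:  $(Get-Sbp2State)"
```

Re-run the audit after the reboot; a machine that still reports the driver as enabled has either had the change reverted by policy or a different service name for the SBP-2 driver.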