BlackHat资料us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdfVIP

Absolute Backdoor Revisited Vitaliy Kamlyuk, Kaspersky Lab Sergey Belov, Kaspersky Lab Anibal Sacco, Cubica Labs BlackHat, Las Vegas August, 2014 What is Computrace? Computrace is an Anti-Theft software product developed by Absolute Software, which is embedded in BIOS PCI Optional ROM or UEFI Firmware, which can be activated on system boot and creates Windows service by dropping executable file on Windows filesystems. *Images are taken from US Patent 20060272020 A1 Why is this research? We have discovered that some of our private laptops were running Absolute Computrace without prior consent of legitimate owners. Later we found a new computer on sale at a local retail shop which also had Computrace running on it. We decided to investigate who, why and how has activated Computrace on these computers and if that created any security breach on our systems. How does it work? Computrace has 4 stages of operation: 1. BIOS/UEFI module locates FAT32/NTFS partition and injects code into Windows Autochk.exe native application. 2. Modified autochk.exe registers new system service for rpcnetp.exe. 3. rpcnetp.exe connects to control server to download additional executable components and a replacement for rpcnetp.exe which will be started as a service rpcnet each time system boots. 4. rpcnet.exe connects to control server each time system starts. If the service/file is removed, the procedure starts again from the beginning. Remote Code Execution/Design Flaw Computrace by design does remote code execution. The small rpcnetp.exe agent is easily exploitable as it doesnt implement any server authentication mechanism. Assuming that an attacker is able to control victims network traffic (ARP poisoning, DNS hijacking, etc) its possible to execute arbitrary code remotely. DEMO!