Bypassing Integrity Check of Pre-boot Authentication Software

Anand Namana
2 min read · Mar 10, 2018

Usually I write all my articles on my blog. I found Medium to be a great medium for sharing stories, so I decided to post this one right here. I am intentionally masking all the file names in the description below.

This is something I identified a year and a half ago and am sharing now. I was assessing pre-boot authentication software that encrypts and protects the BitLocker authentication key and also offers different ways to log in to the OS. Below is the approach I took for the assessment.

Phase 1: Luckily the laptop was not protected with a BIOS password, so I could boot from a USB stick. After booting from the USB stick I extracted the partition holding the pre-boot authentication software/firmware image and started exploring its contents. It was a stripped-down Linux OS image along with custom binaries that protect confidentiality and integrity.

Phase 2: After some exploration I identified the custom binaries that protect the integrity of the entire firmware and perform encryption and decryption. So, the first step was to break the integrity check. After thorough analysis I found that a file named “x” is invoked first and checks the integrity of another file, “y.sh”. Once the integrity check of “y.sh” is satisfied, “y.sh” kicks in and checks the integrity of the entire firmware; if it finds any anomalies the system does not boot and results in an error.

Phase 3: The idea now was to analyze further and break the integrity check. Upon further analysis I identified that “y.sh” uses some of Linux's built-in utilities, such as wc (word count), along with others to check the integrity of the entire file system. If wc returns a value greater than 0, it means some file has been modified and an error is returned. If wc returns 0, no error is returned and the integrity check passes. So, if I modified the wc utility to always return 0, I could break the integrity check.

Phase 4: Further analysis helped me understand that wc and the other Linux utilities were extracted at runtime from the “x” file and placed in the /tmp directory, so it is difficult to modify the wc file directly. After some thought I created a fake wc utility that always returns 0 upon execution. I then created a startup script that repeatedly copies the fake wc into the /tmp directory and placed it in the Linux startup script directory along with the fake wc. I wrote the modified image back and booted up the laptop. Poof!! The integrity check was broken and the filesystem could now be modified further.
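For contrast, here is what a check that does not fall to this substitution looks like. It is an added example written for this post, not the vendor's “y.sh”, and it assumes /usr/bin/sha256sum as the pinned helper path and a manifest in sha256sum's "hash  path" format.

```sh
#!/bin/sh
# Constructed hardened integrity check, not the vendor's y.sh. It removes the
# two weaknesses exploited above: helpers run only from a pinned absolute path
# that must not sit under a world-writable directory, and the mismatch count
# lives in a shell variable, so no external counter such as wc is in the trust
# path. The checker itself still needs a signed or measured image to be trusted.
SHA256="${SHA256:-/usr/bin/sha256sum}"   # assumed pinned helper path

# 0 if $1 is a regular file outside scratch dirs with no world-writable parent.
trusted_path() {
    p="$1"
    [ -f "$p" ] || return 1
    case "$p" in /tmp/*|/var/tmp/*|/dev/shm/*) return 1 ;; esac
    d="${p%/*}"
    while [ -n "$d" ]; do
        perm=$(ls -ld "$d") || return 1
        case "$perm" in ????????w*) return 1 ;; esac   # other-write bit set
        d="${d%/*}"
    done
    return 0
}

# Check each "sha256  path" line of manifest $1. Sets MISMATCHES; returns 0 if
# all match, 1 on any mismatch or missing file, 2 if the helper is untrusted.
verify_manifest() {
    MISMATCHES=0
    trusted_path "$SHA256" || return 2
    while read -r want path; do
        [ -n "$want" ] || continue
        got="missing"
        [ -f "$path" ] && { got=$("$SHA256" "$path"); got="${got%% *}"; }
        if [ "$got" != "$want" ]; then
            MISMATCHES=$((MISMATCHES + 1))
            echo "integrity failure: $path" >&2
        fi
    done < "$1"
    [ "$MISMATCHES" -eq 0 ]
}

# Constructed demo: build a scratch tree, verify it, tamper with it, re-verify.
demo() {
    t=$(mktemp -d /tmp/pba-demo.XXXXXX)
    printf 'boot config\n' > "$t/boot.cfg"
    "$SHA256" "$t/boot.cfg" > "$t/manifest"
    verify_manifest "$t/manifest" && echo "clean image: ok"
    printf 'patched\n' > "$t/boot.cfg"
    verify_manifest "$t/manifest" || echo "tampered image: $MISMATCHES mismatch"
    rm -rf "$t"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh check.sh demo` to see both verdicts; a copy of a helper planted under /tmp is refused by trusted_path before its output is ever consulted.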

I thoroughly enjoyed performing an assessment of such software.

Thanks
