Manipulation of pre-boot authentication in CryptWare CryptoPro Secure Disk for Bitlocker

SEC Consult Vulnerability Lab Security Advisory < 20160831-0 >


title: Manipulation of pre-boot authentication

product: CryptWare CryptoPro Secure Disk for Bitlocker

vulnerable version:

fixed version: 5.2.1

CVE number: -

impact: critical


found: 2016-06-30

by: R. Freingruber (Office Vienna)

M. von Dach (Office Zurich)

SEC Consult Vulnerability Lab


An integrated part of SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich




Vendor description:


"CryptoPro Secure Disk for BitLocker enhances the functionality of

Microsoft BitLocker to have an own PreBoot Authentication (PBA)

and enables BitLocker to use established and existing authentication

methods like UID/Password and Smartcard/PIN. The encryption

of the hard disk, as well as the recovery mechanism are realized with

Microsoft BitLocker while the user Authentication and Help-Desk

mechanism are handled by CryptoPro Secure Disk for Bitlocker.


This ideal combination of both technologies allows customers to

establish an ease of use and cost effective solution, even without

having to use TPM authentication and administration. Our centralized

encryption management with different roles of administration and

multi-client-capability delivers new opportunities for customers and

third party service providers."





Business recommendation:


By using the vulnerabilities documented in this advisory an attacker

can attack the boot process and backdoor the system to steal

login credentials, the private 802.1x certificate and the associated



SEC Consult recommends not to use this software until a thorough security

review has been performed by security professionals and all identified

issues have been resolved.



Vulnerability overview/description:


1) Terminal access not blocked at login mask

After installing CryptoPro Secure Disk an additional partition (ext3) is

added to the system. This partition contains a small Linux operating system

that is started directly after booting the system (before the BitLocker code

is executed). The login application is started via an init script.

An attacker can use a keyboard shortcut to open the first terminal.

This spawns an invisible root shell for the attacker (commands can be

executed, however, the output is not directly visible).

The other terminals (terminal two to six) are blocked via commands

inside the /etc/inittab file. The associated line for terminal one is

commented out and therefore not active.



2) Inadequate software manipulation verification

After starting the system the following application gets started:

/usr/SUPERSHEEP/bin/app_launcher -a ./ss_gui

The app_launcher application carries out checks and finally

starts the graphical user interface with the login mask (ss_gui).

These checks first verify the hashsum of the file


and afterwards execute the script. The script calculates the hashsum

of nearly all files on the system and compares them with a preconfigured

list (which is stored inside an encrypted block special file).

If the hash of the script is wrong or the script reports invalid hashes,

the boot process is stopped and an error is displayed to the user.

The script contains a design / logical error which allows an attacker

to bypass the hash verification. By exploiting this flaw an attacker

can modify all files on the system (e.g. add a backdoor).



Proof of concept:


1) Terminal access not blocked at login mask

An attacker can use the keyboard shortcut Ctrl+Alt+F1 to open an

invisible root shell. A simple proof-of-concept is to type the

command "reboot". This results in a beep-sound and a reboot of the


Another proof-of-concept is that an attacker connects the victim

system with a DHCP server to assign an IP address and then starts the

following command:

/usr/bin/netcat -lvvp 8197 -e /bin/sh


This command must be typed with a German keyboard layout. It

binds a root shell to port 8197. Afterwards the attacker can

connect to port 8197 to issue commands and receive their output.


2) Inadequate software manipulation verification

The script /usr/SUPERSHEEP/bin/

executes the following command to calculate the number of files with

invalid hashes:

/tmp/sha256sum -c $CS_FILE > $CS_FILE.out

Later the wc (word count) utility is used to count the number of

errors. This is done by the following code:

NUM_FAILED=`wc -l $CS_FILE.error | cut -d " " -f 1`

The script uses the wc program and expects that wc was not

modified and the output of it is correct. However, an attacker

can modify it to always return zero which means that zero errors

were found.

The problem is that the script verifies the

hashsum of the wc utility, but it already relies on

this utility while performing that verification.
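
The flaw described above, next to a check whose verdict does not pass through any helper utility, as an added example (not CryptWare's script and not part of the SEC Consult advisory). The names verify_fragile, verify_hardened, demo and HASHER are hypothetical, the "2>" redirection is an assumption, and the hasher and the shell are assumed to come from storage that was verified earlier in the boot chain.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: HASHER and the shell itself were
# loaded from storage that was verified before this script runs.
HASHER=${HASHER:-sha256sum}   # hypothetical knob, e.g. a copy in the initramfs

# Pattern quoted in the advisory: the verdict is whatever `wc` prints.
# The "2>" redirection that fills the .error file is an assumption.
verify_fragile() {   # usage: verify_fragile MANIFEST ROOT
    ( cd "$2" && "$HASHER" -c "$1" > "$1.out" 2> "$1.error" ) || :
    num_failed=$(wc -l "$1.error" | cut -d " " -f 1)
    [ "$num_failed" -eq 0 ]
}

# Hardened: verdict from shell builtins and the hasher's own output only.
# Returns 0 = all match, 1 = mismatch or missing file, 2 = cannot verify.
verify_hardened() {   # usage: verify_hardened MANIFEST ROOT
    [ -s "$1" ] || return 2                        # no manifest: fail closed
    entries=0
    while read -r want path || [ -n "$want" ]; do  # keep an unterminated last line
        [ -n "$want" ] && [ -n "$path" ] || return 2   # malformed entry
        [ -f "$2/$path" ] || return 1                  # listed file is gone
        got=$("$HASHER" < "$2/$path") || return 2      # hasher could not run
        [ "${got%% *}" = "$want" ] || return 1         # builtin split, no cut/wc
        entries=$((entries + 1))
    done < "$1"
    [ "$entries" -gt 0 ] || return 2
}

# Constructed sample tree; one file is altered after the manifest is written.
# The wc() function stands in for a wc that always reports zero, as described.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/root"
    echo "login mask" > "$d/root/ss_gui"; echo "init" > "$d/root/rc"
    ( cd "$d/root" && "$HASHER" ss_gui rc ) > "$d/manifest"
    clean=0; verify_hardened "$d/manifest" "$d/root" || clean=$?
    echo "altered" >> "$d/root/ss_gui"
    fragile=0; ( wc() { echo "0 x"; }; verify_fragile "$d/manifest" "$d/root" ) || fragile=$?
    hardened=0; ( wc() { echo "0 x"; }; verify_hardened "$d/manifest" "$d/root" ) || hardened=$?
    rm -rf "$d"
    echo "$clean $fragile $hardened"
}
```

Calling demo prints "0 0 1": the clean tree passes, the altered tree still passes the wc-based check, and the builtin-only check rejects it.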


For a proof-of-concept the wc file was replaced with the following content:


echo "0 x"

exit 0


After that all scripts and binaries can be modified.

For example, the following script from CryptoPro Secure Disk can be used to

backdoor the system to save private keys (802.1x) together with the

associated password:




Vulnerable / tested versions:


The version was found to be vulnerable which was the latest version

at the time of discovery.



Vendor contact timeline:


2016-08-01: Contacting vendor through

2016-08-02: CryptWare was able to reproduce the vulnerabilities

2016-08-10: Release of CryptoPro Secure Disk 5.2.1 which

according to the vendor fixes the vulnerabilities.

2016-08-31: Coordinated release of security advisory





Upgrade to CryptoPro Secure Disk 5.2.1. The patch is provided

by the vendor directly.








Advisory URL:







About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.





Mail: research at sec-consult dot com





EOF R. Freingruber / @2016