
Secure External Hard Disk (Toshiba) Password Authentication Vulnerability

High
bosslabdcu published GHSA-px7r-44vj-8h7m Jan 25, 2023

Package

Storage Security Software (Software)

Affected versions

V1.2.0.7413

Patched versions

not patched

Description

Impact

This vulnerability exposes the registered password in plaintext to an attacker who does not know it. Password authentication can therefore be bypassed without any prior knowledge of the legitimate user's credentials. Once the attacker has bypassed authentication, the encrypted data on the secure external hard drive is decrypted automatically for them, because the drive treats them as an authorized user. The attacker can then read, delete, or modify the protected data without ever obtaining the decryption key or any information about the password.

Summary

Secure external hard disks are one of the technologies that have emerged for the secure storage of user data. They rely on user authentication and access control, with user authentication being the primary mechanism, and password-based authentication is the most common form because it is easy to implement and convenient to use. We therefore selected Toshiba's Canvio Premium, a currently marketed secure external hard disk, and analyzed the weaknesses of the password-based authentication applied to the product.
An attacker without access privileges to the data protected on the drive can bypass user authentication with no knowledge of the registered user's password. The drive's management program compares the password entered by the user with the password registered during the registration process, and both values are exposed in plaintext while this comparison runs. An attacker can therefore read the exposed registered password and use it to authenticate, without any prior knowledge of the correct credentials.
Our analysis traced the vulnerability to the fact that the password entered by the user is compared against the registered password in plaintext, so the plaintext registered password is present in memory while the comparison function runs. An attacker who exploits this gains every privilege of the secure external hard drive: after bypassing authentication with the exposed plaintext password, the attacker is treated as a registered user, the encrypted data stored on the drive is decrypted automatically, and the attacker can read, delete, or modify the stored data without stealing the decryption key.

Analysis

Based on the vulnerability analysis results, we entered both correct and incorrect passwords into the management software for the secure external hard drive in order to bypass password authentication. The management program stores the entered password in memory for comparison and also loads the registered password into memory for the same purpose.
To locate the registered password in memory, we analyzed the management program's code for the routine that compares passwords, using a string search to find the relevant location. In the TosHddsc module we found the function that compares the entered password with the registered password. An example of the string search results is shown in the figure below.


Fig 1. An example of string search results in TosHddsc module

Analyzing the code at the locations found by the string search, we identified the function that compares the entered password with the registered password. The instruction at 0x00F875AE loads the entered password into the EAX register, and the instruction at 0x00F875B2 loads the registered password into EDX. Both registers are then pushed onto the stack as arguments with PUSH instructions, and the two values are compared by the function called at 0x00F875BC. The code for this process is shown in the following figure.

Fig 2. An example of password comparison function code (address: 0x00F875BC)

To summarize the figure: 0x00F875AE holds the entered password, 0x00F875B2 holds the registered password, and 0x00F875BC is the comparison function that decides whether the entered password is correct. To analyze this function, we stepped into the password comparison function and examined its code in detail. An example of the code at 0x00F875BC, the password comparison function, is shown below.


Fig 3. An example of code inside the password comparison function

Looking at the stack at 0x00F875BC, the comparison function's arguments are exposed: String1 holds "qwerqwer", the password entered by the user, and String2 holds "boss", the registered password. An attacker can therefore read the registered password without any prior authentication information and then attempt authentication with it. As the following figure shows, we were authenticated as the registered user using the exposed registered password. After bypassing authentication, we demonstrated that unauthorized access to the data protected in the secure area is possible.


Fig 5. Vulnerability demonstration result using this authentication bypass vulnerability
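The weakness described in the summary and in the analysis above, a host-side check that compares the entered password against the registered plaintext and so leaves both live in memory at the comparison call, can be modelled in a few lines. The following is an added example, not Toshiba's code and not the TosHddsc routine itself: a vulnerable verifier beside a hardened one that stores only a salted PBKDF2 digest, plus a "strings"-style search over a constructed memory image standing in for what the debugger showed on the stack at 0x00F875BC. The class and function names, the memory layout, and the PBKDF2 parameters are assumptions; the values "qwerqwer" and "boss" are the ones reported in Fig 3.

```python
"""Plaintext password comparison of the kind the advisory describes,
modelled as a small host-side verifier, beside a hardened variant.

Added example, not Toshiba's code. "Process memory" is a constructed
bytes buffer standing in for the stack region a debugger would show at
the comparison call; the values "qwerqwer" (entered) and "boss"
(registered) are the ones the advisory reports in Fig 3.
"""
import hashlib
import hmac
import os
import re


def recover_strings(memory: bytes, min_len: int = 4) -> list:
    """Plain 'strings'-style search over a memory image: runs of printable
    ASCII at least min_len bytes long. This is the attacker's step."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, memory)]


class PlaintextVerifier:
    """Vulnerable pattern: the registered password is kept as plaintext and
    loaded into memory next to the entered one so the two can be compared."""

    def __init__(self, registered: str):
        self.registered = registered  # plaintext, as stored by the manager

    def verify(self, attempt: str) -> bool:
        # Equivalent of the call at 0x00F875BC: two string pointers are
        # handed to a compare routine, so both plaintexts are live here.
        return attempt == self.registered

    def memory_at_compare(self, attempt: str) -> bytes:
        # Constructed stand-in for the stack at the moment of verify():
        # entered buffer and registered buffer, null-separated (assumed layout).
        return (b"\x00" * 16 + attempt.encode() + b"\x00" * 8
                + self.registered.encode() + b"\x00" * 16)


class HashedVerifier:
    """Hardened pattern: only a salted PBKDF2-SHA256 digest of the registered
    password is stored and loaded; the comparison is on digests, in constant
    time, so the registered plaintext never exists in the verifier's memory."""

    def __init__(self, registered: str, iterations: int = 200_000, salt: bytes = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.iterations = iterations
        self.digest = hashlib.pbkdf2_hmac("sha256", registered.encode(), self.salt, iterations)

    def verify(self, attempt: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, self.iterations)
        return hmac.compare_digest(candidate, self.digest)

    def memory_at_compare(self, attempt: str) -> bytes:
        # Same constructed layout; what is loaded for comparison is now
        # salt + digest rather than the registered password.
        return (b"\x00" * 16 + attempt.encode() + b"\x00" * 8
                + self.salt + self.digest + b"\x00" * 16)


def leaked_registered_password(verifier, wrong_attempt: str, registered: str) -> bool:
    """True if an attacker who only knows a wrong attempt can read the
    registered password out of the memory image at comparison time.
    `registered` is passed in purely as the oracle for this demonstration."""
    return registered in recover_strings(verifier.memory_at_compare(wrong_attempt))


if __name__ == "__main__":
    weak = PlaintextVerifier("boss")
    strong = HashedVerifier("boss")
    print("plaintext verifier leaks 'boss':", leaked_registered_password(weak, "qwerqwer", "boss"))
    print("hashed verifier leaks 'boss':", leaked_registered_password(strong, "qwerqwer", "boss"))
    print("strings in weak image:", recover_strings(weak.memory_at_compare("qwerqwer")))
```

Running the module prints that the plaintext verifier leaks "boss" while the hashed verifier does not. Two caveats for a real product: the entered password is still in memory until its buffer is wiped, so the hardened variant protects the stored credential, not the in-flight attempt; and any check that runs on the host can have its result flipped by whoever is able to attach a debugger, so the credential should be verified inside the drive's controller rather than in the management program.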

Discoverer(s)/Credits

Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Wontae Jung/South Korea/dnjsxo4354@mokpo.ac.kr
Donghyun Kim/South Korea/oksally@cu.ac.kr
Junkwon Lee/South Korea/kwonl57@mokpo.ac.kr

Severity

High (8.8 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-30421