{"id":605,"date":"2016-11-04T14:39:13","date_gmt":"2016-11-04T14:39:13","guid":{"rendered":"http:\/\/www.adlice.com\/?p=605"},"modified":"2022-12-21T10:36:00","modified_gmt":"2022-12-21T10:36:00","slug":"google-chrome-secure-preferences","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/de\/google-chrome-secure-preferences\/","title":{"rendered":"Google Chrome: How to Bypass Secure Preferences"},"content":{"rendered":"\n

Google Chrome protects its user preferences<\/strong> using a hashing (HMAC SHA256) mechanism. However, there’s a way to bypass it and it’s quite used by malware<\/strong> in the wild.<\/p>\n\n\n\n

We will first study the way Chrome protects its user settings<\/strong> (Secure Preferences), then we will see how it can be defeated by rewriting the needed hashes<\/strong>. In the end, we will study a malware that uses that technique<\/strong> and we will see how RogueKiller Anti-malware<\/a> can defeat it using that technique as well.<\/p>\n\n\n\n


Secure Preferences<\/h2>\n\n\n\n

Each user profile (located in %localappdata%\/Google\/Chrome\/User Data\/ProfileName<\/strong>) has a bunch of configuration files for storing bookmarks, history, and preferences<\/strong>. Among those files, two of them (Preferences, Secure Preferences) are storing the user settings like homepage, search engine<\/strong>, etc…<\/p>\n\n\n\n

Secure Preferences<\/strong> implements (as its name suggests) some securing mechanism to ensure no malware comes to modify the file<\/strong> manually. This is achieved by hashing some of the json nodes<\/strong> with a custom hashing protocol, based on HMAC SHA256<\/strong>, each time a setting is modified by Google Chrome.<\/p>\n\n\n\n

At startup, Chrome then verifies all the hashes<\/strong> and if something doesn’t match it asks for a restore<\/strong>.<\/p>\n\n\n\n

\"corrupted\"<\/a><\/figure>\n\n\n\n

This is how (an infected) Secure Preferences file looks like:<\/p>\n\n\n\n

{\n  \"browser\": {\n    \"show_home_button\": true\n  },\n  \"default_search_provider\": {\n    \"enabled\": true,\n    \"encodings\": \"UTF-8\",\n    \"prepopulate_id\": 0\n  },\n  \"default_search_provider_data\": {\n    \"template_url_data\": {\n      \"keyword\": \"trotux\",      \n      \"url\": \"http:\\\/\\\/www.trotux.com\\\/search\\\/?q={searchTerms}&z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=sp\",\n      ...\n    }\n  },\n  \"extensions\": {\n    \"known_disabled\": [\n      \n    ],\n    \"settings\": {\n        ...\n    }\n  },\n  \"homepage\": \"http:\\\/\\\/www.trotux.com\\\/?z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=hp\",\n  \"homepage_changed\": true,\n  \"homepage_is_newtabpage\": false,\n  \"pinned_tabs\": [    \n  ],\n  \"protection\": {\n    \"macs\": {\n      \"browser\": {\n        \"show_home_button\": \"D72D3A4AE301492E30C5840566DCCD9EE5F2066E792805D5F59B7DFC056B2F83\"\n      },\n      \"default_search_provider\": {\n        \"keyword\": \"4E70E531D9FE35B77433ED7CBB36F9A72701C928679E49F64F71E63D3813EF86\",\n        \"name\": \"2C12B4EE800F1C223FDF8B2D24967192C55841015DBE6F3602538E75B2209075\",\n        \"search_url\": \"7AB9E5FCF7FF91530B1F36B3D593EA9D48DE74BB228B8F566BBC4E74C4E97705\"\n      },\n      \"default_search_provider_data\": {\n        \"template_url_data\": \"14C800C1FB62974BB653070FEABEC06A4F91ED01773354C03B5C2456DCC3B78A\"\n      },\n      \"extensions\": {\n        \"known_disabled\": \"3B2D6F2EE0DE5BB99976E4DE120B6C6E9E8AE6D50BA6665CF4D7A617783CA5B9\",\n        \"settings\": {\n          ...\n        }\n      },\n      \"google\": {\n        \"services\": {\n          \"account_id\": \"B06F39E76B49B24DE765021EBB621EC88FD029F86F4FE2A588360110A7DF4EA1\",\n          \"last_account_id\": \"2CE2762DD69EB763602E6D67F063A9A3302909B0080C6962F7E4BBE1F3AC1861\",\n          \"last_username\": \"C1E45A7D2667A3CFE15B5F1BA572E51554F5BB35AC5ABB709DC3EC0E83596FC3\",\n          \"username\": \"C9139E29A994D7131018AF8C6520A3EFBE59BB3555D3CE5B6F07906CCD10456D\"\n        }\n      },\n      \"homepage\": \"6D5A2725E3385B12610051F2019FDC7452CFF7863DF5C4A202CFACF5AE166ACF\",\n      \"homepage_changed\": true,\n      \"homepage_is_newtabpage\": \"8CD33E8A34AD6F5F8341702ED482FD16020BBBA37972D958168D8334945CA533\",\n      \"pinned_tabs\": \"6443846DA531F6BDFFE87F17E1AFF9739D4A816CABCAAAF35C0A0EF0E81D9162\",\n      \"prefs\": {\n        \"preference_reset_time\": \"DE6810A8F6703E3EDEABD407E27612F88E9DBA3B0318692F57A71005142C2B69\"\n      },\n      \"profile\": {\n        \"reset_prompt_memento\": \"7122E3BBEDDBEC92FDBBD0899A15E3D0B6F8C546195045E571405DFB99C8B82D\"\n      },\n      \"safebrowsing\": {\n        \"incidents_sent\": \"DA02CC41A2157A273538A127A693AF1AB06329276766E7A0BFA1DCCED5720D4A\"\n      },\n      \"search_provider_overrides\": \"C623DCD793B7DE76BEE45387932E1D245150D190F5322680F0F0E88F73698487\",\n      \"session\": {\n        \"restore_on_startup\": \"F1AD6F4A7E65CBCA6683C30586F2F14B958729A1A2E89231DF300F245B5923DD\",\n        \"startup_urls\": \"CCFD36CED4675FF0817C0847AFE300476D804E7AAE437CB2B074F5E8477A4C2D\"\n      },\n      \"software_reporter\": {\n        \"prompt_seed\": \"FED73C26AAD4579B62F8793895CBEC2ECFBE59199C79AB68F486A29AAC51B220\",\n        \"prompt_version\": \"623DD568AFD8A981E71A63CD11663071E151C2B96171AD56D3C58558A6776133\"\n      }\n    },\n    \"super_mac\": \"3AA7590924852A9F2A55AC29641D603DDF1EAC8D96E72B0582770B5BC49CD47B\"\n  },\n  \"session\": {\n    \"restore_on_startup\": 4,\n    \"startup_urls\": [\n      \"http:\\\/\\\/www.trotux.com\\\/?z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=hp\"\n    ]\n  },\n  \"sync\": {    \n  }\n}<\/code><\/pre>\n\n\n\n

We can see a few interesting fields<\/strong> regarding startup urls and homepage (highlighted). For each field, we have a corresponding entry in the “protection.macs”<\/strong> node. If some program modifies (manually) one of the settings above it will need to update the corresponding hash<\/strong> in the macs, as well as the “super_mac” entry.<\/p>\n\n\n\n

Custom HMAC<\/h2>\n\n\n\n
The custom HMAC hash is fortunately documented from the Chromium sources<\/a>. With a little bit of reverse, guesses and code reading, we’ve been able to reproduce the algorithm<\/strong>:<\/p>\n\n\n\n
The HMAC SHA256 is a hashing mechanism that produces a SHA256 from a key (or seed) and a message<\/strong>. Let’s see how to obtain them:<\/p>\n\n\n\n

HMAC Seed<\/h4>\n\n\n\n
The seed is unique to a machine<\/strong> where Chrome is installed (or per Chrome version?). It’s stored in Chrome’s installation path (C:\\Program Files (x86)\\Google\\Chrome\\Application\\ChromeVersion\\resources.pak<\/strong>). This format is quite known now, and well explained here<\/a>.<\/p>\n\n\n\n
All you need to do is to look for the first resource with a length of 64<\/strong>.<\/p>\n\n\n\n
\"seed\"<\/a><\/figure>\n\n\n\n

HMAC Message<\/h4>\n\n\n\n
To build the message, we first need to get a Machine ID<\/strong> (unique identifier per machine). We can follow the logic once again in the Chromium sources<\/a>, but basically it looks like this:<\/p>\n\n\n\n
Obtain machine SID<\/h5>\n\n\n\n