Dmytro Oleksiuk (@d_olex) just wrote up some very interesting UEFI security blog post, with CHIPSEC-based sample code!
Breaking UEFI security with software DMA attacks
Hi everyone! In this article I’d like to tell you more about UEFI vulnerabilities exploitation. Last time, in “Exploiting UEFI boot script table vulnerability” blog post I shown how to execute arbitrary shellcode during early PEI phase which allows to bypass security mechanisms that protects System Management Mode memory (SMRAM) from DMA attacks. Now we will perform such DMA attack on SMRAM to disable BIOS_CNTL flash write protection — it will give us the ability to write infected firmware to ROM chip on the motherboard. This attack can be used for installation of my SMM backdoor without having physical access to the target machine (in previous blog post I explained how it works and how to install it using hardware programmer). My software DMA attack approach for Linux operating system hijacks physical address of DMA buffer used by disk driver, concept of such attack originally was presented in BH US 2008 talk by Rafal Wojtczuk “Subverting the Xen hypervisor”.