Month: April 2016

Nikolaj on NVRAM formats, part 3

~ hucktech ~ Leave a comment

Nikolaj Schlej already has part 3 on his blog series on NVRAM formats in UEFI! Very long post with lot’s of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some others common ones.

https://habrahabr.ru/post/281469/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281469%2F&sandbox=1

Nikolaj on NVRAM formats, volume 2

Also it appears he’s also released UEFITool NE alpha 25:
https://github.com/LongSoft/UEFITool/releases/tag/NE.A25

Intel Ethernet diagnostics driver for Windows vulnerable

~ hucktech ~ Leave a comment

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00051&languageid=en-fr

Potential vulnerability in the Intel® Ethernet diagnostics driver for Windows®
Intel ID:      INTEL-SA-00051
Product family:      Intel® Ethernet diagnostics driver for Windows®
Impact of vulnerability:      Denial of Service
Severity rating:      Important
Original release:      Apr 11, 2016
CVE Name:  CVE-2015-2291

A vulnerability was identified in the Intel diagnostics driver IQVW32.sys and IQVW64.sys, also identified as CVE-2015-2291. Intel released an update to mitigate this issue in June 2015. Intel highly recommends that customers of the affected products obtain and apply the updated versions of the driver.

https://downloadcenter.intel.com/download/22283/Intel-Ethernet-Adapters-Connections-CD
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00051&languageid=en-fr

Schneider to sign PLC firmware

~ hucktech ~ 1 Comment

https://twitter.com/ReverseICS/status/720605400249139200

http://www.digitalbond.com/blog/2016/04/14/basecamp-redux-integrity-in-modicon-m580/

I normally only see news on Schneider in the US-CERT advisories and in DEF CON/other presentations about exploits, so it is nice to hear that they are securing their firmware. I wish we’d see news like this from all device vendors.

http://www.schneider-electric.com/ww/en/

http://www.schneider-electric.com/en/search/firmware?category=all

A New Approach for Rowhammer Attacks

~ hucktech ~ Leave a comment

Click on the Twitter link for the PDF:

A New Approach for Rowhammer Attacks

Rowhammer is a hardware bug identified in recent commodity DRAMs: repeated row activations can cause bit flips in adjacent rows. Rowhammer has been recognized as both a reliability and security issue. And it is a classic example that layered abstractions and trust (in this case, virtual memory) can be broken from hardware level. Previous rowhammer attacks either rely on rarely used special instructions or complicated memory access patterns. In this paper, we propose a new approach for rowhammer that is based on x86 non-temporal instructions. This approach bypasses existing rowhammer defense and is much less constrained for a more challenging task: remote rowhammer attacks, i.e., triggering rowhammer with existing, benign code. Moreover, we extend our approach and identify libc memset and memcpy functions as a new rowhammer primitive. Our discussions on rowhammer protection suggest that it is critical to understand this new threat to be able to defend in depth.

ByoSoft supports Intel Firmware Engine

~ hucktech ~ Leave a comment

https://twitter.com/FirmwareEngine/status/720168913229590528

Intel Developer Forum (IDF) takes place in San Francisco and also in China, and the one in ShenZhen is in the news now. Nanjing Byosoft Co., Ltd — aka Byosoft, a UEFI firmware vendor, announced that their ByoCore(TM) BIOS will fully support Intel Firmware Engine:

“Byosoft is the first vendor announce to fully support Intel® Firmware Engine among the independent firmware vendors in the industry, and the Intel® Firmware Engine technology will offer a low-cost, high-flexibility, easy-to-use service solution to Byosoft’s customers in Internet of Thing (IoT) and embedded market.”
 
“Byosoft believe Intel® Firmware Engine can greatly help customer to use ByoCoreTM BIOS and finish the customization, especially for those who don’t purchase source code of the ByoCoreTM. Intel® Firmware Engine offers flexible method of firmware customization based on binary, and without involving Byosoft engineer direct support, the customer can finish the firmware modification by themselves to create the required image.”

“Byosoft has co-worked with Intel and upgraded the ByoCoreTM BIOS codebase to support Intel® Firmware Engine. ByoCoreTM customer can fast customize ByoCoreTM firmware through Intel® Firmware Engine, configuring, adding or removing the existed firmware packages, and integrate user-defined payload. With Intel® Firmware Engine, ByoCoreTM customer can build customized firmware faster and easier.”

Full announcement:
http://www.byosoft.com.cn/xwzxx/98.htm

This is great news for the Windows UEFI ecosystem. Again, I wish Intel would release a Linux version of the Windows-only Firmware Engine. 😦

Nikolaj on NVRAM formats, volume 2

~ hucktech ~ Leave a comment

Nikolaj has started a series of blog posts on NVRAM formats in UEFI:

First edition is here:

Nikolaj on UEFI NVRAM formats

The second edition is already out:

https://habrahabr.ru/post/281412/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281412%2F&sandbox=1

Looking forward volume 3!

 

Brian Richardson on UEFI community changes

~ hucktech ~ Leave a comment

Brian Richardson of Intel’s UEFI team posted a new blog with information about recent changes in the Tianocore development ecosystem. Brian summarizes recent activity, including Tony Mangefeste’s new community roadmap, the recent UEFI plugfest in Taipei, and other changes:

http://blogs.intel.com/evangelists/2016/04/11/tianocore-community-uefi/

U-Boot’s EFI loader gets El Torito ISO support

~ hucktech ~ Leave a comment

Alexander Graf of SuSE has updated his EFI patch for U-Boot, adding the ability to boot from El Torito-style ISOs:

efi_loader: Support loading from El Torito isos

Some distributions still provide .iso files for installation media. To give us greatest flexibility, this patch set adds support for El Torito booting with EFI payloads.

  iso: Make little endian and 64bit safe
  iso: Start with partition 1
  iso: Allow 512 byte sector size
  efi_loader: Split drive add into function
  efi_loader: Add el torito support
  efi_loader: Pass file path to payload
  efi_loader: Increase path string to 32 characters
  distro: Enable iso partition code

For more information, see the full patch:
http://lists.denx.de/mailman/listinfo/u-boot

Nikolaj on UEFI NVRAM formats

~ hucktech ~ Leave a comment

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

https://habrahabr.ru/post/281242/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281242%2F&sandbox=1

Nikolaj is also looking for some NVRAM formats for testing:

Hardwear.io: Call For Papers Open

~ hucktech ~ Leave a comment

The Call-for-Papers is open for the 2nd annual Hardware.IO conference, the only (?) hardware-centric security conference.

Hardwear.io is seeking innovative research on hardware security. If you have done interesting research on attacks or mitigation on any Hardware and want to showcase it to the security community, just submit your research paper. Hardwear accepts papers on any topic that discusses in-depth hardware and firmware security both from the offensive as well as defensive perspective.

Dates:
CFP Opens: 5th April 2016
CFP Closing Date: 5th July 2016
Final list of speakers online: 15th July 2016
Training: 20th – 21st Sept 2016
Conference: 22nd – 23rd Sept 2016

Training Venue:
The Hague Security Delta
Wilhelmina van Pruisenweg 104
2595 AN The Hague
The Netherlands
Conference Venue: TBD

http://hardwear.io/

Voltron

~ hucktech ~ Leave a comment

If you have not looked at Voltron, by Jim Fear, please check it out, it is quite powerful:

https://twitter.com/snare/status/718720138866917376

Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs. Voltron does not aim to be everything to everyone. It’s not a wholesale replacement for your debugger’s CLI. Rather, it aims to complement your existing setup and allow you to extend your CLI debugger as much or as little as you like. If you just want a view of the register contents in a window alongside your debugger, you can do that. If you want to go all out and have something that looks more like OllyDbg, you can do that too.

https://github.com/snare/voltron

 

UEFITool NE Alpha24 released, seeking NVRAM testers

~ hucktech ~ Leave a comment

Nikolaj has updated UEFItool NE again, Alpha 24, with NVRAM support done, and is needing help to test it.

Changes:
* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state

Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!

https://github.com/LongSoft/UEFITool/releases/tag/NE.A24

IBM research on USB eavesdropping attacks

~ hucktech ~ Leave a comment

IBM Research has new research on USB attacks and an “UScramBle” implementation for Linux:

USB Eavesdropping Attacks

Attacks that leverage USB as an attack vector are gaining popularity. While attention has so far focused on attacks that either exploit the host’s USB stack or its unrestricted device privileges, it is not necessary to compromise the host to mount an attack over USB. This paper describes and implements a USB sniffing attack. In this attack a USB device passively eavesdrops on all communications from the host to other devices, without being situated on the physical path between the host and the victim device. To prevent this attack, we present UScramBle, a lightweight encryption solution which can be transparently used, with no setup or intervention from the user. Our prototype implementation of UScramBle for the Linux kernel […]

Quanta LTE routers vulnerable

~ hucktech ~ Leave a comment

Pierre Kim has a new detailed blog post on Quanta router firmware vulnerabilities:

Multiple vulnerabilities found in Quanta LTE routers (backdoor, backdoor accounts, RCE, weak WPS …)

Quanta Computer Incorporated is a Taiwan-based manufacturer of electronic hardware. It is the largest manufacturer of notebook computers in the world. The Quanta LTE QDH Router device is a LTE router / access point overall badly designed with a lot of vulnerabilities. It’s available in a number of countries to provide Internet with a LTE network. The summary of the vulnerabilities is: [list of about 20 items omitted for space]. A personal point of view: at best, the vulnerabilites are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor. Not all the vulnerabilities found have been disclosed in this advisory. Only the significant ones are shown. Note: This firmware is being used by other Quanta CPEs. From the /usr/www/js/ui/qdisplay.js file, the vulnerable firmware seems to be used in several routers: [list omitted]. The routers are still on sale and used in several countries. Due to lack of communication of the vendor, the specific list of affected countries is unknown. However, we assume the affected firmware is used at least in some Arabic speaking countries as the Help files are written in English, French, Chinese and Arabic (See http://192.168.1.1/help_ar.html). Due to lack of security patches provided by the vendor, the vulnerabilities will remain unpatched. Details […]

FreeBSD 10.3 released

~ hucktech ~ Leave a comment

Marius Strobl announced FreeSD 10.3, with changes to UEFI, amongst other updates and new features. An excerpt of the highlights listed in the announcement:

* The UEFI boot loader received several improvements: It now follows /boot/config and /boot.config files, multi-device boot support works and command line arguments are parsed. Additionally, its framebuffer driver has been enhanced with GOP (Graphics Output Protocol) and UGA (Universal Graphics Adapter) handling, allowing to set the current graphics mode on systems using one of these methods. Moreover, ZFS boot capability has been added to the UEFI boot loader, including support for multiple ZFS Boot Environments (BEs), e. g. those provided by sysutils/beadm.

* The bsdinstall(8) utility has been updated to allow for creating root-on-ZFS installations on UEFI-based systems in automatic mode.

* The mkimg(1) utility has been updated to support NTFS file systems in both GPT and MBR partitioning schemes.

* And much more …

More information:
https://www.FreeBSD.org/releases/10.3R/relnotes.html
https://www.FreeBSD.org/releases/10.3R/errata.html
https://www.FreeBSD.org/releases/10.3R/signatures.html
https://www.FreeBSD.org/releases/10.3R/announce.asc
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/
ftp://ftp.freebsd.org/pub/FreeBSD/releases/VM-IMAGES/10.3-RELEASE/
https://www.FreeBSD.org/releases/10.3R/installation.html
https://lists.freebsd.org/pipermail/freebsd-announce/2016-April/001713.html
https://www.freebsd.org/releases/10.3R/relnotes.html#kernel-bugfix