Multiple Intel systems have SMM runtime EoP

See the full announcement for the list of vulnerable products. Regardless of model, it sounds like no fix until early September.

SmmRuntime Escalation of Privilege
Intel ID: INTEL-SA-00056
Product family: Intel® Server Board S1200/1400/1600/2400/2600/4600 series
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Aug 08, 2016

Intel is releasing mitigations for a privilege escalation issue. This issue affects the UEFI BIOS of select Intel Products. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage the vulnerable function to gain access to System Management Mode (SMM) and take full control of the platform. Intel products that are listed below should apply the update. Other vendors’ products which use the common BIOS function SmmRuntime may be impacted. To find out whether a product you have may be vulnerable to this issue, please contact your system supplier. Intel highly recommends applying the mitigations. For Intel branded products where a mitigation is still pending, we recommend following good security practices including running with least privilege and keeping security software and operating systems up to date. […]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00056&languageid=en-fr

SGXfun

Slides (PDF): sgx_bh16.pdf

https://github.com/kudelskisecurity/sgxfun

parse_enclave.py takes an enclave in binary form and extracts some metadata

parse_quote.py takes a quote in binary form and extracts its fields

parse_sealed.py takes a sealed blob of data and extracts its fields
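As an added illustration of what a quote parser like parse_quote.py has to do (this is not sgxfun's code), the example below walks an EPID quote using the sgx_quote_t / sgx_report_body_t offsets from the Intel SGX SDK headers, pulls out the fields a verifier cares about (MRENCLAVE, MRSIGNER, ISV product id and SVN, report data, the DEBUG attribute bit) and refuses a blob whose signature_len runs past the end of the buffer. The sample quote is a constructed test vector, not a real attestation, and the EPID signature itself is not checked.

```python
import struct
from dataclasses import dataclass

# Layout of sgx_quote_t / sgx_report_body_t as declared in the Intel SGX SDK
# headers (sgx_quote.h, sgx_report.h); all integers are little-endian.
QUOTE_HEADER = struct.Struct("<HH4sHHI32s")  # version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename
REPORT_BODY_LEN = 384
SIG_LEN_OFFSET = QUOTE_HEADER.size + REPORT_BODY_LEN  # 48 + 384 = 432
SGX_FLAGS_DEBUG = 0x2  # bit in report_body.attributes.flags

@dataclass
class Quote:
    version: int
    epid_group_id: bytes
    attribute_flags: int
    mr_enclave: bytes
    mr_signer: bytes
    isv_prod_id: int
    isv_svn: int
    report_data: bytes
    signature: bytes

    def is_debug(self) -> bool:
        # A verifier should reject debug enclaves: their memory is inspectable with a debugger.
        return bool(self.attribute_flags & SGX_FLAGS_DEBUG)

def parse_quote(blob: bytes) -> Quote:
    if len(blob) < SIG_LEN_OFFSET + 4:
        raise ValueError("quote shorter than fixed header + report body")
    version, _sign_type, gid, _qe_svn, _pce_svn, _xeid, _basename = QUOTE_HEADER.unpack_from(blob, 0)
    body = blob[QUOTE_HEADER.size:SIG_LEN_OFFSET]
    (flags,) = struct.unpack_from("<Q", body, 48)          # attributes.flags
    prod_id, isv_svn = struct.unpack_from("<HH", body, 256)  # isv_prod_id, isv_svn
    (sig_len,) = struct.unpack_from("<I", blob, SIG_LEN_OFFSET)
    sig = blob[SIG_LEN_OFFSET + 4:SIG_LEN_OFFSET + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("signature_len exceeds blob")  # truncated quote or bogus length field
    return Quote(version, gid, flags, body[64:96], body[128:160],
                 prod_id, isv_svn, body[320:384], sig)

def sample_quote() -> bytes:
    # Constructed test vector, not a real quote: a debug enclave with ISV prod id 7, SVN 3.
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<Q", body, 48, SGX_FLAGS_DEBUG | 0x4)  # DEBUG | MODE64BIT
    body[64:96] = b"\x11" * 32     # mr_enclave
    body[128:160] = b"\x22" * 32   # mr_signer
    struct.pack_into("<HH", body, 256, 7, 3)
    body[320:325] = b"nonce"       # report_data usually carries the challenger's nonce
    header = QUOTE_HEADER.pack(2, 1, b"\x00\x00\x00\x0b", 5, 4, 0, b"\x00" * 32)
    signature = b"\xaa" * 16       # placeholder EPID signature, never verified here
    return header + bytes(body) + struct.pack("<I", len(signature)) + signature
```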

PCI Leech


https://github.com/ufrisk

Does not appear to be a public Github project yet.


Nikolaj joins Apple!!

WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!

As well, UEFITool has new maintainers, Alex and Dmytro!!

BLESuite: new test tool for Bluetooth Low Energy (BLE) devices

BLESuite is a Python package that provides an easier way to test Bluetooth Low Energy (BLE) devices.
https://github.com/nccgroup/BLESuite

BLESuite_CLI is a command line tool to enable an easier way to test Bluetooth Low Energy (BLE) devices.
https://github.com/nccgroup/BLESuite-CLI

—–

PCWelt: UEFI tricks for PCs

Here’s an interesting article for end users, with a handful of tool pointers I haven’t seen before:

http://www.pcwelt.de/ratgeber/BIOS_2.0__10_UEFI-Tricks_fuer_Insider-PC_und_Mainboards-8723414.html

English translation:

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.pcwelt.de%2Fratgeber%2FBIOS_2.0__10_UEFI-Tricks_fuer_Insider-PC_und_Mainboards-8723414.html&edit-text=

new ACPI spec on TCG D-RTM

I just noticed there’s a new file on the list of ACPI specs, a 1.0 doc from TCG on D-RTM from mid-June:

TCG D-RTM Architecture
Document Version 1.0.0
June 17, 2013

This specification describes the architecture and implementation examples for a Dynamic Root of Trust for Measurement (D-RTM) used for measured platform initialization without a hardware platform restart. This specification extends the TCG PC Client specification (See (1)). The term “dynamic” is used because the measured platform initialization may occur while the hardware platform is running. In contrast, the Static Root of Trust for Measurement (S-RTM) requires a platform shutdown or restart.

Spec (PDF): TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf

http://uefi.org/acpi


I wish there was an ACPI-announce list, or even a Twitter feed, to keep track of new ACPI specs…

Senrio+Xipiter 0day for MANY D-Link devices

[…] In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts. […] What does that mean in terms of exposure to consumers? In a collaboration with Shodan we discovered 400,000 devices publicly accessible that could be affected by this 0day. […]

http://blog.senr.io/blog/400000-publicly-available-iot-devices-vulnerable-to-single-flaw

Adventures in Making and Breaking Hardware

Adventures in Making and Breaking Hardware
Andrew “bunnie” Huang

For over a decade, Andrew “bunnie” Huang, one of the world’s most esteemed hackers, has shaped the fields of hacking and hardware, from his cult-classic book Hacking the Xbox to the open-source laptop Novena and his mentorship of various hardware startups and developers. In The Hardware Hacker, Huang shares his experiences in manufacturing and open hardware, creating an illuminating and compelling career retrospective. Huang’s journey starts with his first visit to the staggering electronics markets in Shenzhen, with booths overflowing with capacitors, memory chips, voltmeters, and possibility. He shares how he navigated the overwhelming world of Chinese factories to bring chumby, Novena, and Chibitronics to life, covering everything from creating a Bill of Materials to choosing the factory to best fit his needs. Through this collection of personal essays and interviews on topics ranging from the legality of reverse engineering to a comparison of intellectual property practices between China and the United States, bunnie weaves engineering, law, and society into the tapestry of open hardware. With highly detailed passages on the ins and outs of manufacturing and a comprehensive take on the issues associated with open source hardware, The Hardware Hacker is an invaluable resource for aspiring hackers and makers.

https://www.nostarch.com/hardwarehacker


Rootkits and Bootkits: new chapter available

An update on this book: the early-access ebook edition has a new chapter on UEFI BIOS vulnerabilities, and No Starch has a 30% off earlybird discount:

No Starch Press: Rootkits and Bootkits

https://www.nostarch.com/rootkits

Position Independent Executables for ARM

Alexandre Belloni submitted a patch series to the Linux kernel mailing list that adds support for running Position Independent Executables (PIEs) on ARM:

Embedding Position Independent Executables:
This series introduces Position Independent Executables (PIEs) for the ARM architecture. The main goal is to avoid having to write low level code in assembly as this is currently the case for suspend/resume. Multiple platforms will benefit from this infrastructure: at91, rockchip, sunxi, am335x. I’ve still avoided using the ELF header itself to be more efficient. For example, for atmel, the PIE is 66772 bytes when embedded in an ELF versus 344 bytes standalone. This is working properly because the PIE is self standing and correctly padded.

Changes in v2:
 – handle big endian
 – handle gcov and ftrace by disabling them before compiling the PIE
 – get the alignment from the original ELF to ensure the PIE is properly aligned in SRAM
 – stop using fncpy
 – rebased on v4.7-rc1


https://lkml.org/lkml/2016/6/28/989