DumpPartInfo

June 22, 2017 ~ hucktech ~ Leave a comment

Hao Wu of Intel posted a patch to EDK2 which provides support for UEFI’s “EFI Partition Infomation Protocol”, and includes a DumpPartInfo tool:

Add the EFI Partition Information Protocol per the latest UEFI spec.

Test for the series:
A simple application called ‘DumpPartInfo’ is used to dump the contents of the Partition Information protocols when the following devices are attached:
a. MBR Hard disk
b. GPT Hard disk
c. CDROM

The source of the application and the series is available at:
https://github.com/hwu25/edk2 branch:partition_info_test

8 files changed, 216 insertions(+), 88 deletions(-)

Dmytro on PCI-E/SMM vulnerability

June 22, 2017 ~ hucktech ~ Leave a comment

Dmytro has an interesting 6-part twitter post on PCI-e security:

Rogue PCI-E/FireWire/Thunderbolt/etc. device can exploit platform firmware vulns to execute arbitrary System Management Mode code [1/x] pic.twitter.com/CueD3ke0yb

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

Normally SMM memory is protected against rogue DMA using TSEGMB register, discovered vulnerability allows to break this mechanism [2/x]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

For most of computers with Intel chips SMM code execution means that attacker can infect platform firmware with persistent rootkit [3/x]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

Vulnerability exists because of design flaws in Intel reference code, it presents in EFI 2.x firmware of almost all new computers [4/x]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

Apple is only one vendor so far who not vulnerable for sure (they're know how to cook PCI-E and IOMMU properly :)) [5/x]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

FPGA powered toolkit which implements the attack was tested on Intel NUC 6i3SYH. Test setup pic: https://t.co/59eEwsy2qa [6/6]

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

I discovered this vuln a while ago but had no FPGA knowledge to craft the hardware which can exploit it. Now I can report it to Intel 🙂

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 22, 2017

Hex Editors

June 22, 2017June 22, 2017 ~ hucktech ~ Leave a comment

If you don’t have a good hex editor, here aer two recent posts by two different authors give their opinion on current state-of-the-art of hex editors:

http://www.basicinputoutput.com/2017/06/a-survey-of-hex-editors.html

Hex viewers and editors

FWTS 17.06.00 released

June 22, 2017 ~ hucktech ~ Leave a comment

Alex Hung of Canonical.com announced the 17.06.00 release of FWTS (FirmWare Test Suite).

New Features:
* ACPICA: Update to version 20170531
* olog: olog.json: Update OPAL skiboot errors to check on olog scan
* bios: mtrr: print out actual default type of MTRR

See the full announcement for the list of bugs fixed in this release.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V17.06.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.06.00

Umap2: USB host security assessment tool

June 19, 2017 ~ hucktech ~ Leave a comment

Umap2 is the second revision of NCC Group’s python based USB host security assessment tool. This revision will have all the features that were supported in the first revision:

* umap2emulate – USB device emulation
* umap2scan – USB host scanning for device support
* umap2detect – USB host OS detection (no implemented yet)
* umap2fuzz – USB host fuzzing

In this revision there will be some additional features:

* USB host fuzzing uses kitty as fuzzing engine
* Umap2 not only contains executable scripts, but is also installed as a package and may be used as a library

Umap2 is developed by NCC Group and Cisco SAS team.[…]

https://github.com/nccgroup/umap2
http://goodfet.sourceforge.net/hardware/facedancer21/

See-also:

Free Idea: a QEMU Facedancer fuzzer https://t.co/Cbz2jxx4tI via @NewsBlur

— Diego Elio Pettenò (@flameeyes) June 19, 2017

https://blog.flameeyes.eu/2017/06/free-idea-a-qemu-facedancer-fuzzer/

EFI.js: JavaScript for UEFI

June 18, 2017 ~ hucktech ~ Leave a comment

EFI.js is a runtime environment for UEFI built on:
* V8 JavaScript Engine
* GNU EFI
* musl C Standard Library
* libc++

Building requirements:
* macOS 10.12 Sierra
* Lots of powerful CPU cores
* Lots of RAM

https://github.com/seiyanuta/v8-uefi-test

Debian 9 “Stretch” released

June 18, 2017 ~ hucktech ~ Leave a comment

Excerpts of announcement included below. For full announcement, see the debian-announce mailing list archives.

After 26 months of development the Debian project is proud to present its new stable version 9 (code name “Stretch”), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team. Debian 9 is dedicated to the project’s founder Ian Murdock, who passed away on 28 December 2015.

The UEFI (“Unified Extensible Firmware Interface”) support first introduced in “Wheezy” continues to be greatly improved in “Stretch”, and also supports installing on 32-bit UEFI firmware with a 64-bit kernel. The Debian live images now include support for UEFI booting as a new feature, too.

A total of ten architectures are supported: 64-bit PC / Intel EM64T / x86-64 (amd64), 32-bit PC / Intel IA-32 (i386), 64-bit little-endian Motorola/IBM PowerPC (ppc64el), 64-bit IBM S/390 (s390x), for ARM, armel and armhf for older and more recent 32-bit hardware, plus arm64 for the 64-bit “AArch64” architecture, and for MIPS, in addition to the two 32-bit mips (big-endian) and mipsel (little-endian), there is a new mips64el architecture for 64-bit little-endian hardware. Support for 32- bit Motorola/IBM PowerPC (powerpc) has been removed in “Stretch”.

https://www.debian.org/News/2017/20170617
http://ftp.debian.org/debian/doc/dedication/dedication-9.0.txt
https://www.debian.org/releases/stretch/installmanual
https://www.debian.org/releases/stretch/releasenotes

CHIPSEC in BlackArch Linux

June 18, 2017 ~ hucktech ~ Leave a comment

It has been in there for a while, but I don’t think I’ve seen an announcement.

https://github.com/BlackArch/blackarch/issues/1568
https://github.com/BlackArch/blackarch/tree/master/packages/chipsec
https://www.blackarch.org/tools.html
https://www.blackarch.org/hardware.html
https://www.blackarch.org/downloads.html

So you can use LUV-live to use CHIPSEC in a batch mode, or you can use BlackArch live to use CHIPSEC in an interactive mode.

PS: Kali status:
https://bugs.kali.org/view.php?id=3940
https://github.com/chipsec/chipsec/wiki/Using-CHIPSEC-with-Kali-Linux

Daniel Gruss: Software-based Microarchitectural Attacks

June 17, 2017 ~ hucktech ~ Leave a comment

PhD thesis: https://t.co/QAQBfn6L7J, defense slides: https://t.co/qAFx8N2qaq #cta #dedup.js #flushflush #rowhammer.js #ARMageddon #prefetch

— Daniel Gruss (@lavados) June 15, 2017

Daniel Gruss
Software-based Microarchitectural Attacks
PhD Thesis
[…]This thesis consists of two parts. In the first part, we provide background on modern processor architectures and discuss state-of-the-art attacks and defenses in the area of microarchitectural side-channel attacks and microarchitectural fault attacks.[…]

Click to access phd_defense_slides.pdf

Click to access phd_thesis.pdf

HPE increases ProLiant firmware security

June 17, 2017 ~ hucktech ~ Leave a comment

Exclusive! HPE's custom silicon enables security at the firmware level https://t.co/wfXxC3KKE4 pic.twitter.com/A7brAEGs8y

— Sue O’Dell (@SBG_SueGriffin) June 16, 2017

HPE’s Gen10 Servers Will Have Security Drilled into Silicon

by Christine Hall on June 12, 2017

Hewlett Packard Enterprise unveiled Gen10 at Discover in Las Vegas last week, the first major upgrade to its ProLiant line of servers since Gen9 was released in 2014. While the release of a new server is generally not very interesting in this age of commodity hardware, this one is a bit more notable as it has some interesting security features built into the hardware. The announcement was made by Alain Andreoli, head of HPE’s infrastructure group, with no shortage of hyperbole: “We have definitively created the world’s most secure industry standard server.” The security feature works at the firmware level, utilizing custom HPE silicon. “In each Gen10 server we have created a unique individual fingerprint for the silicon,” Andreoli explained. “Your server will not boot unless the firmware matches this print — it is just locked end to end.”[…]

http://www.datacenterknowledge.com/archives/2017/06/12/hpes-gen10-servers-will-have-security-drilled-into-silicon/

Project IceStorm and iCEstick

June 17, 2017 ~ hucktech ~ Leave a comment

Plus the @latticesemi iCEstick with the open source tool chain is a really neat alternative https://t.co/ywLEhuUpfh

— Joe Fitz (@securelyfitz) June 15, 2017

Project IceStorm now supports all 23 iCE40 LP/HX 1K/4K/8K variants. https://t.co/I37cf8eeRw pic.twitter.com/2oDNWZPxjp

— Claire Xen 🏳️‍⚧️🧙🏻‍♀️ 💖💛💙 BLM 🏴🚩 (@oe1cxw) February 7, 2016

Project IceStorm aims at reverse engineering and documenting the bitstream format of Lattice iCE40 FPGAs and providing simple tools for analyzing and creating bitstream files. The IceStorm flow (Yosys, Arachne-pnr, and IceStorm) is a fully open source Verilog-to-Bitstream flow for iCE40 FPGAs. The focus of the project is on the iCE40 LP/HX 1K/4K/8K chips. (Most of the work was done on HX1K-TQ144 and HX8K-CT256 parts.)

Project IceStorm

The iCEstick Evaluation Kit is an easy to use, small size board that allows rapid prototyping of system functions at a very low cost using Lattice Semiconductor’s iCE40 FPGA family.

http://www.latticesemi.com/icestick

bingrep

June 17, 2017 ~ hucktech ~ Leave a comment

bingrep https://t.co/l66z5sujin

— dragosr (@dragosr) June 11, 2017

Bingrep: Greps through binaries from various OSs and architectures, and colors them. Current backends:

* ELF 32/64, arm, x86, openrisc – all others will parse and color, but relocations won’t show properly
* Mach 32/64, arm, x86
* PE (debug only)

https://github.com/m4b/bingrep

BinCAT: Binary Code Analysis Toolkit

June 17, 2017 ~ hucktech ~ Leave a comment

bincat: Binary code static analyser, with IDA integration #sstic https://t.co/6FaUxeU7ps

— Guillaume Valadon (@guedou) June 7, 2017

BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA. It features: value analysis (registers and memory), taint analysis, type reconstruction and propagation, and backward and forward analysis.

https://github.com/airbus-seclab/bincat

Manticore 0.1.2 released

June 17, 2017 ~ hucktech ~ Leave a comment

Manticore 0.1.2 has been released! Check out the new features and bugfixes in our changelog: https://t.co/kWv6ONqaB9 pic.twitter.com/JSWJlIyaTt

— Trail of Bits (@trailofbits) June 16, 2017

Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.

https://github.com/trailofbits/manticore/pull/306/files

Manticore: Symbolic execution for humans

Black Hat Briefings: Firmware is the New Black

June 17, 2017 ~ hucktech ~ Leave a comment

Map BIOS/UEFI firmware vulnerabilities for enhanced threat intelligence @bsdaemon & @vincentzimmer #BHUSA Briefing https://t.co/adwSFbsiym

— Black Hat (@BlackHatEvents) June 13, 2017

Firmware is the New Black – Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities
Bruce Monroe, Rodrigo Branco, Vincent Zimmer

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems – including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues – most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).

https://www.blackhat.com/us-17/briefings/schedule/index.html#firmware-is-the-new-black—analyzing-past-three-years-of-biosuefi-security-vulnerabilities-6924

Hardware is the new software

June 15, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/binitamshah/status/875375226690863105

Hardware is the new software
Andrew Baumann, Microsoft Research

Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about. This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.

Click to access baumann-hotos17.pdf

Building a USB analyzer with USB armory

June 15, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/osxreverser/status/875036408133627904

Armory Sandbox – Building a USB analyzer with USB armory
June 14, 2017
By Pedro Vilaca
Some time ago a friend received a mysterious USB pen with a note talking about some kind of heavily persistent malware. He had that USB pen stored untouched and of course my curiosity took over. Since one should never plug in unknown USB devices into a computer (well, any USB device we purchase is unknown but that is another story) and I didn’t want to “burn” a computer just to take a look at the contents I decided to use my USB armory to build an air gap sandbox that would be harder to infect and for malware to escape from it.[…]

https://sentinelone.com/blogs/armory-sandbox-building-usb-analyzer-usb-armory/

Maxim security issue?

June 15, 2017 ~ hucktech ~ Leave a comment

Steve Bush has a new blog post on Electronics Weekly:

One I missed: easy security in a single chip:

I took my eye off the ball last year and missed a single chip public key cryptography processor IC from Maxim, aimed at folk who don’t have a deep knowledge in security. The firm’s claim is that: customers don’t need to write firmware and they get a comprehensive set of crypto services, secure key storage and easy certificates distribution. […]

One I missed: easy security in a single chip

https://www.maximintegrated.com/en/products/digital/microcontrollers/MAXQ1061.html

CherryBlossom

June 15, 2017 ~ hucktech ~ Leave a comment

New #Wikileaks release: Cherry Blossom MITM system in implanted router devices https://t.co/DVkI5Bc0z2 #Vault7 #CherryBlossom pic.twitter.com/P82Hoa0Vho

— x0rz (@x0rz) June 15, 2017

[…] CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for “Man-In-The-Middle” attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user. The wireless device itself is compromized by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap.[…]

https://wikileaks.org/vault7/#Cherry%20Blossom

AMD updates Server Optimization Guide

June 15, 2017 ~ hucktech ~ Leave a comment

#AMD released the Software Optimization Guide 3.00 for AMD Family 17h Processors #Ryzen https://t.co/UbUsUWj8K7 pic.twitter.com/039H6ZrDtq

— InstLatX64 (@InstLatX64) June 14, 2017

Software Optimization Guide for AMD Family 17h Processors
Publication No. 55723 3.00
Revision Date June 2017

Click to access 55723_SOG_Fam_17h_Processors_3.00.pdf