Intel: efiwrapper, library which simulates a UEFI firmware implementation

August 21, 2018 ~ hucktech ~ Leave a comment

EfiWrapper is a library which simulate a UEFI firmware implementation. Its first purpose is to run a subset of the Kernelflinger OS loader to run in a non-UEFI environment.

https://github.com/intel/efiwrapper

Created about 2 years ago. Recently updated.

Intel-microcode has license that prevents redistribution

August 21, 2018 ~ hucktech ~ Leave a comment

In case technical issues weren’t enough, the lawyers at Intel have apparently made it more difficult for some open source operating systems to use the latest Intel microcode.

https://twitter.com/stevelord/status/1031819787431804928

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906158

https://bugs.gentoo.org/664134

Remember the @Intel microcode EULA that we mentioned just prior? Section 3(v) prohibits all third party benchmarking! This license file is distributed with https://t.co/p77wYA43HX , see https://t.co/uya2r1BFPJ for an archive copy. @FSF @FSFe this is why open µcode is important!

— Raptor Engineering (@RaptorEng) August 21, 2018

PS: AMD is apparently still blocked at technical issues:

AMD still has not uploaded the latest microcode updates to the Linux firmware repository [1]. It’s time AMD takes security seriously. See the analysis in Mike’s comment from August 20th [2]. @AMD

[1]: https://t.co/936epQGXgl
[2]: https://t.co/TObiV3kjtL

— Paul Menzel (@pmenzel_molgen) August 20, 2018

https://github.com/pcengines/apu2-documentation/issues/75

android-efi: x86 bootloader

August 20, 2018 ~ hucktech ~ Leave a comment

android-efi is a simple x86 EFI bootloader for Android™ boot images. It accepts the partition GUID and/or path of an Android boot image on the command line, loads the kernel, ramdisk and command line and finally hands over control to the kernel.

https://github.com/me176c-dev/android-efi

No SGX on Intel Android

August 20, 2018 ~ hucktech ~ Leave a comment

An Intel response to a question about SGX support on Celadon (Intel’s flavor of Android, tuned for Intel systems):

“By now there is no plan to support SGX for Android. Hope it clarifies.”

https://lists.01.org/pipermail/celadon/2018-August/001280.html

_Three_ Lenovo rootkit variants?

August 20, 2018 ~ hucktech ~ Leave a comment

_Three_ Lenovo rootkit variants? https://t.co/YE7fb8S5qF

— Roger Thompson (@tcsl) August 20, 2018

https://tcsltesting.blogspot.com/2018/08/three-lenovo-rootkit-versions.html

From Thompson Cyber Security Labs: https://armor.ai/

Manufacturers analyzed: {‘Toshiba’, ‘Acer’, ‘Lenovo’, ‘Asrock’, ‘Desenvolvida por Positivo Informatica SA’, ‘Razer’, ‘Clevo’, ‘American Megatrends Inc./Advantech’, ‘American Megatrends Inc.’, ‘LG Electronics’, ‘Dell’, ‘ASUSTeK’, ‘Gygabyte’, ‘Intel’, ‘Sony’, ‘Hewlett-Packard’, ‘Apple Inc.’}

Total firmware analyzed: 550

Total firmware with portable executables analyzed: 515

Total portable executables analyzed: 131289

Total portable executables triggering one heuristic: 20964

Total portable executables triggering more than one heuristic: 3178

Average portable executables per ROM: 254

Average portable executables triggering heuristic per ROM: 40

Average portable executables triggering more than one heuristic per ROM: 6

A Universal Windows Bootkit: An analysis of the MBR bootkit referred to as “HDRoot”

August 20, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/subTee/status/1030991146338533377

http://williamshowalter.com/a-universal-windows-bootkit/

barbie’s notes – Firmware 101: Extracting the Firmware

August 20, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/barbieauglend/status/1030868222701174784

Extracting the Firmware

In the last post, we discussed how to find important information about how to communicate with the device’s. In this post, we are going to describe the standard approch of getting the code we want to reverse and use the information we collected before.[…]

https://barbieauglend.github.io/2018-07-23-hardware_101/

https://barbieauglend.github.io/2018-08-03-firmware_101/

Dependencies – An open-source modern Dependency Walker for Windows

August 20, 2018 ~ hucktech ~ Leave a comment

For those who missed the mention in @cppcast I want to give a shout out to Dependencies, the reimplementation of the good old Dependency Walker.
It's much faster and handles both 32 and 64 bits in the same app.https://t.co/z9R6nI3O8S

— Mathieu Ropert (@MatRopert) August 18, 2018

A rewrite of the old legacy software “depends.exe” in C# for Windows devs to troubleshoot dll load dependencies issues.

https://github.com/lucasg/Dependencies

Haven and evil maids

August 18, 2018 ~ hucktech ~ Leave a comment

https://github.com/guardianproject/haven

https://play.google.com/store/apps/details?id=org.havenapp.main

https://guardianproject.github.io/haven/

https://irishtechnews.ie/dealing-with-evil-maid-exploits-and-how-to-protect-your-company/

Dealing with Evil Maid exploits and how to protect your company.
Giulio D’Agostino
August 18, 2018
CyberSecurityMalwareSecurity

An Evil Maid assault is when a device has physically tampered without the device owner’s knowledge. Evil Maid attacks where a bootloader has been installed onto the victim’s computer which defeats full disk encryption. Now, however, thanks to solutions like Edward Snowden’s new Android program, which is called Haven, people can help prevent Evil Maid strikes and protect their devices from physical tampering while they’re not present.[…]This program is vital for those that have sensitive information on their devices and need extra protection against Evil Maid attacks. […]

Seealso: YONTMA and DoNotDisturb

DoNotDisturb: now with email support (and YONTMA)

SpeculationControl: PowerShell script

August 18, 2018 ~ hucktech ~ Leave a comment

I created a github repo for the SpeculationControl PowerShell script: https://t.co/zkk8jUUvZ8

— Matt Miller (@epakskape) August 17, 2018

SpeculationControl is a PowerShell script that summarizes the state of configurable Windows mitigations for various speculative execution side channel vulnerabilities, such as CVE-2017-5715 (Spectre variant 2) and CVE-2017-5754 (Meltdown). For an explanation on how to interpret the output of this tool, please see Understanding Get-SpeculationControlSettings PowerShell script output.[…]

https://github.com/Microsoft/SpeculationControl

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

hvpp: lightweight C++ Intel x64/VT-x hypervisor for Windows

August 18, 2018 ~ hucktech ~ Leave a comment

I hope I'm not too late to the party, but here's my take at hypervisors – meet hvpp, the simple x64/VT-x hypervisor for Windows.https://t.co/zLB2Vypirk

Repo includes example which shows CPUID interception and hiding of user-mode hooks via EPT.

— Petr Beneš (@PetrBenes) August 17, 2018

https://github.com/wbenny/hvpp

NVMe Firmware: I Need Your Data

August 18, 2018 ~ hucktech ~ Leave a comment

[…]The NVMe ecosystem is pretty new, and things like “what version number firmware am I running now” and “is this firmware OEM firmware or retail firmware” are still queried using vendor-specific extensions. I only have two devices to test with (Lenovo P50 and Dell XPS 13) and so I’m asking for some help with data collection. Primarily I’m trying to find out what NMVe hardware people are actually using, so I can approach the most popular vendors first (via the existing OEMs). I’m also going to be looking at the firmware revision string that each vendor sets to find quirks we need — for instance, Toshiba encodes MODEL VENDOR, and everyone else specifies VENDOR MODEL.[…]

NVMe Firmware: I Need Your Data

https://plus.google.com/+RichardHughes/posts/Wqqtots46aA

Eclypsium presentations from Blackhat and DEF CON uploaded

August 16, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/08/10/eclypsium-remotely-attacking-system-firmware/

Click to access DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

Click to access BH2018_REMOTELY_ATACKING_SYSTEM_FIRMWARE_FINAL.pdf

Progress bar: loading and installing persistent UEFI firmware implant remotely 😁😁😁…

before BitLocker, System Guard, Credential Guard or other SW defenses, before the OS!

Remote UEFI exploit by @jessemichael @HackingThings @ABazhaniuk at #BHUSA

Demo https://t.co/V8LP4FE9M4 pic.twitter.com/Vhg2wntQOh

— Yuriy Bulygin (@c7zero) August 16, 2018

Slides of "UEFI Exploitation for the Masses" #DEFCON26 talk. @HackingThings and @jessemichael showed how to debug exploits in UEFI system firmware: https://t.co/fjlGzucote pic.twitter.com/OjdsIkgtiD

— Alex Bazhaniuk (@ABazhaniuk) August 16, 2018

Slides of our "Remotely Attacking System Firmware" #Blackhat2018 presentation. We demonstrated 100% reliable RCE exploit in the UEFI system firmware : https://t.co/iL6nZpwSnf // with @HackingThings @jessemichael pic.twitter.com/L4WB8apPry

— Alex Bazhaniuk (@ABazhaniuk) August 16, 2018

Black Hat presentation: https://t.co/rOTwxwv3H6 [PDF]

DEFCON presentation with additional details: https://t.co/xBP9lo4PQ6 [PDF]

— Yuriy Bulygin (@c7zero) August 16, 2018

more on Intel-SA-00161

August 16, 2018 ~ hucktech ~ 2 Comments

Re: https://firmwaresecurity.com/2018/08/15/intel-sa-00161-l1-terminal-fault-l1tf-speculative-execution-side-channel-attack-foreshadow/

and https://firmwaresecurity.com/2018/08/15/more-on-intel-sa-00161/ :

Update from Intel:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

https://careers.tenable.com/blogs/tenable-blog-548d2213-b14f-4795-a028-c85ba38381df/foreshadow-speculative-execution-attack-targets-intel-sgx

https://twitter.com/juanrga/status/1029678537790423040

https://www.amd.com/en/corporate/security-updates

https://www.tenable.com/plugins/nessus/111703

https://www.trendmicro.com/vinfo/in/security/news/vulnerabilities-and-exploits/foreshadow-l1tf-intel-processor-vulnerabilities-what-you-need-to-know

more on Intel-SA-00161

August 15, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/08/15/intel-sa-00161-l1-terminal-fault-l1tf-speculative-execution-side-channel-attack-foreshadow/

https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability)
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html
https://support.microsoft.com/en-us/help/4343909/windows-10-update-kb4343909
https://xenbits.xen.org/xsa/advisory-273.html
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
https://blogs.oracle.com/oraclesecurity/intel-l1tf
https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities
https://kb.vmware.com/s/article/55636
https://blogs.vmware.com/security/2018/08/new-vmware-security-advisory-vmsa-2018-0022-and-updated-security-advisory-vmsa-2018-0019-1.html
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03874en_us
https://blog.rapid7.com/2018/08/14/patch-tuesday-august-2018/
https://lkml.org/lkml/2018/8/14/885
https://www.suse.com/support/kb/doc/?id=7023077
https://marc.info/?l=openbsd-tech&m=153431475429367&w=2

Intel-SA-00161: L1 Terminal Fault (L1TF) speculative execution side-channel attack (Foreshadow)

August 15, 2018 ~ hucktech ~ 1 Comment

Following seven months of responsible disclosure, we are happy to announce that our Foreshadow attack is now public https://t.co/4hL8XryEYz.

Work with @MarinaMinkin @ofir1942 @jovanbulck @raoul_strackx @bariskasikci @ThomasWenisch Mark Silberstein, Daniel Genkin, Frank Piessens pic.twitter.com/T8GkpURJs5

— Yuval Yarom (@yuvalyarom) August 14, 2018

Security researchers have identified a speculative execution side-channel method called L1 Terminal Fault (L1TF). This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.[…]

https://foreshadowattack.eu/

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html

https://access.redhat.com/security/vulnerabilities/L1TF

https://www.redhat.com/en/blog/understanding-l1-terminal-fault-aka-foreshadow-what-you-need-know

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://www.us-cert.gov/ncas/current-activity/2018/08/14/Intel-Side-Channel-Vulnerability

Linux UEFI firmware updates via LVFS at Linaro Connect

August 14, 2018 ~ hucktech ~ Leave a comment

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images using UEFI Capsules and the Firmware Management Protocol (FMP). This session describes the EFI Development Kit II (EDK II) capsule implementation, implementing FMP using FmpDevicePkg, creating Signed UEFI Capsules using open source tools, and an update workflow based on the Linux Vendor Firmware Service (fwupd.org).

https://yvr18.pathable.com/meetings/740447

http://connect.linaro.org/schedule/

https://fwupd.org/

USENIX Security presentation on Meltdown uploaded

August 14, 2018 ~ hucktech ~ Leave a comment

Join our talk on "#Meltdown: Reading Kernel Memory from User Space" @USENIXSecurity on Thursday (#day2) – Find our updated paper here: https://t.co/xdb4LjCCe4 /cc @misc0110 @lavados @gonzodaruler @anders_fogh @tehjh @StefanMangard @yuvalyarom #usesec18 pic.twitter.com/rqrOMJJBiX

— Moritz Lipp (@mlqxyz) August 14, 2018

https://mlq.me/download/meltdown.pd

mOSL: Bash script to audit and fix macOS High Sierra (10.13.x) security settings

August 14, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/0x0304/status/1028933297135661056

Settings that can be audited/ fixed:

enable automatic updates
enable gatekeeper
enable firewall
enable admin password preferences
enable terminal secure entry
disable firewall builin software
disable firewall downloaded signed
disable ipv6
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check SIP
check kext loading consent
check EFI integrity
check filevault
check firmware password set

https://github.com/0xmachos/mOSL

USB Charging Actually Poses Security Risks – Hacking a Laptop via a USB-C Adapter

August 14, 2018 ~ hucktech ~ Leave a comment

USB Charging Actually Poses Security Risks – Hacking a Laptop via a USB-C Adapter https://t.co/tYUwmglj17

— CNX Software (@cnxsoft) August 14, 2018

Smartphones have been charged over USB for many years, but with the advance of USB type-C now even laptops may be charged over USB, instead of the typical DC power barrel jack.[…]

https://www.cnx-software.com/2018/08/14/usb-charging-security-risks/