ACPI exploit POC for Ubuntu

[Update: added Dmytro tweet URL.]

From the OSS-Security mailing list. I wonder what other Linux distros have this issue, besides Ubuntu?

[…] I noticed that Ubuntu 18.04’s 4.15 kernels forgot to protect efivar_ssdt with lockdown, making that a vector for disabling lockdown on an efi secure boot machine. I wrote a little PoC exploit to demonstrate these types of ACPI shenanigans: […]

This exploit takes advantage of the efivar_ssdt entry point for injecting acpi tables into Ubuntu Bionic 18.04 kernels, where efivar_ssdt is not protected by kernel lockdown. The result is that one can subsequently load unsigned kernel drivers into systems with Secure Boot enabled, without needing to sign the modules.[…]

https://www.openwall.com/lists/oss-security/2020/06/14/1

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
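
A defender-side check for the vector described above, as an added example that is not from the original post or the linked PoC: `efivar_ssdt=` is the kernel boot parameter that names an EFI variable holding an SSDT to load, so this script flags it on the running kernel's command line and in GRUB configuration. The GRUB paths used with `--live` are assumed typical for Ubuntu, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host for use of the efivar_ssdt= boot parameter.

# Print the value of efivar_ssdt= found in a kernel command line string.
# Exit status 0 when the parameter is present, 1 otherwise.
# Runs in a subshell with globbing off so odd tokens are not expanded.
ssdt_param() (
    set -f
    for word in $1; do
        case "$word" in
            efivar_ssdt=*) printf '%s\n' "${word#efivar_ssdt=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Print every file under the given paths that mentions efivar_ssdt=.
# Missing paths are skipped; "no match" is not treated as an error.
configs_with_ssdt() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        grep -rl -- 'efivar_ssdt=' "$path" 2>/dev/null || true
    done
}

# audit CMDLINE_FILE [CONFIG_PATH...]
# Returns 1 if the parameter is in use anywhere, 0 if not.
audit() {
    cmdline_file=$1; shift
    status=0
    if name=$(ssdt_param "$(cat "$cmdline_file")"); then
        echo "FINDING: running kernel booted with efivar_ssdt=$name"
        status=1
    fi
    # Assumes config file names contain no whitespace.
    for f in $(configs_with_ssdt "$@"); do
        echo "FINDING: $f sets efivar_ssdt="
        status=1
    done
    [ "$status" -eq 0 ] && echo "OK: no efivar_ssdt= usage found"
    return "$status"
}

# Live-system defaults (assumed typical Ubuntu/GRUB locations).
if [ "${1:-}" = "--live" ]; then
    audit /proc/cmdline /etc/default/grub /etc/default/grub.d /boot/grub/grub.cfg
fi
```

Run it with `--live` on a host; a finding on a Secure Boot machine that does not intentionally load an SSDT from an EFI variable warrants a closer look at who changed the boot configuration.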
