ACPI exploit POC for Ubuntu

[Update: added Dmytro tweet URL.]

From the OSS-Security mailing list. I wonder what other Linux distros have this issue, besides Ubuntu?

[…]I noticed that Ubuntu 18.04’s 4.15 kernels forgot to protect efivar_ssdt with lockdown, making that a vector for disabling lockdown on an efi secure boot machine. I wrote a little PoC exploit to demonstrate these types of ACPI shenanigans:[…]

This exploit takes advantage of the efivar_ssdt entry point for injecting acpi tables into Ubuntu Bionic 18.04 kernels, where efivar_ssdt is not protected by kernel lockdown. The result is that one can subsequently load unsigned kernel drivers into systems with Secure Boot enabled, without needing to sign the modules.[…]
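A defender-side check for the condition described above, as an added example that is not part of the original post or the PoC: it flags a host whose kernel was booted with an `efivar_ssdt=` parameter while Secure Boot is enabled. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names, the `AUDIT_LIVE` switch and the `SB_VAR` override are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original post or the PoC).
# SecureBoot lives under the EFI global-variable GUID in efivarfs (assumed mount point).
SB_VAR="${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"

# Print the value of efivar_ssdt= found in a kernel command line string.
# Exit status 0 when the parameter is present, 1 otherwise.
# Runs in a subshell so that disabling globbing does not leak to the caller.
ssdt_param() (
    set -f
    for tok in $1; do
        case "$tok" in
            efivar_ssdt=?*) printf '%s\n' "${tok#efivar_ssdt=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Return 0 when the efivarfs SecureBoot file says Secure Boot is enabled.
# efivarfs prefixes the value with 4 attribute bytes; byte 5 is the flag.
secure_boot_on() {
    [ -r "$1" ] || return 1
    flag=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    [ "$flag" = "1" ]
}

# Classify a host. $1 = kernel command line, $2 = path to the SecureBoot file.
audit() {
    if var=$(ssdt_param "$1"); then
        if secure_boot_on "$2"; then
            echo "ALERT: efivar_ssdt=$var with Secure Boot enabled"
        else
            echo "WARN: efivar_ssdt=$var (Secure Boot not enabled)"
        fi
    else
        echo "OK: no efivar_ssdt parameter"
    fi
}

# Live check on a Linux host: run with AUDIT_LIVE=1.
if [ "${AUDIT_LIVE:-0}" = 1 ] && [ -r /proc/cmdline ]; then
    audit "$(cat /proc/cmdline)" "$SB_VAR"
fi
```

An ALERT result means the boot configuration deserves review: on a kernel where this parameter is not covered by lockdown, an SSDT loaded this way is outside what Secure Boot verifies.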
