Signing boot images for Android Verified Boot

Signing boot images for Android Verified Boot (AVB)
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.

Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.

Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM’s keys). This depends on the device, bootloader version, and bootloader unlock state. For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM’s.

Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.[…]

https://forum.xda-developers.com/android/software-hacking/signing-boot-images-android-verified-t3600606

More Info:
https://source.android.com/security/verifiedboot/
https://source.android.com/security/verifiedboot/verified-boot
http://blog.andrsec.com/android/2016/03/26/android-verified-boot.html
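The "old way" the post refers to is the AOSP BootSignature scheme: the signer hashes the page-aligned header + kernel + ramdisk + second-stage region of the boot image together with a small DER "authenticatedAttributes" structure (target partition name and signed length), RSA-signs that, and appends the signature blob after the image. The following is an added example, not code from the XDA post or from AOSP, that reproduces the two pieces a practitioner needs to check a signed image by hand: the signable length derived from the v0 boot header, and the attributes that bind the signature to a partition name and length. The private-key step is deliberately left out; the sample image and its sizes are constructed here.

```python
"""Added example (not from the XDA post or AOSP): computes the region of an
Android boot image that the legacy BootSignature scheme signs, and the
authenticated attributes that are appended to it before signing."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"


def signable_image_size(image: bytes) -> int:
    """Page-aligned length of header + kernel + ramdisk + second stage, i.e.
    the bytes the boot signature covers. Follows the size rule of the AOSP
    BootSignature tool (assumption: boot image header v0)."""
    if image[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    # header v0 after the magic: kernel_size, kernel_addr, ramdisk_size,
    # ramdisk_addr, second_size, second_addr, tags_addr, page_size (LE u32)
    (kernel_size, _ka, ramdisk_size, _ra, second_size, _sa, _ta,
     page_size) = struct.unpack_from("<8I", image, 8)
    if page_size == 0:
        raise ValueError("page_size is zero")

    def pages(n: int) -> int:
        return (n + page_size - 1) // page_size

    length = page_size * (1 + pages(kernel_size) + pages(ramdisk_size)
                          + pages(second_size))
    if length <= 0 or length > len(image):
        raise ValueError("header describes more data than the file holds")
    return length


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder: tag, definite-form length, content."""
    n = len(content)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        nb = (n.bit_length() + 7) // 8
        hdr = bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big")
    return hdr + content


def _der_integer(value: int) -> bytes:
    if value < 0:
        raise ValueError("negative length")
    # minimal big-endian encoding with a leading 0x00 when the top bit is set
    return _der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def authenticated_attributes_der(target: str, length: int) -> bytes:
    """SEQUENCE { target PrintableString, length INTEGER }. Signing these
    together with the image stops a signature being replayed for another
    partition or a truncated image."""
    return _der_tlv(0x30, _der_tlv(0x13, target.encode("ascii"))
                    + _der_integer(length))


def digest_to_sign(image: bytes, target: str) -> str:
    """SHA-256 over signable image + attributes. The real tool passes this
    data to SHA256withRSA (PKCS#1 v1.5); the private-key step is omitted."""
    length = signable_image_size(image)
    data = image[:length] + authenticated_attributes_der(target, length)
    return hashlib.sha256(data).hexdigest()


def has_signature_trailer(image: bytes) -> bool:
    """True if data follows the signable region and starts like a DER
    SEQUENCE, where the AndroidVerifiedBootSignature blob is appended."""
    length = signable_image_size(image)
    return len(image) > length and image[length] == 0x30


def build_sample_image(page_size: int = 2048, kernel: bytes = b"K" * 5000,
                       ramdisk: bytes = b"R" * 3000) -> bytes:
    """Constructed, unsigned v0 boot image with no second stage."""
    hdr = BOOT_MAGIC + struct.pack("<8I", len(kernel), 0x10008000,
                                   len(ramdisk), 0x11000000, 0, 0, 0, page_size)

    def pad(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % page_size)

    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    img = build_sample_image()
    print(signable_image_size(img), has_signature_trailer(img),
          digest_to_sign(img, "/boot"))
```

To check a real signed image, compare `signable_image_size()` against the INTEGER inside the trailing blob's authenticatedAttributes and the target against the partition you are flashing; a mismatch means the signature was made for a different image or partition.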


Apple to prevent future firmware modifications?

“I have just come across a piece of news on a German tech news site that states that Apple is working on anti-firmware modifications that may affect future installations of macOS on Hackintosh: https://www.heise.de/newsticker/mel…r-Firmware-Modifikationen-warnen-3708495.html (if anyone has an alternative source in English please post it).”

https://www.tonymacx86.com/threads/anti-firmware-modification-from-apple.221647/


https://www.heise.de/security/meldung/macOS-Sierra-Apple-will-vor-Firmware-Modifikationen-warnen-3708495.html?wt_mc=rss.security.beitrag.rdf

ME Analyzer 1.11.1 released

ME Analyzer is a tool which can show various details about Intel Engine Firmware (Management Engine, Trusted Execution Engine, Service Platform Services) images. It can be used to identify whether the firmware is updated, healthy, what Release, Type, SKU it is etc.[…]

https://github.com/platomav/MEAnalyzer

http://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html#msg10191

http://www.win-raid.com/t840f39-ME-Analyzer-Intel-Engine-Firmware-Analysis-Tool.html#msg14803

Intel AMT story, continued

https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

https://github.com/CerberusSecurity/CVE-2017-5689

https://github.com/chipsec/chipsec/issues/212

https://support.lenovo.com/us/en/product_security/len-14963

http://en.community.dell.com/support-forums/laptop/f/3518/p/20011922/20995860

http://en.community.dell.com/techcenter/extras/m/white_papers/20443914

http://en.community.dell.com/techcenter/extras/m/white_papers/20443937

https://support.hp.com/us-en/document/c05507350

https://community.qualys.com/thread/17263-qids-or-scanning-advice-for-intel-amt-sa-00075

https://www.tenable.com/sc-dashboards/intel-sa-00075-detection

https://www.tenable.com/blog/intel-amt-vulnerability-detection-with-nessus-and-pvs-intel-sa-00075

https://vuldb.com/?id.100794

Intel AMT chip bug suspected backdoor, but likely coding error
[…]Some researchers accused the vulnerability of being a backdoor. Tatu Ylonen, the inventor of the Secure Shell protocol told SC Media Charlie Demerjan, the researcher who spotted the flaw, claims to have been in discussions over the bug with Intel for years urging them to fix it. “If his claim is true (I have no reason to doubt it but have no independent evidence), then it begins to sound very much like a backdoor,” Demerjan said. “I mean, if someone knows their product has a vulnerability that undermines the security of pretty much every enterprise server in the world and most security tools, wouldn’t they want to disclose it to the government, one of their biggest customers?”[…]

https://www.scmagazine.com/intel-amt-flaw-likely-just-coding-error/article/655449/

[…]What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option.

http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed

Red Hat Satellite GRUB UEFI PXE script

Satellite 6 TFTP boot file legacy grub conversion script

This script is used to convert the tftp boot files (found in /var/lib/tftpboot/pxelinux.cfg/) which are automatically generated by Satellite 6 into the old legacy grub format. Why is this useful? Recently I encountered some HP servers which have an additional 10GbE card in one of the PCI-E slots on the machine which is used for the PXE boot. Unfortunately this additional interface only supports UEFI boot and not classic BIOS boot. By default Satellite 6 uses the shim image for UEFI but this doesn’t work with the older Linux kernel used by RHEL6.X. If this script is executed on a capsule or satellite server which has TFTP enabled, it will automatically replace the boot files using the old format which gives a successful boot for RHEL6.

https://github.com/RedHat-Consulting-UK/sat6-efi-converter


coreboot 4.6 released!

Martin Roth posted a new entry on the coreboot blog announcing coreboot 4.6. His announcement is excerpted below; see the full announcement here:

Announcing coreboot 4.6

The full announcement is many pages long, too long to properly summarize.

“Since the last release in October 2016, the coreboot project had 1708 commits by 121 authors.”

There’s a new payload called cbui:

“We provide the libpayload project which is used for writing own payloads from scratch. The library is MOSTLY licensed under BSD and recently received new functionality in order to prepare for the upcoming replacement for the old nvramcui payload. This new payload is called cbui and is based on the nuklear graphics library including keyboard and mouse support. The cbui payload is currently expected to be merged into the main coreboot tree before the next release.  The upstream repository is here: https://github.com/siro20/coreboot/tree/cbui/payloads/cbui

coreboot now integrates me_cleaner into its build system, and has a new tool called blobtool:

“Fighting blobs and proprietary HW components: coreboot’s ultimate goal would be to replace any closed source firmware stack with free software components. Unfortunately this is not always possible due to signed binaries such as the Intel ME firmware, the AMD PSP and microcode. Recently, a way was discovered to let the Intel ME run in a functional error state and reduce it from 1.5/5MB to 80KB. It’s not perfect but it works from Nehalem up to Skylake based Intel systems. The tool is now integrated into the coreboot build system. The upstream repository is https://github.com/corna/me_cleaner

“Another ongoing improvement is the new utility blobtool. It is currently used for generating the flash descriptor and GbE configuration data on older mainboards which are known to be free software. It can easily be extended for different binaries with well-defined specifications.”

coreboot supports the Ada programming language:

“coreboot now supports Ada, and a lot of work was done integrating Ada into our toolchain. At the moment only the support for formal verification is missing and will be soon added. At that point, we can prove the absence of runtime errors in our Ada code. In short, everybody can start developing Ada code for our project. The existing Ada code which can be used from now on is another native graphics initialization which will replace in the long term the current implementation. The native graphics code supports all Intel platforms up to Skylake. We offer support for HDMI, VGA, DVI and DP external interfaces as well, and it is ready to be integrated into our mainboard implementations.”


https://www.coreboot.org/

Intel AMT story, continued

Business-class personal computers *ARE* impacted.


There is an Nmap NSE script that checks for CVE-2017-5689 now:

https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5689.nse

http://thehackernews.com/2017/05/intel-amt-vulnerability.html

https://www.ssh.com/vulnerability/intel-amt/

https://github.com/bartblaze/Disable-Intel-AMT

https://github.com/travisbgreen/intel_amt_honeypot

https://isc.sans.edu/forums/diary/Do+you+have+Intel+AMT+Then+you+have+a+problem+today+Intel+Active+Management+Technology+INTELSA00075/22364/

Intel ME: based on Minix?

https://twitter.com/lordbaco/status/861216983488004098

“[…]In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum :)[…]”

http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html

http://www.minix3.org/


Hidviz: GUI USB HID class device analyzer


Hidviz is a GUI application for in-depth analysis of USB HID class devices. The 2 main use cases of this application are reverse-engineering existing devices and developing new USB HID devices. USB HID class consists of many possible devices, e.g. mice, keyboards, joysticks and gamepads. But that’s not all! There are more exotic HID devices, e.g. weather stations, medical equipment (thermometers, blood pressure monitors) or even simulation devices […]


SPIflash

https://twitter.com/osxreverser/status/860539774402260993
Very fast reader for SPI flashes for Teensy 2.x.

Original code by Trammell Hudson.

Modifications and addons by Pedro Vilaça.

I have added a few new commands and options. Also added led flashing when dumping/uploading contents. I’m definitely not an AVR coder so excuse me some ugly things 🙂

To be used with Teensy 2.x devices (and maybe Chinese clones).

https://github.com/gdbinit/spiflash
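Once a SPI flash has been dumped with a reader like the one above, the first thing to do before handing the image to ME Analyzer (or me_cleaner) is to find where the ME/TXE region actually sits: the Intel Flash Descriptor at the start of the chip records the base and limit of each region. The following is an added example, not code from the spiflash repository, ME Analyzer or coreboot, that parses the descriptor's FLMAP0/FLREG registers and carves the ME region out of a dump; the 8 MiB sample dump and its region layout are constructed here, and the `$FPT` bytes are only a stand-in marker, not a real partition table.

```python
"""Added example (not from ME Analyzer, spiflash or coreboot): parse the
Intel Flash Descriptor at the start of an SPI dump and locate the ME/TXE
region so it can be carved out for analysis."""
import struct

# FLVALSIG 0x0FF0A55A, little-endian, stored at descriptor offset 0x10
FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"
# the five classic regions; newer descriptors define more, same encoding
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")


def parse_flash_regions(dump: bytes) -> dict:
    """Return {name: (base, limit)} for each region, or None where the
    descriptor marks the region unused (base above limit)."""
    pos = dump.find(FD_SIGNATURE)
    if pos < 0x10:
        raise ValueError("no flash descriptor signature found")
    fd = pos - 0x10                           # descriptor base address
    flmap0, = struct.unpack_from("<I", dump, fd + 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4       # Flash Region Base Address, x16
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        reg, = struct.unpack_from("<I", dump, fd + frba + 4 * idx)
        # 4 KiB granularity; 13 bits on older parts, 15 on newer ones
        base = (reg & 0x7FFF) << 12
        limit = (((reg >> 16) & 0x7FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)
    return regions


def carve_region(dump: bytes, name: str) -> bytes:
    """Slice one region out of the dump, refusing truncated dumps."""
    span = parse_flash_regions(dump).get(name)
    if span is None:
        raise ValueError(f"{name} region is not present in this descriptor")
    base, limit = span
    if limit >= len(dump):
        raise ValueError("descriptor points past the end of the dump "
                         "(truncated or partial read?)")
    return dump[base:limit + 1]


def build_sample_dump() -> bytes:
    """Constructed 8 MiB dump: descriptor 0x0-0xFFF, GbE 0x1000-0x2FFF,
    ME 0x3000-0x4FFFFF, BIOS 0x500000-0x7FFFFF, Platform Data unused."""
    dump = bytearray(b"\xff" * (8 * 1024 * 1024))
    dump[0x10:0x14] = FD_SIGNATURE
    # FLMAP0: FRBA byte 0x04 (-> 0x40), FCBA byte 0x03 (-> 0x30)
    struct.pack_into("<I", dump, 0x14, (0x04 << 16) | 0x03)
    region_regs = [0x00000000,   # Descriptor: base page 0, limit page 0
                   0x07FF0500,   # BIOS: pages 0x500..0x7FF
                   0x04FF0003,   # ME: pages 0x003..0x4FF
                   0x00020001,   # GbE: pages 0x001..0x002
                   0x00007FFF]   # Platform Data: base > limit = unused
    for i, reg in enumerate(region_regs):
        struct.pack_into("<I", dump, 0x40 + 4 * i, reg)
    dump[0x3000:0x3010] = b"$FPT" + b"\x00" * 12   # stand-in marker only
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample_dump()
    for region, span in parse_flash_regions(sample).items():
        print(f"{region:14s}", "unused" if span is None
              else f"0x{span[0]:06x}-0x{span[1]:06x}")
    print("ME region bytes:", len(carve_region(sample, "ME")))
```

A descriptor whose ME limit lies beyond the end of the file is the usual sign that the programmer read only part of the chip (or the wrong chip, on boards with two SPI flashes), which is worth catching before concluding that the ME firmware is "missing".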

Intel AMT story, continued

https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/

https://downloadcenter.intel.com/download/26755

http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

https://twitter.com/_embedi_/status/860541834606632961

Silent-Bob-is-Silent.pdf (Embedi whitepaper)
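The Tenable and Embedi write-ups linked above both describe the same root cause for CVE-2017-5689: the AMT web server compared the expected HTTP Digest "response" value against the client-supplied one using a length taken from the client's string, so an empty (or prefix-only) response compared equal and the request was treated as authenticated. The following added C example is a reconstruction of that comparison pattern next to a corrected version; it is not Intel's firmware code, and the function names and the sample digest are mine.

```c
/* Added example, not Intel's code: the authentication check pattern behind
 * CVE-2017-5689 as described in the public Tenable and Embedi analyses,
 * alongside a fixed version. Function names and sample values are the
 * author's, not taken from the firmware. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: strncmp bounded by the attacker-controlled length.
 * An empty user_response makes the count 0, strncmp returns 0, and the
 * check passes without knowing the password. A correct prefix of the
 * expected digest passes too. Returns 1 when accepted. */
int digest_check_vulnerable(const char *expected, const char *user_response)
{
    return strncmp(expected, user_response, strlen(user_response)) == 0;
}

/* Fixed: the lengths must match exactly and every byte is compared with
 * no early exit (constant-time), so neither truncation nor timing leaks
 * help an attacker. Returns 1 when accepted. */
int digest_check_fixed(const char *expected, const char *user_response)
{
    size_t n = strlen(expected);
    if (strlen(user_response) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)user_response[i];
    return diff == 0;
}

int main(void)
{
    /* constructed 32-hex-char value standing in for the MD5 digest the
     * server computes from the admin password, nonce and request URI */
    const char *expected = "0123456789abcdef0123456789abcdef";
    const char *attempts[] = { "", "01234567", "0123456789abcdef0123456789abcdef" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("response \"%s\": vulnerable=%d fixed=%d\n", attempts[i],
               digest_check_vulnerable(expected, attempts[i]),
               digest_check_fixed(expected, attempts[i]));
    return 0;
}
```

The Nmap script referenced earlier exploits exactly this: it sends a Digest Authorization header with an empty response field and reports the host as vulnerable when the management page comes back with HTTP 200 instead of 401.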

NCCIC alert on malware in critical infrastructure


Alert (TA17-117A)
Intrusions Affecting Multiple Victims Across Multiple Sectors
Original release date: April 27, 2017 | Last revised: May 02, 2017

The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools. Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.[…]

https://www.us-cert.gov/ncas/alerts/TA17-117A