GRUB2 security changes in Fedora

[…]Include Grub’s “verify,” “cryptodisk,” “luks” and <others here> modules in grubx64.efi of the ‘grub2-efi-x64’ package.  Users utilising secure boot functionality on the UEFI platform cannot insert modules that aren’t in grubx64.efi. Paradoxically, this means that security-conscious users cannot use grub’s verify module, or employ (near) full disk encryption using cryptodisk and luks. The security benefits of signature verification would reach more users if Fedora automated it by incorporating the process into grub2-mkconfig. For the long-term, to grant flexibility with grub2 modules on secure boot instances, it may be advisable to sign the .mod files in the ‘grub2-efi-x64-modules’ package, modify grub2-mkconfig (or -install) to copy the necessary modules into the EFI partition when required by the user’s configuration and then allow inserting of signed modules in secure boot instances.[…]

https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

https://www.phoronix.com/scan.php?page=news_item&px=GRUB2-New-EFI-Modules-For-F31

 

MAC address of targets of ASUS ShadowHammer attack

Re: https://firmwaresecurity.com/2019/03/26/asus-releases-diagnostic-tool-for-windows/

https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/

https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/list.txt

Positive Technologies: Intel VISA: Through the Rabbit Hole, slides available

Re: https://firmwaresecurity.com/2018/12/19/positive-technologies-intel-visa-through-the-rabbit-hole/

PoC||GTFO 0x19 released

https://www.alchemistowl.org/pocorgtfo/

Open Source Firmware track at LinuxFestNorthWest 2019

LinuxFestNorthWest.org is the annual Linux conference for Washington state and the Pacific NorthWest area. This year, there’s an “Open Source Firmware” track, for the first time.

UEFI Boot for Mere Mortals
Why Open Source is Critical For Platform Firmware
Defending Out-of-Band Management Attacks
Network Boot in a Zero-Trust Environment
Open-Source Host Firmware Directions
The Fight for a Secure Linux BIOS… Past, Present and Future

https://www.linuxfestnorthwest.org/conferences/2019/schedule/events

https://www.linuxfestnorthwest.org/conferences/2019

Spring 2019 UEFI Plugfest: schedule announced

State of the UEFI Forum
UEFI Self Certification Tests (UEFI-SCT) and Firmware Test Suite (FWTS)
UEFI Updates and Open Source Firmware evolutions on Arm
10:30 Risks to UEFI firmware due to growing attack surfaces
From Runtime to Compile Time: Improving ASL Through Enhanced Namespace Resolution
Microsoft UEFI Update
Hardening Firmware Components with Host-based Analysis
Half Duplex controller support and Multi IO support in SPI framework
Improving UEFI Network Stack Performance
Case Study: Removing SMM from Intel Platforms
Support Secure UEFI and OPTEE OS together on Arm
Role Modeling Open Source Best Practices in Firmware
Using Capsules for Firmware Configuration Update
UEFI topics for the manufacturing efficiency/second half hour of lunch
How Writing Portable UEFI Drivers Improves Reliability (and Helps Me)
Redfish Implementation for UEFI
Redfish Host Interface: UEFI and OS implications

https://uefi.org/node/3925

Google: Mitigating risk in the hardware supply chain

Google has a new blog post talking about supply-chain security and their Titan chip.

[…]One area where we’ve put a lot of thought, and which we continue to focus on, is the security of our hardware supply chain. Today, I’d like to go into a few of the things we do specifically in this area.[…]

https://cloud.google.com/blog/products/identity-security/mitigating-risk-in-the-hardware-supply-chain

bcdedit-revert-uefi-gpt-boot-order: PowerShell script to modify the UEFI/GPT boot order

This PowerShell script modifies the UEFI/GPT boot order by finding the first non-Windows entry and moving it to the top of the order. When using UEFI+GPT, the Windows installation (since Windows 7?) creates its own boot device entry (“Windows Boot Manager”, a.k.a. “{bootmgr}”) in the UEFI/GPT boot order list and, obnoxiously, takes the liberty of moving said entry to the top of the list. Under most circumstances, this is fine, and probably desirable. However, for systems used for repeated deployment testing, or systems on which you want a different bootloader to take priority (such as dual-boot systems, or computer lab systems that can be remotely re-imaged), this is a show stopper. So I needed a way to do this programmatically. This script makes use of the arcane and undocumented {fwbootmgr} identifier implemented by bcdedit to find the first non-Windows boot device entry in the UEFI/GPT boot order list and move it to the top of the list.

https://github.com/mmseng/bcdedit-revert-uefi-gpt-boot-order

Automating Firmware Security with FwAnalyzer

Looking forward to seeing what FwAnalyzer is about!!

by Collin Mulliner – Cruise Automation

Modern devices are complex and their firmware often consists of multiple parts that together make up the software stack of the product. Securing firmware is a lot of work and even basic issues can cause a lot of pain in the long run. Firmware changes over time and is built for different purposes such as development, testing, and production. Simple but bad changes can have a huge effect if put into production. Catching those changes before shipping or even during development can prevent a lot of issues.
This talk is about FwAnalyzer, a tool to analyze filesystem images for security issues. Analysis is based on configurable rules that model things such as file ownership, permissions, and file content. FwAnalyzer further provides a data extraction engine that is used to gather information from a filesystem and make it accessible via its machine readable report. Overall FwAnalyzer is built to be used by experts for security analysis of existing firmware and for integrating it into the build pipeline to provide direct feedback during development. The talk is based on our experience of dealing with firmware for Linux-based devices built in-house and developed by 3rd parties.

https://qct-qualcomm.secure.force.com/QCTConference/GenericSitePage?eventname=SecuritySummit&page=Summit+Schedule

NoStarch: Rootkits and Bootkits has shipped to the printer

We’ve been waiting for this book for a while!

https://bootkits.io/

Rootkits and Bootkits: all chapters now available in Early Access (~600 p)

Rootkits and Bootkits: new chapter available

Rootkits and Bootkits book update

No Starch Press: Rootkits and Bootkits

Linux Foundation adopts the LVFS Project

Re: https://firmwaresecurity.com/2018/09/08/linux-foundation-taking-over-linux-vendor-firmware-service-lvms/

The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover. To learn more about the project’s history and goals, we talked with Richard Hughes, upstream maintainer of LVFS and Principal Software Engineer at Red Hat.[…]

https://www.linuxfoundation.org/blog/2019/03/lvfs-project-announcement/
https://www.linux.com/news/linux-foundation-welcomes-lvfs-project

see-also:
https://github.com/hughsie/fwupd
https://fwupd.org/lvfs/devicelist

ASUS releases diagnostic tool for Windows

Re: https://firmwaresecurity.com/2019/03/25/asus-live-update-utility-security-issues/

https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software

https://www.asus.com/News/hqfgVUyZ6uyAyJe1

[…]Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found:
https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip

 

Airbus Security Lab: Riding the lightning iLO BMC security wrap-up

By: Fabien Perigaud, Alexandre Gazet & Joffrey Czarny

https://airbus-seclab.github.io/

https://insomnihack.ch/conferences/

ASUS Live Update Utility: security issues

A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.[…]

ShadowHammer: Malicious updates for ASUS laptops

ASUS Live Update has been having some firmware security issues for a while, see: https://firmwaresecurity.com/2016/06/05/asus-liveupdate-of-uefi-sent-authenticated/