Author: hucktech
fail0verflow: Using HDMI-CEC to get code exec on PS4 southbridge
https://fail0verflow.com/blog/2018/ps4-cec/.
2018-11-03
PS4 Aux Hax 4: Belize via CEC
This post describes another way to attain code execution on Aeolia (actually, the southbridge revision on PS4 Pro which was used in this case is named “Belize”). This exploit differs from the previously documented method as it does not have the prerequisite of gaining control of the APU. Additionally it is fairly generic and therefor workable on all currently released hardware and software versions of PS4.[…]
Ken Shirriff: Reverse Engineering Integrated Circuits: slides available
Hackaday SuperCon 2018: Ken Shirriff: Reverse Engineering Integrated Circuits
upos.info: Latency, Throughput, and Port Usage Information For Instructions on Recent Intel Microarchitectures
This website provides more than 200,000 pages with detailed latency, throughput, and port usage data for most x86 instructions on all generations of Intel’s Core architecture (i.e., from Nehalem to Coffee Lake). While such data is important for understanding, predicting, and optimizing the performance of software running on these microarchitectures, most of it is not documented in Intel’s official processor manuals.
Microwalk: A microarchitectural leakage detection framework using dynamic instrumentation
MicroWalk is a microarchitectural leakage detection framework, that uses dynamic instrumentation to compare a given program’s behaviour for a random set of test cases; if these execution traces differ, it tries to quantify the amount of leaked information.
Linux Unattended Installation – Tools to create an unattended installation of a minimal setup of Linux
This project provides all you need to create an unattended installation of a minimal setup of Linux, whereas minimal translates to the most lightweight setup – including an OpenSSH service and Python – which you can derive from the standard installer of a Linux distribution. The idea is, you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […]UEFI and BIOS mode supported.[…]
https://github.com/core-process/linux-unattended-installation
HITB 2018 PEK presentations uploaded
CVE-2018-18440 and CVE-2018-18439: U-Boot boundary checks
CVE-2018-18440: U-Boot insufficient boundary checks in filesystem image load
CVE-2018-18439: U-Boot insufficient boundary checks in network image boot
USB armory Mk II Roadmap published
CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures
From: Billy Brumley:
Date: Fri, 2 Nov 2018 00:12:27 +0200
Howdy Folks,
We recently discovered a new CPU microarchitecture attack vector. The
nature of the leakage is due to execution engine sharing on SMT (e.g.
Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core. Report is below.[…]
## Credit
Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, Nicola Tuveri (Tampere University of Technology, Finland) Alejandro Cabrera Aldaya (Universidad Tecnologica de la Habana CUJAE, Cuba)
## Refs
https://marc.info/?l=openbsd-cvs&m=152943660103446
https://marc.info/?l=openbsd-tech&m=153504937925732
## Exploit
Attached exploit code (password “infected”) should work out of the box for Skylake and Kaby Lake. Said code, soon to be followed by a preprint with all the nitty-gritty details, is also here:
https://github.com/bbbrumley/portsmash
https://seclists.org/oss-sec/2018/q4/123
https://seclists.org/oss-sec/2018/q4/123
https://access.redhat.com/security/cve/cve-2017-5407
https://nvd.nist.gov/vuln/detail/CVE-2018-5407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407
https://twitter.com/CesarPereidaG/status/1058296725419507712
Linaro Connect Vancouver 2018 videos uploaded
Linux Security Summit Europe 2018 videos uploaded
Linux Security Summit Europe 2018 videos have been uploaded to YouTube:
https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/
And slides are here:
https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/program/slides/
Asset InterTech: Using U-boot as production test strategy — really?
[…]Here is where I see a dilemma with using U-Boot for test. First I have to build U-Boot, and second have enough of the system operational, DDR (DDR controller/PHY) and SD flash interface etc. before testing can begin. Testing often involves non-operational system or minimally functionally operational hardware. The use of U-Boot expects a significant portion of the target hardware operational.
Second, assuming that you were successful in building U-Boot you now need to load it on the flash of the UUT. Be sure to follow the below warning. If U-Boot is already installed and running on your board, you can use these instructions to download another U-Boot image to replace the current one.
Warning: Before you can install the new image, you must erase the current one. If anything goes wrong your board will be dead. It is strongly recommended that you have a backup of the old, working U-Boot image or you know how to install an image on a virgin system.
Next U-Boot has limited testing capabilities.[…]
HPE iLOv5 Firmware Updates, Local Bypass of Security Restrictions
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03894en_us
[…]Release Date: 2018-10-30[…]
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.[…]
Joanna Rutkowska: Loving(?) SGX
Ubuntu bug 1798863, CVE-2018-18653, UEFI Secure Boot vuln
The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.[…]
Source: MITRE
Description Last Modified: 10/25/2018
https://nvd.nist.gov/vuln/detail/CVE-2018-18653
[…]This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset[…]
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863/comments/23
https://vuldb.com/?id.125976
Current Exploit Price (≈) $5k-$25k
Virtualization/Hypervisor blog series Part 1 of 6: Introduction to Virtualization, Type Definitions, and Support Testing
In this article we’re going to introduce virtualization, the various forms of virtualization, terminology, and a high level view of the abstraction that is virtualization. We’ll also be building out a test function for support of virtual machine instructions, followed by defining structures to represent various architectural registers and components. The reason for using structures to represent these things is because it’s common for people to use preprocessor macros, however, I find the abuse of preprocessor macros to be vague, ugly and bad practice overall. Preprocessor macros have their place, and we will use them in our project, but sparingly. All types, flags, bits, etc., will be defined using structures or unions. In the type definition section I’ll discuss a common problem seen among driver developers and encountered by other hypervisor developers. After all type definitions are created we’ll write a quick test to determine if our machine supports VMX and then we’ll close with recommended reading before the big article that is heavy on implementation details.[…]
Day 1: Introduction to Virtualization, Type Definitions, and Support Testing
PCILeech 3.6 released
Comparing Qualcomm’s XBL UEFI bootloaders on Snapdragon 820, 835, and 845
Comparing Qualcomm’s XBL UEFI bootloaders on Snapdragon 820, 835, and 845
Oct 30, 2018
I compared UEFI bootloaders from Google Pixel XL, 2XL, 3XL, and Lenovo Miix 630 to show how Qualcomm used the flexibility of UEFI to support Android and Windows. This is part 1 of a series about Qualcomm bootloaders. Part 2 will be posted in about a month.[…]
Firmware Security 
You must be logged in to post a comment.