CVE-2018-3968: Cisco using outdated U-boot in Cujo

August 2, 2018 ~ hucktech ~ Leave a comment

Let’s hope Cisco Talos will let Mitre/NVD about the details soon. No info on the Talos or Cisco security sites, nor even *Twitter*!, AFAICT. 🙂

https://lists.denx.de/pipermail/u-boot/2018-August/336973.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3968

——– Forwarded Message ——–
Subject: [U-Boot] Talos Security Advisory (TALOS-2018-0633/CVE-2018-3968 )
Date: Thu, 2 Aug 2018 18:52:03 +0000

Hello,

Cisco Talos team discovered a security issue impacting Cujo product using an outdated version of U-boot. We’ve assigned a CVE for this issue (CVE-2018-3968) and have attached a copy of the security advisory provided to Cujo.

Blog has second poster: Paul English of PreOS Security

August 2, 2018 ~ hucktech ~ Leave a comment

So far, this blog has been my daily education, writing down URLs of things I learn that day. A few people also feed me interesting URLs. Paul English, co-founder of PreOS Security[1], has been giving me more and more links, so I’ve asked him to deal with them, instead of asking me to do posts on those URLs. 🙂

This is Paul’s first post:

Meet Us At Black Hat USA 2018

He’s also trying to help fix the WordPress-based site to be more usable. It looks like the font has already changed.

[1] https://preossec.com/

Back Doors for Cross-Signed Windows Drivers

August 2, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/geoffchappell/status/1024757182687010818

Four undocumented registry values vary the default validation of signatures on kernel-mode code such that Windows 10 may allow cross-signed drivers when it is otherwise documented as requiring Microsoft-signed drivers. This may be welcome for running your own drivers on your own computers without having to send them to Microsoft. Or it may be an unwelcome exposure to software that would install drivers by surprise, including to let malware elevate from administrative access to kernel-mode execution. Setting these values requires administrative access. Their action is subject to System Integrity policy, which provides the best defence.[…]

http://www.geoffchappell.com/notes/security/whqlsettings/

QuarksLab: Attacking the ARM’s TrustZone

August 1, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/06/19/quarkslab-intro-to-tee-arms-trustzone/

[BLOG] Attacking ARM''s TrustZone
Part II of Joffrey Guilbon's Introduction to Trusted Execution Environmenthttps://t.co/tZA1gkbM8L

— quarkslab (@quarkslab) July 31, 2018

https://blog.quarkslab.com/attacking-the-arms-trustzone.html

Reversing the Luxeed LED keyboard, a Windows USB driver

August 1, 2018 ~ hucktech ~ Leave a comment

Lots of general debugging skills for Windows USB drivers covered in this blog post.

https://twitter.com/geeknik/status/1024439570019110912

http://jespersaur.com/drupal/book/export/html/21

Intel updates 2 security whitepapers

August 1, 2018 ~ hucktech ~ Leave a comment

The #Intel "Analyzing potential bounds check bypass vulnerabilities" white paper has been updated to 002https://t.co/6xeAM9o567 pic.twitter.com/ImbGTS0IqF

— InstLatX64 (@InstLatX64) August 1, 2018

The #Intel "Managed Runtime Speculative Execution Side Channel Mitigations" white paper has been updated to 002https://t.co/dn82ACIKxe pic.twitter.com/Cgg563iC9m

— InstLatX64 (@InstLatX64) August 1, 2018

Click to access Managed-Runtime-Speculative-Execution-Side-Channel-Mitigations.pdf

Click to access 337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

QuickESP: Minimal and discreet ESP/EFI Mounter application for macOS

August 1, 2018 ~ hucktech ~ Leave a comment

https://github.com/dkoluris/quickesp

Only 4 hours old, “Fresh Meat”, as they used to say in the olde days of the Interwebs.

SMM disabling and verification techniques

August 1, 2018 ~ hucktech ~ Leave a comment

3mdeb points out that there is a patent by Intel with information focused on disabling Intel SMM.

Don’t click on this link if you’re an engineer and are not allowed to view patent information.

If you really want to get rid of SMM there should be plenty of opportunities according to this US Patent – System management mode disabling and verification techniques – #smm #firmware #security https://t.co/1E8L0O1sXv

— 3mdeb (@3mdeb_com) August 1, 2018

https://patents.google.com/patent/US20170168844

chipsec-script: calls multiple CHIPSEC tools

July 31, 2018 ~ hucktech ~ Leave a comment

[I just noticed this, it is a month old. Not many CHIPSEC-based projects on Github, and I was not searching for latest ones…]

https://github.com/yeggor/chipsec-script

This project wraps CHIPSEC and gathers the results of multiple CHIPSEC tools/tests/utils.

PreOS Security is working on fwaudit, a tool that also wraps CHIPSEC, and other tools. I’m in the middle of an update of fwaudit, for Black Hat.

System call dispatching on Windows ARM64

July 31, 2018 ~ hucktech ~ Leave a comment

After years of living under a rock, I decided to start blogging. My first article is about system call dispatching for Windows on ARM64. https://t.co/0SFQeKQ2Jd

— Bruce Dang (@brucedang) July 31, 2018

Microsoft recently announced that there will be Windows ARM64 devices. This article briefly documents the system call dispatching mechanism for Windows on ARM64. Readers are assumed to be familiar with ARM64 assembly and system call dispatching on Windows x86/x64.[…]

https://gracefulbits.com/2018/07/26/system-call-dispatching-for-windows-on-arm64/

Mambo: A DBI and modification tool for AArch32 and AArch64

July 31, 2018 ~ hucktech ~ Leave a comment

MAMBO is a young DBI framework designed specifically for ARM (AArch32/AArch64). It's less powerful/flexible then DynamoRIO but it's very fast. https://t.co/b1Q2ylk2gR

— Dmitriy Evdokimov (@evdokimovds) July 31, 2018

https://github.com/beehive-lab/mambo

FakeSMC_SMMSensors.kext: FakeSMC sensor plugin which uses SMM to obtain info

July 31, 2018 ~ hucktech ~ Leave a comment

https://www.tonymacx86.com/threads/fakesmc-smmsensors.257123/

https://github.com/the-darkvoid/OS-X-FakeSMC-kozlek/tree/smm-sensors

Installing Coreboot on Lenovo X210

July 31, 2018 ~ hucktech ~ Leave a comment

Blog post describing how we got Coreboot ported to the 51nb X210 weird Thinkpad thing – including reverse engineering via grep, rescuing hardware by running it out of tolerance and using i2cdetect to make RAM appear: https://t.co/myXdT92LAb

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) July 31, 2018

https://t.co/veBFZQbXf8 now appears to work perfectly, with the exception of the brightness hotkeys. Probably still a bunch of power management optimisation to do.

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) July 31, 2018

[…]The other fun thing about it is that none of the firmware flashing protection is enabled, including Intel Boot Guard. This means running a custom firmware image is possible, and what would a ridiculous custom Thinkpad be without ridiculous custom firmware? A shadow of its potential, that’s what. So, I read the Coreboot[1] motherboard porting guide and set to.[…]

https://mjg59.dreamwidth.org/50924.html

Lenovo should be giving Matthew a free X210 for this effort:

If I needed some convincing to get a X210 motherboard, you just did it.

— L. Pereira (@lafp) July 31, 2018

Debian UEFI Secure Boot report from DebConf

July 31, 2018July 31, 2018 ~ hucktech ~ Leave a comment

DebConf, the Debian conference is happening, and there’s a EFI Secure Boot talk. Slides are listed on the debian-efi list below:

Today's afternoon is intense at #DebConf18: Report from the Debian EFI team (Secure Boot on Debian), GSoC session, and Debian on Mobile Devices (all streamed) https://t.co/mQBdkuLTHs

— The Debian Project (@debian) July 31, 2018

https://lists.debian.org/debian-efi/2018/07/msg00015.html

https://meetings-archive.debian.net/pub/debian-meetings/2018/DebConf18/?

Open Source Firmware Conference: CfP deadline is tommorow

July 30, 2018 ~ hucktech ~ Leave a comment

Hi There!
Don't Forget CFP Submission Deadline: 31. July 2018.
Submit your paper here https://t.co/63a4huIvMI pic.twitter.com/iE3qMD8vWe

— Open Source Firmware Conference (@osfc_io) July 30, 2018

Final day to submit a talk to the Open Source Firmeware Conference is July 31st!

https://easychair.org/cfp/osfc2018

https://osfc.io/

ftriage: automating forensic artifact acquisition, reduction, and analysis

July 30, 2018 ~ hucktech ~ Leave a comment

New toolkit I’ve been working on to help automate forensic triage of disk and memory images. Still in early stages but coming along nicely! PR’s appreciated. #DFIR #forensics #InfoSec https://t.co/KE2en3F549

— Whiskey (@whiskeypoops) July 26, 2018

My attempt at automating forensic artifact acquisition, reduction, and analysis.

fTriage leverages dozens of popular, open source tools to triage suspect memory/disk image(s). Each script automates a step in the investigation an analyst would otherwise perform manually. Moreover, I’ve written a wrapper to execute collections of data acquisition scripts. There is no limit to how many scripts you can run at once, but naturally there are some that need to be run before others, review the “Recommended Usage” section for example usage of prebuilt script lists.

https://github.com/matthewclarkmay/ftriage

Fail0verflow: PS4 Aux Hax 1: Intro & Aeolia

July 30, 2018 ~ hucktech ~ Leave a comment

A trio of new blog posts! Checkout "PS4 Aux Hax": hacking Aeolia, Syscon, and DS4. https://t.co/7nsAMNzPY0

— fail0verflow (@fail0verflow) July 29, 2018

PS4 Aux Hax 1: Intro & Aeolia

By ps4_enthusiast
Filed under ps4 vulnerability exploit

In the PS4 Aux Hax series of posts, we’ll talk about hacking parts of the PS4 besides the main x86 cores of the APU. In this first entry, we’ll give some background for context and describe how we managed to run arbitrary code persistently on Aeolia, the PS4 southbridge.[…]

https://fail0verflow.com/blog/2018/ps4-aeolia/