Positive Tech at BlackHat EU: Running Unsigned Code in Intel ME

September 21, 2017 ~ hucktech ~ Leave a comment

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such “God mode” capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools. Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics. In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Intel ME is the new Pandora’s Box…

CVE-2015-7837: RHEL UEFI Secure Boot

September 20, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/security_de/status/910399697986244609

Vulnerability ID 106841
Red Hat Enterprise Linux UEFI Secure Boot privilege escalation

A vulnerability, which was classified as critical, has been found in Red Hat Enterprise Linux (the affected version is unknown). This issue affects an unknown function of the component UEFI Secure Boot. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-269. Impacted is confidentiality, integrity, and availability. The weakness was released 09/19/2017 (oss-sec). The advisory is shared for download at openwall.com. The identification of this vulnerability is CVE-2015-7837 since 10/15/2015. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/20/2017).[…]

https://tsecurity.de/de/206729/Reverse-Engineering/Exploits/Red-Hat-Enterprise-Linux-UEFI-Secure-Boot-erweiterte-Rechte-CVE-2015-7837/
https://vuldb.com/?id.106841
http://nakedsecurity.com/cve/CVE-2015-7837/
https://cxsecurity.com/cveshow/CVE-2015-7837
http://www.openwall.com/lists/oss-security/2015/10/15/6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7837
https://www.security-database.com/detail.php?alert=CVE-2015-7837

Comments above seem to incidate a 9/19 update, but I can’t find that, only older messages from 2015-2016. Unclear about current status of this.

Usenix Security 2017 videos online

September 19, 2017 ~ hucktech ~ Leave a comment

The wait is over: #usesec17 talk videos are now posted for your viewing pleasure. Happy weekend! https://t.co/mx7pheWjyo pic.twitter.com/B1FrnQuO9S

— USENIX Security (@USENIXSecurity) September 15, 2017

https://www.usenix.org/conference/usenixsecurity17/technical-sessions

Abusing Chromium EC presentation online

September 19, 2017 ~ hucktech ~ Leave a comment

Slides for my #FOSDEM talk are online. Check the bottom for HTML5 version. Video recording should be there to soon. https://t.co/LwNomtYViE

— Moritz Fischer (@fischmz) February 6, 2017

https://archive.fosdem.org/2017/schedule/event/abusing_chromium_ec/

William reviews ru.efi/ru.exe

September 19, 2017 ~ hucktech ~ Leave a comment

Basic Input/Output: RU! https://t.co/Zb6gdlS3B9 #uefi

— williamleara.eth (@WilliamLeara) September 19, 2017

http://www.basicinputoutput.com/2017/09/ru.html

https://github.com/JamesAmiTw/ru-uefi

http://ruexe.blogspot.com/

Microsoft Azure seeks senior UEFI engineer

September 18, 2017 ~ hucktech ~ Leave a comment

Senior UEFI / FW Development Engineer – CSI / Azure – Cloud Server Infrastructure

The Azure Cloud Server Infrastructure development team (CSI) is seeking a talented FW development engineer with UEFI based BIOS/FW development experience. Candidate will be a member of the MSFT Azure CSI/UEFI FW team and will be responsible for design and development of UEFI FW solutions for MSFT Cloud Platforms. The Senior BIOS/Firmware Developer candidate must have relevant industry experience in the development of UEFI firmware solutions. Candidate must demonstrate skills and experiences from early planning/concept architecture, platform bring-up, UEFI FW features development, board manufacturing support and field issues debug/servicing support.[…]

https://careers.microsoft.com/jobdetails.aspx?jid=320991&job_id=1070474&utm_source=Indeed&show_desc=0

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

TCG announces DICE Architecture

September 18, 2017 ~ hucktech ~ Leave a comment

Learn more #DICE RoT #IOT embedded systems; session Oct. 3 @IOTSWC https://t.co/yie2689Z2z

— Trusted Computing (@TrustedComputin) September 18, 2017

Secure #IOT w power/space/cost constraints? #DICE root trust easy & cost effective. New podcast @embedded_comp https://t.co/Wh1ppcuP4e

— Trusted Computing (@TrustedComputin) September 15, 2017

Trusted Computing Group has released the Device Identifier Composition Engine (DICE) Architecture for securing resource-constrained devices that make up the Internet of Things. The DICE Architecture provides critical security and privacy benefits to IoT and embedded systems where traditional Trusted Platform Modules (TPM) may be impractical, while also enabling support for those devices with a TPM for additional security benefits. Security capabilities this new approach enables include strong device identity, attestation of device firmware and security policy, and safe deployment and verification of software updates, which often are a source of malware and other attacks. The DICE Architecture, with its hardware root of trust for measurement, breaks up the boot process into layers, and creates unique secrets and a measure of integrity for each layer. This means if malware is present, the device is automatically re-keyed and secrets are protected. […]

DICE

http://www.businesswire.com/news/home/20170918005087/en/TCG-Announces-DICE-Architecture-Security-Privacy-IoT

Android 8.0 and Project Treble

September 18, 2017 ~ hucktech ~ Leave a comment

Android's new security requirements support Project Treble, for faster firmware updates: https://t.co/bIekoViHod pic.twitter.com/glxIuEC6eE

— The Linux Foundation (@linuxfoundation) September 18, 2017

https://www.linux.com/news/2017/9/android-oreo-adds-linux-kernel-requirements-and-new-hardening-features

https://source.android.com/devices/architecture/kernel/modular-kernels#core-kernel-requirements

“The Android 8.0 release includes Project Treble, a major re-architect of the Android OS framework designed to make it easier, faster, and less costly for manufacturers to update devices to a new version of Android. Treble is for all new devices launching with Android 8.0 and beyond (the new architecture is already running on the Developer Preview for Pixel phones).[…]”

UEFI-CheckScript: PowerShell script for SCCM/WinPE

September 18, 2017 ~ hucktech ~ Leave a comment

“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”

https://github.com/diablolot53/uefi-checkscript

UefiToolsPkg: making UEFI more useful to system hackers

September 16, 2017 ~ hucktech ~ Leave a comment

Andrei Warkentin has created UefiToolsPkg, readme excerpt below:

This is a Tiano Core (edk2) package with various goodies. The goal was to make the UEFI environment much more useful to system hackers. It may be a reduced environment, but there’s no need for it to remain a crippled one. People make the analogy of UEFI being the 21st century equivalent of DOS, yet DOS was a vastly more useful environment than UEFI is today. Hopefully, one day this will grow into a veritable distribution of software to be productive even without a “real OS” around. Contains: Useful utilities for developers and admins,Ported UNIX tools, Useful libraries for developers, Development tools for Windows/Linux, Other tools around the Web.

FdtDump: dump system device tree to storage
AcpiDump: dump system ACPI tables to storage
AcpiLoader: load system ACPI tables from storage
ShellPlatVars: set UEFI Shell variables based on platform configuration
MemResv: create new memory map entries
RangeIsMapped: validates ranges in the memory map
GopTool: Check and manipulate EFI_GRAPHICS_OUTPUT_PROTOCOL instances
tinycc: port of TinyCC to UEFI

There’s at least one other UEFI ‘distribution’ project on Github, mostly non-usable, I forget the name at the moment. If I had some spare time, I’ve been wanting to do something like this, still looking to find the spare time… 😦 The next logical step is to include FPMurphy’s UEFI Utilities:

https://github.com/fpmurphy/UEFI-Utilities-2016

Linux IoT and secure firmware updates

September 15, 2017 ~ hucktech ~ Leave a comment

Identifying secure firmware update mechanisms for embedded Linux devices and open source options
September 15, 2017
Alex Gonzalez
[…]With regards to embedded devices, the firmware update mechanism must be not only secure, but also reliable in that it either succeeds in the update or fails to a recoverable state. In no way should the software update brick a device, and it should be able to happen unattended. Most updates must also preserve the previous device state, although on some occasions recovering a device could involve resetting to a default state.[…]

http://www.embedded-computing.com/dev-tools-and-os/identifying-secure-firmware-update-mechanisms-for-embedded-linux-devices-and-open-source-options

IDA Pro 7.0 released

September 15, 2017 ~ hucktech ~ Leave a comment

IDA 7.0 is out: https://t.co/wrf06yUS5t

— Ilfak Guilfanov (@ilfak) September 14, 2017

Hex-Rays IDA v7.0 and Decompilers released! Lots of changes: x64 support, new API https://t.co/kHNTILGQ6Y https://t.co/0YtXs1HXbY #REhints

— REhints (@REhints) September 14, 2017

A lot of work ahead for IDA plugin developers. Porting Guide to IDA 7.0 SDK from older versions: https://t.co/Hb7xTrI0Vh #REhints

— REhints (@REhints) September 14, 2017

IDA v7.0 have a lot of improvements for parsing RTTI (MSVC, GCC, LLVM). But we working on Decompiler side with new version of #CodeExplorer

— REhints (@REhints) September 15, 2017

https://www.hex-rays.com/products/ida/7.0/index.shtml

https://hex-rays.com/products/decompiler/news.shtml#170914

NIST releases SP 800-125A 2nd ed, hypervisor security

September 15, 2017 ~ hucktech ~ Leave a comment

NIST Releases the Second Public Draft of Special Publication (SP) 800-125A,” Security Recommendations for Hypervisor Deployment” is now available for public comment, deadline for feedback is October 6th.

The NIST web site is changing on September 18 2017. Some links will change, below are pre- and post-Sep 18 URLs:

https://beta.csrc.nist.gov/publications/detail/sp/800-125A/draft
https://csrc.nist.gov/publications/detail/sp/800-125A/draft

Microsoft Azure introduces confidential computing

September 15, 2017 ~ hucktech ~ Leave a comment

Hardware (#SGX) and software enclaves available in Microsoft Azure https://t.co/JQ8LjLhBBE

— Felix Schuster (@flxflx) September 14, 2017

Introducing Azure confidential computing https://t.co/l2fyv3QJPY

— vincent zimmer (@vincentzimmer) September 14, 2017

[…]With Azure confidential computing, we’re developing a platform that enable developers to take advantage of different TEEs without having to change their code. Initially we support two TEEs, Virtual Secure Mode and Intel SGX. Virtual Secure Mode (VSM) is a software-based TEE that’s implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators from viewing the contents of the VSM enclave or modifying its execution. We’re also offering hardware-based Intel SGX TEE with the first SGX-capable servers in the public cloud. Customers that want their trust model to not include Azure or Microsoft at all can leverage SGX TEEs. We’re working with Intel and other hardware and software partners to develop additional TEEs and will support them as they become available.[…]

Introducing Azure confidential computing

Patroklos on microcode reversing

September 14, 2017 ~ hucktech ~ Leave a comment

Patroklos (argp) Argyroudis has a new document on microcode reversing:

My brief notes on "Reverse engineering x86 processor microcode": https://t.co/ywfkmZyG6o

— argp (@_argp) September 14, 2017

“Paper notes: Reverse engineering x86 processor microcode
14 Sep 2017”

https://argp.github.io/2017/09/14/re-x86-microcode/

PCILeech presentation uploaded

September 14, 2017 ~ hucktech ~ Leave a comment

Ulf has a new presentation on PCIe attacks online!

Looking forward watching the talk on youtube, slides at https://t.co/yeGFko6tgy

— Ulf Frisk (@UlfFrisk) September 13, 2017

https://github.com/ufrisk/presentations

Click to access SEC-T-0x0Anniversary-Ulf-Frisk-Evil-Devices-and-Direct-Memory-Attacks.pdf

UEFI driver dev presentation

September 14, 2017 ~ hucktech ~ Leave a comment

Elvis Teixeira has a presentation on UEFI driver development, slides are available here:

https://github.com/elvismt/presentations

Armis BlueBorne: Bluetooth vulnerabilities

September 13, 2017 ~ hucktech ~ Leave a comment

Zero day vulnerabilities and security flaws in modern Bluetooth stacks https://t.co/rWrAIWyMJv (PDF) #BlueBorne #0day #vulnerability pic.twitter.com/BycKXycr9b

— x0rz (@x0rz) September 13, 2017

Is it time to dust off old Bluetooth worm doomsday predictions? ☠️ #BlueBorne https://t.co/x4JJuzHIB6 [pdf] pic.twitter.com/M1zg5EP3em

— Yuriy Bulygin (@c7zero) September 12, 2017

BlueBorne Bluetooth Vulnerabilities https://t.co/jb2ZLbruZ5

— CISA Cyber (@CISACyber) September 12, 2017

Patch your Bluetooth today, and contemplate gazillions of unpatchable wormable embedded/IoT netfridges and such… https://t.co/jf3ztBsl8w

— dragosr (@dragosr) September 12, 2017

These vulnerabilities were publicly disclosed by Ben Seri and Gregory Vishnepolsky of Armis. Armis acknowledges Alon Livne for the Linux RCE (CVE-2017-1000251) exploit.

https://www.kb.cert.org/vuls/id/240311

https://www.us-cert.gov/ncas/current-activity/2017/09/12/BlueBorne-Bluetooth-Vulnerabilities

https://www.armis.com/blueborne/

This is why I don’t use bluetooth. 🙂

MCExtractor 1.7.0 released

September 12, 2017 ~ hucktech ~ Leave a comment

MC Extractor v1.7.0 is x2.5 times faster with two new parameters, progress counter and various fixes & improvements https://t.co/I0FZOqcEMH pic.twitter.com/3oSXh7WHma

— Plato Mavropoulos (@platomaniac) September 11, 2017

“Intel, AMD & VIA Microcode Extraction Tool.”

https://github.com/platomav/MCExtractor