Category: Uncategorized

Genode 17.08 adds UEFI support

~ hucktech ~ Leave a comment

“Analogously to our work on the seL4 and NOVA kernels in this release, we extended our base-hw kernel to become a Multiboot2 compliant kernel. When used together with GRUB2, it can be started on x86 UEFI machines missing legacy BIOS support (i.e., CSM).”

https://genode.org/documentation/release-notes/17.08

 

new Apple tools: eficheck (and nvm)

~ hucktech ~ 1 Comment

Apple has apparently created a tool for examining Apple Mac EFI firmware, called eficheck. As I understand things, it was released, then pulled due to some issues (bugs?), and is apparently now avabilable in latest macOS updates. Also, it sounds like there might be another tool for NVMe diagnostics.

https://twitter.com/al3xtjames/status/874764154745368576

usage: eficheck: [–save -b] [ –cleanup -b] [–generate-hashes [-b] [-p]] [–integrity-check [-h [-b]]] [–show-hashes [-h] | [-b]]

Apple’s eficheck…


https://www.apple.com/macos/sierra/
https://en.wikipedia.org/wiki/MacOS_High_Sierra
https://www.macrumors.com/roundup/macos-10-13/

eficheck

Maybe someday there’ll be more info on eficheck, if you find any manpage or other info, please leave a Comment.
https://www.apple.com/us/search/eficheck
https://twitter.com/search?q=eficheck&src=typd

Google Pawn: Intel firmware dumping tool!

~ hucktech ~ Leave a comment

Exciting, Google has a new tool that helps dump the UEFI/BIOS into a rom.bin, like FlashROM and CHIPSEC! Pawn is written in C++/C, Apache-licensed, requires Linux and GCC toolchain. Given 2014-2017 copyright, it has been around for YEARS, only went public 3 months ago, and I just noticed it today. See below, I am still looking for “Bishop”…

Pawn BIOS Dumping Tool
Copyright 2014-2017 Google Inc.
Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.
Pawn is a tool to extract the BIOS firmware from Intel-based workstations and laptops. The name is a play on an internal tool that is also named after a chess piece.
[…]
sudo .build/pawn bios_image.bin
You can then use other tools like UEFITool to process the firmware image further.

https://github.com/google/pawn

What/where is Pawn’s companion utility, Bishop?? From pawn.cc comments:

Pawn, a companion utility to Bishop (go/bishop) to extract BIOS firmware from corp machines.

If you find it, please leave a Comment.

https://github.com/google?utf8=%E2%9C%93&q=Bishop&type=&language=

https://github.com/search?q=topic%3Afirmware-tools+org%3Agoogle&type=Repositories

 

FWTS 17.08.00 released, many new ACPI tests

~ hucktech ~ Leave a comment

FWTS 17.08.00 is released. New Features:

* ACPICA: Update to version 20170728
* New ACPI tests defined by ACPI 6.2
* acpi: sdei: add ACPI SDEI test (mantis 1714)
* acpi: pcct: refactor subspace to individual functions
* acpi: pcct: update PCCT table to ACPI 6.2 (mantis 1659 & 1755)
* acpi: dppt: add ACPI DPPT test (mantis 1795)
* acpi: pptt: add ACPI PPTT test
* acpi: hmat: add ACPI HMAT test (mantis 1705)
* acpi: method: add _LSI test according to ACPI 6.2 (mantis 1721)
* acpi: madt: Add support for ACPI 6.2
* New tests for SBBR
* acpi: fadt: add SBBR compliance tests
* acpi: madt: add SBBR compliance tests
* acpi: spcr: add SBBR compliance tests
* acpi: xsdt: add SBBR compliance tests
* acpi: dbg2: add SBBR compliance tests
* acpi: gtdt: add SBBR compliance tests
* acpi: acpitables: add SBBR compliance tests
* dmi: dmicheck: add SBBR compliance tests
* acpi: method: add SBBR compliance tests
* acpi: rsdp: add SBBR compliance tests
* acpi: sbbr: sync up with new SBBR tests

http://fwts.ubuntu.com/release/fwts-V17.08.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.08.00
https://launchpad.net/ubuntu/+source/fwts

 

ME_Cleaner updated to set HAP bit

~ hucktech ~ Leave a comment

UNTESTED: Set the HAP bit:
Positive Technologies discovered the presence of an undocumented HAP bit in the PCHSTRP0 field of the descriptor which, when set to 1, disables completely Intel ME just after the initialization. This is confirmed both by an analysis of the status of Intel ME after the setting of the bit and by reverse engineering the BUP module.

https://github.com/corna/me_cleaner/commit/350903a695851dda20b2be5d6099b58e377653b7

https://github.com/corna/me_cleaner

PTSecurity on Intel ME

 

Rufus: insecure online behavior

~ hucktech ~ Leave a comment

[[update: see: https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb ]]

 

 

Vulnerability Note VU#403768
Akeo Consulting Rufus fails to update itself securely

Akeo Consulting Rufus fails to securely check for and retrieve updates, which an allow an authenticated attacker to execute arbitrary code on a vulnerable system. Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature checking of downloaded updates, it does not ensure that the update was signed by a trusted certificate authority (CA). This lack of CA checking allows the use of a self-signed certificate. Because of these two weaknesses, an attacker can subvert the update process to achieve arbitrary code execution. An attacker on the same network as, or who can otherwise affect network traffic from, a Rufus user can cause the Rufus update process to execute arbitrary code. The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
* Don’t use built-in update capabilities
* Because Rufus does not include the ability to securely install updates, any Rufus updates should be obtained from https://rufus.akeo.ie/ directly, using your web browser.
* Avoid untrusted networks
* Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.

https://github.com/pbatard/rufus

https://rufus.akeo.ie/

http://pete.akeo.ie/

Ulf: Attacking UEFI over DMA

~ hucktech ~ Leave a comment

Attacking UEFI:
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot – then the chain of trust is broken and secure boot becomes insecure boot. If code execution is gained before the operating system is started further compromise of the not yet loaded operating system may be possible. As an example it may be possible to compromise a Windows 10 system running Virtualization Based Security (VBS) with Device Guard. This have already been researched by Dmytro Oleksiuk. This post will focus on attacking UEFI over DMA and not potential further compromises of the system.[…]

https://github.com/ufrisk/pcileech

http://blog.frizk.net/2017/08/attacking-uefi.html

 

WinDbg updated

~ hucktech ~ Leave a comment

 

New WinDbg available in preview!
We are excited to announce a preview version of a brand new WinDbg. We’ve updated WinDbg to have more modern visuals, faster windows, a full-fledged scripting experience, built with the easily extensible debugger data model front and center. I’ll start this by saying that WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows you’re used to will still work just as they did before.

https://blogs.msdn.microsoft.com/windbg/2017/08/28/new-windbg-available-in-preview/

Windbg always had restrictions in what UI widgets it could use, since Windbg was used to debug those same UI widgets (OLE, COM, etc.) and had to work even those widgets did not work.

Two new Rust/UEFI projects by Jiří Zárevúcky

~ hucktech ~ Leave a comment

Two new Rust/UEFI projects:

rust-efi-app: High-level bindings for writing UEFI applications in Rust. Currently in very early stages. The goal is that the library will make it easy and safe to write an application (e.g. an OS kernel) that is capable of functioning across call to ExitBootServices() without depending on the programmer’s judgement for safety, transparently dealing with issues like memory allocations and console output.

https://github.com/le-jzr/rust-efi-app

rust-efi-types:  Autogenerated Rust bindings for UEFI types and methods. Generated using bindgen from the headers distributed with gnu-efi. The headers are included. Only works on x86_64, and I don’t plan to extend it to other platforms, or clean it up in any way, because it’s all just a giant hack so that I don’t have to waste much time on proper bindings at this moment. Eventually, it will outlive its usefulness and be unceremoniously dumped into trash.

https://github.com/le-jzr/rust-efi-types

 

PTSecurity on Intel ME

~ hucktech ~ Leave a comment

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.[…]

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

https://github.com/ptresearch/unME11

https://github.com/ptresearch/me-disablement

TrustedSec’s PTF (PenTesters Framework)

~ hucktech ~ Leave a comment

It is a few years old, but I just learned about this tool. After you’ve installed a new OS, with all the tools that that come with that distro/marketplace, then you run PTF with a list of all your Github-based tools which don’t have binary packages, and it installs them for you. I guess some people use this as an alternative to pre-built security distros like Kali or BlackArch. I’ve heard that PTS works on more OSes than the below readme excerpt hints at. Ignore the “pentest” part of the name, it is applicable to non-pentesters, it is useful for people who have a list of Git/Svn-hosted source tools that do not have binary packages, which you want to have installed when you install a fresh OS. You can modify PTF with your list of source projects. If you have a custom script that sets up some firmware-related tools, please leave a Comment on the blog! The only firmware-related tool I noticed a PTF module for was for BinWalk.

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we’ve been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those “go to” tools that we use on a regular basis, and using the latest and greatest is important. PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It’s all up to you. The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It’s super simple to configure and add them and only takes a few minute.

https://github.com/trustedsec/ptf/
https://github.com/trustedsec/ptf/blob/master/modules/reversing/binwalk.py
https://www.trustedsec.com/2015/05/new-tool-the-pentesters-framework-ptf-released/
https://www.trustedsec.com/pentesters-framework/

NVIDIA seeks Embedded Firmware Security Lead

~ hucktech ~ Leave a comment

We are looking for an engaged individual with an ability to assimilate complex software designs in order to identify security vulnerabilities and advocate for solutions. The applicant should demonstrate ability to use formal methods such as threat models and attack-trees to support appropriate architectural decisions.You should understand and be able to mentor others in security fundamental and principles of design. This includes testing techniques and a familiarity with static code analysis, dynamic analysis, fuzzing, negative testing and other techniques. Experience with secure code quality practices and tooling to support quick engagements and rapid analysis – static analysis tools (Coverity, Checkmarx, or similar), dynamic scanning (Rapid 7, AppSider, or similar), Fuzzing (AFL, Peach, or similar) and code coverage (Bullseye, LDRA, etc). 

https://www.linkedin.com/jobs/view/356235238

Booting Windows from USB drive

~ hucktech ~ Leave a comment

Here’s a MSDN blog entry on how to boot Windows via a thumbdrive. It is basically an introduction to Rufus…

Installing Windows with Secure Boot from USB drive
July 18, 2017
by Anders Lybecker

Once and a while I reinstall my machine. It feels nice with a clean slate as I tend to install all kinds of applications that pollutes my machine. A newly installed machine just runs better somehow. My machine needs to be secure, so Secure Boot and encrypted drive via BitLocker is a must. It limits the risk of someone messing with my machine and stealing my data. Here is how…[…]

https://blogs.msdn.microsoft.com/lybecker/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

http://www.lybecker.com/blog/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

https://github.com/pbatard/rufus

https://rufus.akeo.ie/

BTW, these days it is pretty rare to see a modern open source GUI tool that is written to use the native Windows Win32 GUI (GDI). These days, most GUIs are written using friendlier GUI frameworks/languages. Rufus is an ‘old school’ Windows tool, no drag-and-drop IDE-generated GUI code… 🙂

https://github.com/pbatard/rufus/blob/master/src/rufus.c

PureOS joins Debian derivatives census

~ hucktech ~ Leave a comment

PureOS is the Debian-based Linux distribution by Purism for their laptops.  Jonas Smedegaard has apparently joined Purism to help with PureOS:

“I am long time Debian developer with a special interest in Pure Blends (a.k.a. friendly assimilation of derivatives into Debian). Since about a month ago I am hired by Purism to help develop PureOS – a Debian derivative for which I will act as Derivatives Census contact.”

https://wiki.debian.org/Derivatives/Census/PureOS

Hector Oron of Debian, who invited PureOS into the Debian Derivative census, made a few interesting initial comments evaluating PureOS, some things that need I hope Purism addresses:

“The page says that PureOS modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does PureOS actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. The apt repository for PureOS does not contain source packages [for the contrib and non-free section], including for packages licensed under the GNU GPL. This may or may not be a copyright violation depending on whether or not you distribute those elsewhere. In any case, please add source packages to your repository so that Debian can automatically create patches to be presented to Debian package maintainers.”

For more info, read the thread on the debian-derivatives@lists.debian.org mailing list.

https://puri.sm/?s=Debian

Radare Conference 2017

~ hucktech ~ Leave a comment

https://rada.re/con/2017/

http://radare.org/con/2017/

Training:
Beginner Training (pancake, alvarofe)
Intro to Unpacking on Windows (newlog, Giomismo, zlowram)
Beginner Training (maijin, xvilka)
Tiny uControllers firmware reversing and exploiting (dark_k3y)

Presentations:
r2frida (@mrmacete)
SIOL – condret
CFG-based fussy hash for malware classification using r2 (robin marsollier)
zdbg (@zutle)
GSoC talks (gdbserver, windows support and backstepping) @xvilka
r2anal (alvaro) + limits of esil (killabyte)
RAIR (@oddcoder)
r2 module for Yara (@plutec_net + @mmorenog)
Anal clemency (@raysong)
Intro to Reversing Windows Malware Using r2 @ newlog
Surprise talk by @oleavr
Diaphora and r2 (@pancake, @matalaz)
Road to the kernel (@nighterman)
Pimp my Triton (ak42)

AMI announces NVMe UEFI Option ROM service for OEMs

~ hucktech ~ Leave a comment

American Megatrends Provides Service for Developing NVMe UEFI Option ROMs for UEFI BIOS Firmware

AMI is pleased to announce new service for developing NVMe® UEFI Option ROMs. Recently, AMI added support for technologies such as NVMe metadata/data encryption and NVMe namespace management. Continuing its support for NVMe-related technologies, AMI has also developed UEFI NVMe Option ROMs. This service for developing UEFI NVMe Option ROMs enables OEMs and NVMe device manufacturers to ship NVMe devices with Option ROMs embedded in them. OEMs and NVMe device manufacturers will have the ability to add features that are traditionally unavailable with generic UEFI drivers and can implement vendor-specific commands and features within their devices. Some of the additional features that are available for NVMe Option ROMs include disk management for namespace management in BIOS setup, metadata/end-to-end data protection, NVMe firmware updates in BIOS setup and SMART data information. Interested OEMs and NVMe drive manufacturers should contact their AMI sales representative for more information.

https://ami.com/en/news/press-releases/american-megatrends-provides-service-for-developing-nvme-uefi-option-roms-for-uefi-bios-firmware/
http://ami.com/products/bios-uefi-firmware/aptio-v/