Linux kernel ACPI-centric CVE-2017-13694: Awaiting Analysis

August 25, 2017 ~ hucktech ~ Leave a comment

CVE-2017-13694
Source: MITRE
Last Modified: 08/25/2017
CVE-2017-13694

This vulnerability is currently awaiting analysis.

The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

https://nvd.nist.gov/vuln/detail/CVE-2017-13694

https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0
https://patchwork.kernel.org/patch/9806085/

HPE iLO: multiple remote vulnerabilities (HPESBHF03769 rev.1)

August 25, 2017 ~ hucktech ~ Leave a comment

Huge! HPE iLO4 (BMC) remote auth bypass and code exec. Props to Airbus security team! https://t.co/GKvlv7rmoT

— Yuriy Bulygin (@c7zero) August 25, 2017

HP finally disclosed that iLO 4 2.53 includes a critical security fix. Patch NOW. Really… https://t.co/zYjUL47C0Q

— F4b (@0xf4b) August 25, 2017

Hewlett Packard Enterprise Support Center
HPESBHF03769 rev.1 – HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities
Document ID: hpesbhf03769en_us
Last Updated: 2017-08-24
Potential Security Impact: Remote: Authentication Bypass, Code Execution:
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code. […] Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.

https://www.hpe.com/us/en/servers/integrated-lights-out-ilo.html

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

https://tools.cisco.com/security/center/viewAlert.x?alertId=54930

“Limited details are available to describe this vulnerability or how this vulnerability could be exploited by an attacker. However, a successful exploit of this vulnerability could result in a complete system compromise.”

more on Google Titan

August 24, 2017August 24, 2017 ~ hucktech ~ Leave a comment

These are the slides of our research referenced in Titan firmware security chip for Google's Cloud Platform https://t.co/2iOoELk20G [pdf] https://t.co/jEXRRmnwhG

— Yuriy Bulygin (@c7zero) August 24, 2017

Earlier I pointed out some Google Titan info but didn’t have much info on it:

Google “Titan” secure microcontroller

(nobody left a comment, but a few people commented on it on Twitter.)

In the last few days, there’s more info available now:

https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-security-in-plaintext.html

https://www.blog.google/topics/google-cloud/bolstering-security-across-google-cloud/

https://cloud.google.com/security/

probably unrelated?:
https://github.com/GoogleCloudPlatform/titan

Embedi on Intel AMT vulnerability

August 24, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/_embedi_/status/900755346595213312

https://embedi.com/news/adventure-final-intel-amt-problem

Click to access HITB_2017.pdf

DMTF releases Redfish training videos in Chinese

August 24, 2017 ~ hucktech ~ Leave a comment

DMTF has a new educational video series for Redfish in Chinese available:

Viewers in China can now view #RedfishAPI videos! Learn how DMTF’s new Youku channel offers “Redfish School”: https://t.co/jy62YNwJVx

— DMTF (@DMTF) August 22, 2017

http://i.youku.com/i/UMzAwMDE2MDcy?spm=a2hzp.8244740.0.0

QubesOS, Invisible Things Lab, and Purism

August 24, 2017 ~ hucktech ~ Leave a comment

Purism ships Debian-derived PureOS, and used to ship QubesOS. Now, Qubes is not really an option. I don’t know the full story, below posts give some background.

https://groups.google.com/forum/#!topic/qubes-users/2GfyEz0eYCE

https://puri.sm/posts/2017-07-shipping-update-for-qubes-orders/

https://forums.puri.sm/t/no-longer-listed-on-the-qubes-websites-certification-page/1050/5

https://www.qubes-os.org/news/2015/12/09/purism-partnership/

https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptops

https://www.qubes-os.org/doc/system-requirements/

https://www.qubes-os.org/hcl/

https://web.archive.org/web/20170506112157/https://www.qubes-os.org/doc/certified-laptops/

Collabora: Changing the Android boot animation

August 22, 2017 ~ hucktech ~ Leave a comment

Quick hack: Changing the Android boot animation

Posted on 21/04/2017 by Robert Foss

For various reasons you might want to change the Android boot animation to something other than the stock one, this is how you do it. There exists official documentation for how to create a custom boot animation, but unfortunately it is lacking in actual examples. So this guide is a bit more hands-on. Without covering too much of the same gound as the documentation, let’s have a quick look at what is in a simple bootanimation.zip.[…]

https://www.collabora.com/news-and-blog/blog/2017/04/21/quick-hack-changing-the-android-boot-animation/

https://android.googlesource.com/platform/frameworks/base/+/master/cmds/bootanimation/FORMAT.md

William reviews RWEverything

August 22, 2017 ~ hucktech ~ Leave a comment

William has a review of RWEverything, a freeware tool for Windows:

http://www.basicinputoutput.com/2017/08/rweverything-yes-everything.html

Home

See-also:

tool mini-review: RWEverything

op-test-framework: OpenPOWER firmware test harness

August 22, 2017 ~ hucktech ~ Leave a comment

op-test-framework: Let’s break the console!

https://github.com/open-power/op-test-framework

See-also Stewart’s pointer to a blog by Jeremy:

http://jk.ozlabs.org/blog/post/163/openpower-console-implementations/

DR.CHECKER: Linux kernel driver vulnerability detection tool

August 22, 2017 ~ hucktech ~ Leave a comment

Another day, another release. DR.CHECKER: A Vulnerability Detection Tool for Kernel Drivers goes online: https://t.co/BfZ7EuWvWz #usesec17

— Aravind Machiry (@machiry_msidc) August 16, 2017

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

usage: run_all.py [-h] [-l LLVM_BC_OUT] [-a CHIPSET_NUM] [-m MAKEOUT] [-g COMPILER_NAME] [-n ARCH_NUM] [-o OUT] [-k KERNEL_SRC_DIR] [-skb] [-skl] [-skp] [-ske] [-ski] [-f SOUNDY_ANALYSIS_OUT]

optional arguments:
-h, –help show this help message and exit
-l LLVM_BC_OUT Destination directory where all the generated bitcode files should be stored.
-a CHIPSET_NUM Chipset number. Valid chipset numbers are:
1(mediatek)|2(qualcomm)|3(huawei)|4(samsung)
-m MAKEOUT Path to the makeout.txt file.
-g COMPILER_NAME Name of the compiler used in the makeout.txt, This is
needed to filter out compilation commands. Ex: aarch64-linux-android-gcc
-n ARCH_NUM Destination architecture, 32 bit (1) or 64 bit (2).
-o OUT Path to the out folder. This is the folder, which
could be used as output directory during compiling
some kernels. (Note: Not all kernels needs a separate out folder)
-k KERNEL_SRC_DIR Base directory of the kernel sources.
-skb Skip LLVM Build (default: not skipped).
-skl Skip Dr Linker (default: not skipped).
-skp Skip Parsing Headers (default: not skipped).
-ske Skip Entry point identification (default: not
skipped).
-ski Skip Soundy Analysis (default: not skipped).
-f SOUNDY_ANALYSIS_OUT Path to the output folder where the soundy analysis output should be stored.

https://github.com/ucsb-seclab/dr_checker

Huawei boot loader vulnerability

August 21, 2017 ~ hucktech ~ Leave a comment

3 boot loader/smartphone security vulnerabilities from Huawei. Text of two and links to all 3 are below:

Security Advisory – Out-of-Bounds Memory Access Vulnerability in the Boot Loaders of Huawei Mobile Phones
SA No:huawei-sa-20170816-01-smartphone
Initial Release Date: 2017-08-16
The boot loaders of some Huawei mobile phones have an out-of-bounds memory access vulnerability due to the lack of parameter validation. An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. The APP can modify specific data to cause buffer overflow in the next system reboot, causing out-of-bounds memory read which can continuous system reboot. (Vulnerability ID: HWPSIRT-2017-01070)
This vulnerability has been assigned a CVE ID: CVE-2017-8149. Huawei has released software updates to fix this vulnerability. Successful exploit could cause out-of-bounds memory read, leading to continuous system reboot.
This vulnerability can be exploited only when the following conditions are present: 1) The attacker has gained the root privilege of an Android system and successfully tricked a user into installing the malicious APP. 2) An attacker with the root privilege of an Android system may trick a user into installing a malicious APP. The APP can modify specific data to cause out-of-bounds memory read, leading to continuous system reboot. This vulnerability was reported to Huawei PSIRT by Aravind, Machiry. Huawei would like to thank Aravind, Machiry for working with us and coordinated vulnerability disclosure to protect our customers.[…]

Security Advisory – Authentication Bypass Vulnerability in Huawei Honor 5S Smart Phones
SA No:huawei-sa-20170816-03-smartphone
Initial Release Date: 2017-08-16
Huawei Honor 5S smart phones have an authentication bypass vulnerability due to the improper design of some components. An attacker can get a user’s smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. (Vulnerability ID: HWPSIRT-2017-07037). This vulnerability has been assigned a CVE ID: CVE-2017-8151. Huawei has released software updates to fix this vulnerability. Successful exploit could allow the attacker to reset the password and fingerprint of the phone. This vulnerability can be exploited only when the following conditions are present: 1) The attacker obtains a user’s smart phone in unlocked state. An attacker can get a user’s smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. This vulnerability was reported to Huawei PSIRT by security researcher Zhang Qing. Huawei would like to thank Zhang Qing for working with us and coordinated vulnerability disclosure to protect our customers.

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-smartphone-en
http://www.huawei.com/my/psirt/security-advisories/huawei-sa-20170807-01-smartphone-en
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-03-smartphone-en
http://www.huawei.com/us/psirt

https://www.linkedin.com/in/aravind-kumar-machiry-00459923

https://cn.linkedin.com/in/%E6%B8%85-%E5%BC%A0-4b37b2108

Frida 10.4 released

August 21, 2017 ~ hucktech ~ Leave a comment

Frida 10.4 is out with brand new APIs for working with machine code across all supported architectures:https://t.co/2kkjC0hOQV pic.twitter.com/ubvdgskleQ

— Frida (@fridadotre) August 16, 2017

Frida provides quite a few building blocks that make it easy to do portable instrumentation across many OSes and architectures. One area that’s been lacking has been in non-portable use-cases. While we did provide some primitives like Memory.alloc(Process.pageSize) and Memory.patchCode(), making it possible to allocate and modify in-memory code, there wasn’t anything to help you actually generate code. Or copy code from one memory location to another. Considering that Frida needs to generate and transform quite a bit of machine code for its own needs, e.g. to implement Interceptor and Stalker, it should come as no surprise that we already have C APIs to do these things across six different instruction set flavors. Initially these APIs were so barebones that I didn’t see much value in exposing them to JavaScript, but after many years of interesting internal use-cases they’ve evolved to the point where the essential bits are now covered pretty well. So with 10.4 we are finally exposing all of these APIs to JavaScript. It’s also worth mentioning that these new bindings are auto-generated, so future additions will be effortless.[…]

https://www.frida.re/news/2017/08/15/frida-10-4-released/

Android 8.0 (“Oreo”) security changes

August 21, 2017 ~ hucktech ~ Leave a comment

Android 8.0 includes the following security-related changes#MobileSecurity #AndroidSecurity #AndroidOreo https://t.co/1brbTQtn4q pic.twitter.com/50xMTKTjbi

— Mobile Security (@mobilesecurity_) August 21, 2017

Also, less telemetry, secured boot loader and boot loader signing key, not iOS builds,

— the grugq (@thegrugq_ebooks) August 21, 2017

https://android-developers.googleblog.com/2017/08/introducing-android-8-oreo.html

https://developer.android.com/about/versions/o/android-8.0-changes.html#security-all

https://developer.android.com/topic/security/index.html

https://developer.android.com/about/versions/o/index.html

The Android boot process

August 21, 2017 ~ hucktech ~ Leave a comment

The Android Boot Process #MobileSecurity #AndroidSecurity https://t.co/2hWlQCyett

— Mobile Security (@mobilesecurity_) August 21, 2017

The Android boot process
Punya Vashist

[…] Android, by the looks of it, seems to be a simplistic Operating System. However, in contrast, the processes and functions that add up to the OS a majority of the smartphone consumer uses are a lot more complex. The boot process, for starters, is nothing but a bunch of fancy images and animations for the end user. This post aims at breaking the boot process down for those very end users. And I promise a thorough read is all you need to understand the process. Nothing is too complicated if explained the right way.[…]

https://thecyberfibre.com/android-boot-process/

dockerscan: A Docker analysis and hacking tools

August 21, 2017 ~ hucktech ~ Leave a comment

dockerscan – Docker Security Analysis and Hacking Tools https://t.co/CVU7uiZOAO

— Nicolas Krassas (@Dinosn) August 20, 2017

dockerscan: A Docker analysis and hacking tools

Authors: Daniel Garcia (cr0hn) / Roberto Munoz (robskye)

https://github.com/cr0hn/dockerscan

Finnbarr on state of Intel ME hacking tools

August 21, 2017 ~ hucktech ~ Leave a comment

Finbarr has a new article on Intel ME, in which he’s wondering if current tools are acquiring bitrot:

[…]It seems to me there is little ongoing work to enhance existing ME analysis tools such as me_unpack or the meloader IDA plugin to support ME firmware versions 9.5.X.X or later. Possible reasons for this state of affairs include the lack of available documentation for ME versions above 9, no ROMB-enabled ME firmware later the version 9 in the wild, or simply that the ME tool developers have moved on to other projects.

https://blog.fpmurphy.com/2017/08/has-intel-me-analysis-tool-development-petered-out.html

Also, this post pointed out an Intel ME web site I had not seen before:

http://me.bios.io/Main_Page

It has an invalid HTTPS cert, and appears to have been last updated a few years ago.

PS: Also, if you are using Finnbarr’s UEFI-Utilities, note that he’s recently started including ThinkPwn as one of the binaries, so be careful how you deploy it. CHIPSEC blacklists ThinkPwn as one of handful of known UEFI malware modules.

Manticore 0.1.4 released

August 19, 2017 ~ hucktech ~ Leave a comment

New today: Manticore 0.1.4 includes significant API improvements, support for symbolic files, and experimental Binary Ninja IL emulation!

— Trail of Bits (@trailofbits) August 18, 2017

See the full changelog for Manticore 0.1.4: https://t.co/Qfo0WnzjWG

— Trail of Bits (@trailofbits) August 18, 2017

https://twitter.com/feliam/status/898677002789462016

https://github.com/trailofbits/manticore/blob/master/CHANGELOG.md#014—2017-08-18

https://github.com/trailofbits/manticore

Manticore: Symbolic execution for humans

New x86 microcode tool

August 19, 2017 ~ hucktech ~ 2 Comments

https://twitter.com/ryanmaple/status/898616746717741058

Microprograms related to our x86 microcode update paper (see https://t.co/kpBETIzbNa) are now available at https://t.co/Tx6xgAdsyT #usesec17

— Thorsten Holz (@thorstenholz) August 19, 2017

https://github.com/RUB-SysSec/Microcode

“This repository contains a collection of x86 CPU microcode samples in binary and rtl form. The samples are compiled from scratch and specifically work with AMD’s K10 processor family.”

LLVM can now emit/parse/diff Windows PDBs

August 19, 2017 ~ hucktech ~ Leave a comment

PDBs are the sidecar symbol files for Windows. The spec used to be private, now is public, and now it is great to see Clang supporting them. Last time I looked, GCC does not support them.

LLVM on windows now can emit and parse pdbs, their code will be useful for other tools as well as the only good opensrc reference impl https://t.co/Bw06XHCqYS

— Richard Johnson (@richinseattle) August 19, 2017

https://twitter.com/aionescu/status/898829293714784256

http://blog.llvm.org/2017/08/llvm-on-windows-now-supports-pdb-debug.html

Cr4sh’s DmaHvBackdoor.c: Hyper-V backdoor for UEFI

August 19, 2017August 19, 2017 ~ hucktech ~ Leave a comment

Cr4sh is having fun with Windows Device Guard:

Thanks to UEFI and winload it's quite easy to implement such pre-boot intrusion things in reliable way, see my code snippet for more details

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Device Guard enabled Win 10 doesn't allows to debug the Hyper-V core, so I'm planning to introspect it from guest VM using this backdoor

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Btw, winload level backdoors are also convenient for injecting arbitrary code into the VSM secure kernel running in VTL1 pic.twitter.com/GWPd8WGaoJ

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Also, this HvlpBelow1MbPage constant address thing might work for ASLR/NX bypass during exploitation of Hyper-V kernel vulnerabilities

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Made an interesting payload for my evil PCI-E device, VM exit handler backdoor for Hyper-V based on UEFI DXE driver: https://t.co/EdALr4RxlN pic.twitter.com/ZGxXsiaDWi

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Hypervisor introspection from guest VM with the help of DIY Hyper-V backdoor from my previous tweets pic.twitter.com/7oolndxe2M

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 19, 2017

Injecting code into *secure* kernel running in *secure* mode on top of *secure* boot??? OMG, we totally need more of that secure stuff!!! https://t.co/3RXeEvyLB1

— Yuriy Bulygin (@c7zero) August 19, 2017

DmaHvBackdoor.c comments:

Part of UEFI DXE driver code that injects Hyper-V VM exit handler backdoor into the Device Guard enabled Windows 10 Enterprise. Execution starts from new_ExitBootServices() — a hook handler for EFI_BOOT_SERVICES.ExitBootServices() which being called by winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) by calling winload!HvlpTransferToHypervisor(). To transfer execution to Hyper-V winload.efi uses a special stub winload!HvlpLowMemoryStub() copied to reserved memory page at constant address 0x2000. During runtime phase this memory page is visible to hypervisor core at the same virtual and physical address and has executable permissions which makes it a perfect place to store our Hyper-V backdoor code. VMExitHandler() is a hook handler for VM exit function of hypervisor core, it might be used for interaction between hypervisor backdoor and guest virtual machines.

WordPress chokes on Github gist-based URLs, so click on initial Tweet above for URL. Or look for entry that matches date: