FWTS 16.11.00 released

Ivan Hu of Canonical announced the 16.11.00 release of FWTS, the FirmWare Test Suite.

New Features include:
 * ACPICA: Update to version 20160930
 * uefibootpath: add test for eMMC device path
 * uefidump: add dumping for the eMMC device path

There are lots of bugfixes as well, see the Changelog.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.11.00

Nathan: security-centric Android emulator

Nathan is an Android 5.1.1 (SDK 22) AOSP emulator customized for mobile security assessment. It currently works on x86, with ARM support planned.

The emulator is equipped with the Xposed Framework and the following pre-installed modules:
* SSLUnpinning, to bypass SSL Certificate pinning.
* Inspeckage, to perform the dynamic analysis of an application.
* RootCloak, to bypass root detection.

The following tools are already installed:
* SuperSU: Superuser access management tool
* Drozer: Comprehensive security and attack framework for Android

Features:
* Only python 2.7.x required
* Hooking ready with Xposed
* Pre-installed tools for application analysis
* Fully customizable
* Snapshot and restore of user data

https://github.com/mseclab/nathan

UEFI Capsule-Update and Recovery

On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI capsule-based firmware update and recovery. Capsule updates are the mechanism by which UEFI-based firmware updates itself.

Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this first use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.

https://github.com/mdkinney/edk2/wiki/Capsule-Based-Firmware-Update-and-Firmware-Recovery

https://github.com/mdkinney/edk2/wiki/Capsule-Based-System-Firmware-Update

https://lists.01.org/mailman/listinfo/edk2-devel

Run As Radio: UEFI Secure Boot

Episode 503 is on UEFI and Secure Boot:

“The BIOS has evolved, and we need to take advantage of it! While at Ignite in Atlanta, Richard sat down with Mark Minasi to talk about UEFI and SecureBoot. The conversation starts out with a bit of a history lesson about BIOS, ROM and booting up a computer. Mark tells the story of how EFI started with Intel’s Itanium, and eventually appeared everywhere. UEFI is effectively an operating system in its own right, with drivers and its own set of security risks. This leads to a conversation around SecureBoot, dealing with the challenges of resisting security exploits from startup onward. It’s easy enough to get SecureBoot running, it’s what happens when it’s triggered that gets complicated.”

http://www.runasradio.com/Shows/Show/503


Disassembling x86 binaries

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries
Dennis Andriesse, Xi Chen, Victor van der Veen, Asia Slowinska, Herbert Bos

It is well-known that static disassembly is an unsolved problem, but how much of a problem is it in real software— for instance, for binary protection schemes? This work studies the accuracy of nine state-of-the-art disassemblers on 981 real-world compiler-generated binaries with a wide variety of properties. In contrast, prior work focuses on isolated corner cases; we show that this has led to a widespread and overly pessimistic view on the prevalence of complex constructs like inline data and overlapping code, leading reviewers and researchers to underestimate the potential of binary-based research. On the other hand, some constructs, such as function boundaries, are much harder to recover accurately than is reflected in the literature, which rarely discusses much needed error handling for these primitives. We study 30 papers recently published in six major security venues, and reveal a mismatch between expectations in the literature, and the actual capabilities of modern disassemblers. Our findings help improve future research by eliminating this mismatch.

Slides and video here:

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/andriesse


Intel Manageability Commander for Windows: Intel AMT tool

pdxgrlgeek has a new post on the Intel blog about Intel Manageability Commander, an Intel AMT-centric, Microsoft Windows-centric tool that optionally integrates with Microsoft SCCM. Excerpts from the blog post and from the software’s readme PDF:

I am excited to announce the release of Intel® Manageability Commander.  Built from the widely used MESHCommander application, Intel® Manageability Commander will make it significantly easier to take advantage of Intel® AMT out of band hardware management features provided on Intel® vPro™ platforms. Intel® Manageability Commander is a light weight console used to connect with and utilize the features of Intel® Active Management Technology (Intel® AMT). Through this software, users will be able to connect to activated Intel® AMT devices to perform functions such as power control, remote desktop, hardware inventory, remote terminal, and more. Additionally, this software will plug into Microsoft* System Center Configuration Manager (SCCM) version 1511 and later.

Subset of features from blog post:
* View and modify network settings of Intel® AMT. If the PC has a wireless interface, users can add multiple wireless profiles to connect to Intel® AMT using the wireless interface
* Configure Intel® AMT security features such as System Defense, Audit Log, and Access Control List
* Discover, diagnose and manage Intel® AMT configured PCs remotely
* View and solve user PC and Operating System issues via integrated KVM remote control (Keyboard, Video, Mouse)
* Display Intel® AMT events and filter events by keyword
* Enable or disable Intel® AMT features on a configured system directly from Intel® Manageability Commander’s user interface.
* Integrate with Microsoft SCCM current build version 1511 and later

Read the list of errata in the release notes, too. For example:
1) Powering off a system using Intel® Manageability Commander uses the Intel® AMT power control feature and is outside of the operating system. This means that an OS-based reboot or power down is not possible. Over time, repeated use of this feature could lead to corruption in the operating system. This is the expected behavior of Intel® AMT power off command for all versions of Intel® AMT.

This is a Windows-centric tool. It appears that if you want all the fun tools from Intel, you have to use Windows, not Linux, macOS, Android or ChromeOS. 😐

https://communities.intel.com/community/tech/vproexpert/blog/2016/11/05/intel-manageability-commander-with-microsoft-sccm-integration
http://www.intel.com/content/www/us/en/support/software/manageability-products/intel-manageability-commander.html
https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander


UEFI-Bootkit

I just noticed a new UEFI bootkit on Github which I’d never heard of:

“UEFI-Bootkit: A small bootkit designed to use as little ASM as possible. Thanks to pyro666”

https://github.com/dude719/UEFI-Bootkit

I sent an FYI to the UEFI Security group before posting about it to this blog, in the name of responsible disclosure. Dick Wilkins of Phoenix Technologies, and of the UEFI Forum’s Security Response Team (USRT), replied with his input on the code:

“I just took a quick look at this code in github. It looks like the typical UEFI application that changes the configuration and could cause unexpected things to boot. The unexpected stuff could damage the system and then continue to boot up normally but compromised. This is exactly why Secure Boot was needed. If Secure Boot is disabled (or not implemented), there are many ways to insert code into the boot path and compromise a system. If Secure Boot is enabled, this code and any code like it would not be properly signed and would never run. There is nothing new here. This is why end users must be discouraged from disabling secure boot and running non UEFI Secure Boot aware systems.”

http://www.uefi.org/security

AMI providing Redfish-enabled firmware for Intel and Aspeed models

AMI is now offering firmware for both BIOS and BMC on Intel customer reference boards (CRB) for the Intel Xeon® processor D-1500 product family and the 4th generation baseboard management controller (BMC) from Aspeed, the Aspeed AST2300 BMC. AMI has developed generic Redfish BIOS and BMC firmware support and has tested on the next generation AMD silicon. AMI’s BIOS and BMC firmware are highly integrated, allowing data center administrators to simultaneously, remotely and securely manage a number of server platforms out-of-box. Other features include BIOS-level firmware configuration and firmware updating. BMC functionality is based on the open industry standard specification and schema from DMTF’s Redfish™ API with the goal of creating seamless integration into existing tool chains.

http://ami.com/products/bios-uefi-firmware/aptio-v/
https://ami.com/news/press-releases/?PressReleaseID=368

VxWorks stack overflow EOP reported

Intel Product Security has a new security advisory for Wind River’s VxWorks:

Stack overflow vulnerability in Wind River VxWorks
Intel ID:      INTEL-SA-00064
Product family:      Wind River VxWorks
Impact of vulnerability:      Elevation of Privilege
Severity rating:      Critical
Original release:      Nov 01, 2016

WindRiver is releasing mitigations for a privilege escalation issue. This issue affects versions of Wind River VxWorks products. The issue being mitigated is a method to execute arbitrary code without user interactions. Anonymous remote attackers can cause a stack overflow, which can be used to obtain remote code execution on affected devices running vulnerable VxWorks versions without any user interactions. Intel strongly recommends customers using impacted versions of WindRiver VxWorks to upgrade to the latest version listed in the table above.
Acknowledgements: Alex Wheeler, David Barksdale – Exodus Intelligence
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00064&languageid=en-fr

New UEFI patch that Enables SMM page level protection.

Jiewen Yao of Intel submitted a six-part patch series to TianoCore (EDK2) that adds SMM page-level protection. It appears to be the first version of the series.

This patch series enables SMM page level protection. Features are:
1) PiSmmCore reports SMM PE image code/data information in EdkiiPiSmmMemoryAttributeTable, if the SMM image is page aligned.
2) PiSmmCpu consumes EdkiiPiSmmMemoryAttributeTable and set XD for data page and RO for code page.
3) PiSmmCpu enables Static Paging for X64 according to PcdCpuSmmStaticPageTable. If it is true, 1G paging for above 4G is used as long as it is supported.
4) PiSmmCpu sets important data structures to be read only, such as Gdt, Idt, SmmEntrypoint, and PageTable itself.

tested platform:
1) Intel internal platform (X64).
2) EDKII Quark IA32
3) EDKII Vlv2  X64
4) EDKII OVMF IA32 and IA32X64.

  MdeModulePkg/Include: Add PiSmmMemoryAttributesTable.h
  MdeModulePkg/dec: Add gEdkiiPiSmmMemoryAttributesTableGuid.
  MdeModulePkg/PiSmmCore: Add MemoryAttributes support.
  UefiCpuPkg/dec: Add PcdCpuSmmStaticPageTable.
  UefiCpuPkg/PiSmmCpuDxeSmm: Add paging protection.
  QuarkPlatformPkg/dsc: enable Smm paging protection.
 36 files changed, 4513 insertions(+), 798 deletions(-)

For more information, see the posting on the edk2-devel list:
https://lists.01.org/mailman/listinfo/edk2-devel
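
To make the page-attribute handling in steps 2 and 4 concrete, here is an added C model; it is not code from the patch series or from EDK2. It keeps a flat table of 4K page-table entries for a small SMRAM window, consumes an attribute table whose attribute values use the EFI_MEMORY_XP / EFI_MEMORY_RO encodings from the UEFI memory attributes table, sets XD on data pages and clears RW on code pages, locks the page that holds the page table itself, and then audits for pages that are still both writable and executable. The SMRAM base, the 16-page window, the unlisted (non-page-aligned) image occupying pages 8-14, and the demo_* functions are assumptions made for the example; the real series uses multi-level page tables and optionally 1G pages above 4G, which this model omits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Architectural x86-64 page-table entry bits. */
#define PTE_P   (1ULL << 0)    /* present */
#define PTE_RW  (1ULL << 1)    /* writable when set, read-only when clear */
#define PTE_XD  (1ULL << 63)   /* execute-disable (needs EFER.NXE on real hardware) */

/* Same encoding as EFI_MEMORY_XP / EFI_MEMORY_RO in the UEFI memory attributes table. */
#define MEM_XP 0x0000000000004000ULL
#define MEM_RO 0x0000000000020000ULL

#define PAGE_SIZE 4096ULL
#define MAX_PAGES 64

typedef struct {
    uint64_t physical_start;   /* must be page aligned, as in step 1 */
    uint64_t number_of_pages;
    uint64_t attribute;        /* MEM_XP for data ranges, MEM_RO for code ranges */
} mem_attr_entry;

/* Toy SMRAM page table: one 4K PTE per page, identity mapped from base (model, not EDK2 code). */
typedef struct {
    uint64_t base;
    size_t   n_pages;
    uint64_t pte[MAX_PAGES];
} smm_page_table;

void smm_pt_init(smm_page_table *pt, uint64_t base, size_t n_pages) {
    pt->base = base;
    pt->n_pages = n_pages;
    for (size_t i = 0; i < n_pages; i++)            /* pre-patch state: every page is RWX */
        pt->pte[i] = (base + i * PAGE_SIZE) | PTE_P | PTE_RW;
}

/* Step 2: consume the attribute table, XD on data pages and RO on code pages.
   Returns the number of PTEs that changed, or -1 for an unaligned or out-of-range entry. */
int smm_apply_attributes(smm_page_table *pt, const mem_attr_entry *tbl, size_t n) {
    int changed = 0;
    for (size_t e = 0; e < n; e++) {
        if (tbl[e].physical_start % PAGE_SIZE != 0) return -1;   /* unaligned: cannot be protected per page */
        if (tbl[e].physical_start < pt->base) return -1;
        uint64_t first = (tbl[e].physical_start - pt->base) / PAGE_SIZE;
        if (first >= pt->n_pages || tbl[e].number_of_pages > pt->n_pages - first) return -1;
        for (uint64_t i = first; i < first + tbl[e].number_of_pages; i++) {
            uint64_t old = pt->pte[i], upd = old;
            if (tbl[e].attribute & MEM_XP) upd |= PTE_XD;       /* data: no execute */
            if (tbl[e].attribute & MEM_RO) upd &= ~PTE_RW;      /* code (or page table): no write */
            if (upd != old) { pt->pte[i] = upd; changed++; }
        }
    }
    return changed;
}

bool pte_executable(uint64_t pte) { return (pte & PTE_P) && !(pte & PTE_XD); }
bool pte_writable(uint64_t pte)   { return (pte & PTE_P) && (pte & PTE_RW); }

/* W^X audit: present pages that are still both writable and executable. */
size_t smm_count_wx_pages(const smm_page_table *pt) {
    size_t wx = 0;
    for (size_t i = 0; i < pt->n_pages; i++)
        if (pte_writable(pt->pte[i]) && pte_executable(pt->pte[i])) wx++;
    return wx;
}

/* Constructed scenario (assumption): 16-page SMRAM window at 0x7F000000. A page-aligned SMM
   image has code in pages 0-3 and data in pages 4-7; the page table lives in page 15 (step 4).
   Pages 8-14 hold an image that is not page aligned, so it never reaches the table. */
#define DEMO_BASE 0x7F000000ULL
static const mem_attr_entry demo_table[] = {
    { DEMO_BASE + 0 * PAGE_SIZE,  4, MEM_RO },
    { DEMO_BASE + 4 * PAGE_SIZE,  4, MEM_XP },
    { DEMO_BASE + 15 * PAGE_SIZE, 1, MEM_RO | MEM_XP },
};
static const size_t demo_entries = sizeof demo_table / sizeof demo_table[0];

static int demo_build(smm_page_table *pt) {
    smm_pt_init(pt, DEMO_BASE, 16);
    return smm_apply_attributes(pt, demo_table, demo_entries);
}

int    demo_changed_ptes(void)      { smm_page_table pt; return demo_build(&pt); }
size_t demo_wx_pages_before(void)   { smm_page_table pt; smm_pt_init(&pt, DEMO_BASE, 16); return smm_count_wx_pages(&pt); }
size_t demo_wx_pages_after(void)    { smm_page_table pt; demo_build(&pt); return smm_count_wx_pages(&pt); }
bool   demo_code_page_is_ro_x(void) { smm_page_table pt; demo_build(&pt); return !pte_writable(pt.pte[0]) && pte_executable(pt.pte[0]); }
bool   demo_data_page_is_rw_nx(void){ smm_page_table pt; demo_build(&pt); return pte_writable(pt.pte[4]) && !pte_executable(pt.pte[4]); }
bool   demo_page_table_locked(void) { smm_page_table pt; demo_build(&pt); return !pte_writable(pt.pte[15]) && !pte_executable(pt.pte[15]); }
int    demo_rejects_unaligned(void) {
    smm_page_table pt; smm_pt_init(&pt, DEMO_BASE, 16);
    mem_attr_entry bad = { DEMO_BASE + 100, 1, MEM_RO };
    return smm_apply_attributes(&pt, &bad, 1);
}

int main(void) {
    printf("PTEs changed: %d\n", demo_changed_ptes());
    printf("W+X pages before/after: %zu/%zu\n", demo_wx_pages_before(), demo_wx_pages_after());
    return 0;
}
```

The residual seven W+X pages are the point of the "if the SMM image is page aligned" qualifier in step 1: an image that is not page aligned is not reported, so its pages keep the old RWX mapping, which is what a practitioner should look for when evaluating a platform's SMM hardening.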

Lenovo XClarity

Apparently Lenovo’s XClarity Administrator software uses the Redfish API:

https://twitter.com/LenovoTechSales/status/793408198640271360

“Lenovo XClarity is a fast, flexible, and scalable hardware systems management application that enables administrators to deploy infrastructure faster and with less effort. This video provides a brief overview of XClarity Administrator, VMware Integration, the XClarity Mobile App, and new features supporting extended management of storage and network switches.”

Here’s a Lenovo video showing the tech:

Secure and Trusted Boot of OpenPOWER

Stewart Smith of IBM has a new blog post about using POWER8-based systems. This one is very interesting, it talks about OpenPOWER use of Secure and Trusted Boot:

Fast Reset, Trusted Boot and the security of /sbin/reboot:
In OpenPOWER land, we’ve been doing some work on Secure and Trusted Boot ( http://open-power.github.io/skiboot/doc/stb.html )  while at the same time doing some work on what we call fast-reset ( https://github.com/open-power/skiboot/commit/0279d8951ead549fdebce93130a2f6c673081862 )  (or fast-reboot, depending on exactly what mood someone was in at any particular time…. we should start being a bit more consistent).[…]

Fast Reset, Trusted Boot and the security of /sbin/reboot

TrouSerS getting kicked out of Debian?

Thomas Habets points out on the trousers-users list that TrouSerS, the open source TPM stack, is getting kicked out of Debian due to its lack of OpenSSL 1.1 support. I hope someone at TrouSerS is working on this. Thomas has a similar tool, Simple-TPM-PK11, has already made the kind of changes in his tool that TrouSerS will need to make, and describes them in his post to trousers-users.

http://bugs.debian.org/828579

https://github.com/ThomasHabets/simple-tpm-pk11/
https://github.com/ThomasHabets/simple-tpm-pk11/commit/354f0cf3a193dbe8b1151059a08b0598531b645c

https://lists.sourceforge.net/lists/listinfo/trousers-users

http://trousers.sourceforge.net/

MBRFilter: MBR security for Windows

Lucian Constantin has an article about a new Windows-centric MBR protection tool created by Cisco’s Talos. From his article on CSO Online:

[…]Cisco’s Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks. The tool, called MBRFilter, functions as a signed system driver and puts the disk’s sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub. The master boot record (MBR) consists of executable code that’s stored in the first sector (sector 0) of a hard disk drive and launches the operating system’s boot loader. The MBR also contains information about the disk’s partitions and their file systems. Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits — boot-level rootkits. […]

From the project’s readme:

[…]This is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers. The goal of this filter is to prevent writing to Sector 0 on disks. This is useful to prevent malware that overwrites the MBR like Petya. This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit ‘Cancel’ when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting. […]

http://www.csoonline.com/article/3133115/security/free-tool-protects-pcs-from-master-boot-record-attacks.html

https://github.com/vrtadmin/MBRFilter/releases/tag/1.0
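
To show what a sector-0 write filter does and does not cover, here is an added C model of the filter's decision logic over a constructed toy disk image; it is not MBRFilter's code, which is a Windows kernel filter driver operating on I/O request packets. The write_req structure, the 64-sector disk, the minimal MBR it builds, and the demo_* functions are assumptions made for the example. The filter rule itself follows the readme: a write is refused when it touches sector 0, and nothing else is inspected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE  512ULL
#define DISK_SECTORS 64ULL                 /* constructed toy disk, 32 KiB */

/* A write as the filter sees it: byte offset on the disk plus length (model, not the driver's IRP). */
typedef struct {
    uint64_t offset;
    uint64_t length;
} write_req;

typedef struct {
    uint8_t data[DISK_SECTORS * SECTOR_SIZE];
} toy_disk;

/* MBRFilter's rule: refuse any write whose range overlaps sector 0 (bytes 0..511).
   Because the protected range starts at byte 0, "overlaps" reduces to "starts inside it". */
bool mbrfilter_allow(const write_req *r) {
    if (r->length == 0) return true;             /* nothing is written */
    return r->offset >= SECTOR_SIZE;
}

/* Build a disk with a minimal MBR: placeholder boot code, one partition entry, 0x55AA signature. */
void toy_disk_init(toy_disk *d) {
    memset(d->data, 0, sizeof d->data);
    memset(d->data, 0x90, 440);                  /* NOP sled stands in for boot code */
    uint8_t *entry = &d->data[446];              /* first partition-table entry */
    entry[0] = 0x80;                             /* active/bootable */
    entry[4] = 0x07;                             /* type 0x07 (NTFS/exFAT) */
    uint32_t lba_start = 8, lba_count = DISK_SECTORS - 8;
    memcpy(&entry[8],  &lba_start, 4);           /* LBA start, little-endian */
    memcpy(&entry[12], &lba_count, 4);           /* sector count */
    d->data[510] = 0x55;
    d->data[511] = 0xAA;
}

/* Integrity check on what the filter is supposed to protect. */
bool mbr_intact(const toy_disk *d) {
    return d->data[510] == 0x55 && d->data[511] == 0xAA &&
           d->data[446] == 0x80 && d->data[450] == 0x07 && d->data[0] == 0x90;
}

/* Route a write through the filter; returns true if the bytes reached the disk. */
bool filtered_write(toy_disk *d, const write_req *r, const uint8_t *src) {
    if (!mbrfilter_allow(r)) return false;
    if (r->offset > sizeof d->data || r->length > sizeof d->data - r->offset)
        return false;                            /* beyond the toy disk (not a filter decision) */
    memcpy(&d->data[r->offset], src, r->length);
    return true;
}

/* Constructed traffic: two MBR-overwriting writes of the kind Petya-style malware issues,
   one write that straddles sector 0 and 1, a normal file-system write, and a write to LBA 1. */
static size_t demo_run(toy_disk *d, bool allowed[5]) {
    static uint8_t junk[4 * SECTOR_SIZE];
    memset(junk, 0x00, sizeof junk);
    toy_disk_init(d);
    const write_req reqs[5] = {
        { 0,                4 * SECTOR_SIZE },    /* overwrite sectors 0-3: blocked */
        { 446,              66 },                 /* partition table + signature only: blocked */
        { 500,              100 },                /* straddles sectors 0 and 1: blocked */
        { 8 * SECTOR_SIZE,  SECTOR_SIZE },        /* ordinary write inside the partition: allowed */
        { 1 * SECTOR_SIZE,  SECTOR_SIZE },        /* LBA 1, where a GPT header would live: allowed */
    };
    size_t blocked = 0;
    for (size_t i = 0; i < 5; i++) {
        allowed[i] = filtered_write(d, &reqs[i], junk);
        if (!allowed[i]) blocked++;
    }
    return blocked;
}

size_t demo_blocked_count(void)     { toy_disk d; bool a[5]; return demo_run(&d, a); }
bool   demo_mbr_intact_after(void)  { toy_disk d; bool a[5]; demo_run(&d, a); return mbr_intact(&d); }
bool   demo_fs_write_passes(void)   { toy_disk d; bool a[5]; demo_run(&d, a); return a[3]; }
bool   demo_lba1_write_passes(void) { toy_disk d; bool a[5]; demo_run(&d, a); return a[4]; }

int main(void) {
    printf("blocked: %zu, MBR intact: %s\n", demo_blocked_count(),
           demo_mbr_intact_after() ? "yes" : "no");
    return 0;
}
```

The last request is the caveat a practitioner should keep in mind: the filter, as described, protects sector 0 only, so on a GPT disk the protective MBR is covered but the GPT header at LBA 1 and the partition entries after it are not, and boot code stored anywhere beyond sector 0 is equally unprotected.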