Senrio: JTAG explained

Senrio has a nice blog post on JTAG usage on consumer IoT devices:

JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care: Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin? (If you just want to see the router get rooted, jump down to “Mounting an Attack: Rooting a Home Router” 😉) Our target: A VERY common/popular consumer Access Point. Since you have the device in your hands, you might try directly attacking the hardware. However, if you’ve never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We’ll also go over a quick example to illustrate the power of direct hardware access. […]

http://blog.senr.io/blog/jtag-explained

video of Brian’s Tianocore Linaro Connect presentation

Brian Richardson of Intel recently gave a presentation at ARM Ltd’s Linaro Connect on the subject of UEFI. Intel started UEFI but in recent years ARM is also using UEFI.

EoP vulnerability in Intel SSD Toolbox

Excerpting Intel’s Security Advisory:

Vulnerability in Intel SSD Toolbox allows authenticated users to elevate privileges via updater subsystem
Intel ID: INTEL-SA-00061
Product family: Intel® Solid-State Drive Consumer, Professional, Embedded and Data Center
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Oct 04, 2016

The vulnerability allows a potentially malicious 3rd party to gain the highest possible elevation of privilege level in the Operating System. The root cause of the vulnerability has been identified as an implementation bug in the updater subsystem of the Intel SSD Toolbox. Intel strongly recommends customers impacted by this issue to upgrade to the latest version listed in the table above. This issue was reported to Intel by Florian Bogner @ Kapsch BusinessCom AG.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00061&languageid=en-fr
https://downloadcenter.intel.com/download/26085/Intel-Solid-State-Drive-Toolbox?v=t

UEFI Forum updates PI spec

There’s a bit more to be gleaned from reading the above two twitter threads.

http://www.uefi.org/specifications

Intel IPP crypto has RSA private key side-channel attack

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00060&languageid=en-fr

Intel has found an RSA private key vulnerability in their Intel Integrated Performance Primitives (Intel IPP) cryptography library.

A vulnerability in Intel Integrated Performance Primitives (IPP) Cryptography allows local users to recover the RSA private key via a potential side-channel.
Intel ID: INTEL-SA-00060
Product family: The cryptography (CP) domain in Intel® Integrated Performance Primitives (Intel® IPP)
Impact of vulnerability: Information Disclosure
Severity rating: Important
Original release: Oct 04, 2016

The cryptography (CP) domain in Intel’s newest version of Intel® Integrated Performance Primitives (Intel® IPP) v2017 has been enhanced to improve its security and customers are strongly urged to update to this release. A potential side-channel vulnerability was identified in the Intel® Integrated Performance Primitives Cryptography which is bundled with Intel® IPP. The vulnerability allows an attacker to potentially recover enough information to retrieve an RSA private key. The root cause of the issue has been identified and mitigated in the latest release of IPP Cryptography. The CVSSv3 severity rating for this issue is 7.1 (High). Intel has developed an update to the Intel® IPP Cryptography software and is making it available to customers. The mitigated versions are Intel® IPP Cryptography 2017 and 9.0.4. Users with licensed versions of IPP Cryptography can obtain the mitigated versions at this URL: <https://registrationcenter.intel.com/en/>. Intel strongly recommends customers impacted by this issue to upgrade to the latest version listed in the table above. […]

Intel issues SMM patches for Intel NUCs

Intel has updated NUCs for the recent SMM EoP issue. They updated their servers earlier.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00057&languageid=en-fr

Recommendations: Intel highly recommends updating the BIOS of all Intel® NUCs to the recommended BIOS or later listed in the table of affected products.

Acknowledgements: Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.

As I understand it, this SMM issue impacts many systems, not just Lenovo and Intel-based products. If you have an Intel-based system from another OEM, check whether that OEM has released updates. Lenovo and HP may have some, but the status of the other OEMs and IBVs is still unclear.

PVS-Studio blog on bugs in GRUB

http://www.viva64.com/en/b/0432/

What’s Hiding Inside the GNU Boot Loader? Searching for Bugs in Grub
PVS-Studio analyzer continues to explore and adapt to the Linux platform. Today we will take a look at the bugs that the tool managed to find in the Grub boot loader. In this article, we will talk about the results of analysis of the boot loader for Unix-like operating systems, known as Grub. This program was developed by Erich Boleyn and comes as part of the GNU Project. GRUB is a reference boot loader implementation compliant with the Multiboot specification and is able to boot any compliant operating system. The Grub project is written in C and has already been checked by other analyzers, including Coverity, so you wouldn’t expect to find any unchecked code fragments in a project like that. PVS-Studio analyzer, however, did manage to catch a few interesting bugs. […]

Qubes 3.2 released

http://blog.invisiblethings.org/2016/09/29/qubes-32.html

Excerpting information about the new 3.2 “USB passthrough” feature from the announcement blog post:

[…] In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes! Qubes has supported the sandboxing of USB devices since the very beginning (2010), but the catch has always been that all the USB devices connected to the same USB controller had to be assigned to the same VM. This limitation was due to the underlying hardware architecture (specifically, PCIe and VT-d technologies). We can now get around this limitation by using software backends. The price we pay for this, however, is increased attack surface on the backend, which is important in the event that several USB devices of different security contexts are connected to a single controller. Sadly, on laptops this is almost always the case. Another potential security problem is that USB virtualization does not prevent a potentially malicious USB device from attacking the VM to which it is connected. These problems are not inherent to Qubes OS. In fact, they pose an even greater threat to traditional, monolithic operating systems. In the case of Qubes, it has at least been possible to isolate all USB devices from the user’s AppVMs. The new USB passthrough feature gives the user more fine-grained control over the management of USB devices while still maintaining this isolation. Nonetheless, it’s very important for users to realize that there are no “automagical” solutions to malicious USB problems. Users should plan their compartmentalization with this in mind. We should also mention that Qubes has long supported the secure virtualization of a certain class of USB devices, specifically mass storage devices (such as flash drives and external hard drives) and, more recently, USB mice. Please note that it is always preferable to use these special, security-optimized protocols when available rather than generic USB passthrough. […]

Heads

https://twitter.com/fowlslegs/status/782711615816740864

Heads is a very interesting new distro by Trammell Hudson. If you like Qubes or Subgraph or Tails, read about this new distro.

“The threat model that Heads proposes to address is very different from that of Tails. Tails’s goal is to allow users to do computation on a machine in a way that doesn’t leave a trace on that system. This requires that the hardware in the system is trusted, which unfortunately is not the case for many users. Additionally many users need a way to keep state in a permanent way and don’t want to expose this state to random machines. Their machines might be subject to physical attacks that might install untrusted firmware or other devices into the system.[1][2] For these reasons, Tails is not sufficient for many users who want a laptop that they can travel with and want to have some assurances that most adversaries won’t be able to modify the hardware underneath them. Complicating this goal is that modern x86 hardware is full of modifiable state[3] and it is full of dusty corners that can hide malware or unauthorized code. Additionally there is unverifiable code running in the Intel Management Engine, which has access to memory, to the network and various other peripherals. As a result we must trust certain entities more than others and this does affect our threat model. This document discusses some of the threats that make building slightly more secure mobile systems very difficult. There is a separate guide on installing Heads on the Thinkpad x230, which covers the practical issues of hardening a laptop against some of the threats described here. […]”

https://trmm.net/Heads

https://trmm.net/Installing_Heads

October 7-9, Berlin: coreboot.berlin event!

On the coreboot-announce list, Peter Stuge just announced the coreboot.berlin event happening NEXT WEEKEND, October 7-9:

SHORT NOTICE: coreboot.berlin next weekend, Oct. 7-9
Hello all, I’m happy to *finally* have the information and registration page online:
https://coreboot.berlin/
Yes, it’s very late, but I hope that we will still be a good number of people meeting up next weekend. Quick feedback helps me make sure that everyone will get food. If you are interested in attending, but unable to register at the Community Registration Fee cost then please get in touch with me, so that we can try to work something out. Thank you very much, and hope to see you in Berlin on the 7th!

https://www.coreboot.org/pipermail/coreboot-announce/2016-September/000023.html

https://coreboot.berlin/

More info on Microsoft BIOS to UEFI feature

Earlier I saw some brief information about some “BIOS to UEFI” feature that Microsoft was adding to some product of theirs, but had no idea what it was about. Here is a bit more information on the System Center feature:

Microsoft working on a “BIOS to UEFI feature” ?

“Improvements for BIOS to UEFI conversion

You can now customize an operating system deployment task sequence with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare a FAT32 partition on the hard drive for transition to UEFI. The following procedure provides an example of how you can create task sequence steps to prepare the hard drive for the BIOS to UEFI conversion.”

https://technet.microsoft.com/library/mt772349(TechNet.10).aspx#Improvements-for-BIOS-to-UEFI-conversion

Linaro Connect

ARM’s Linaro Connect is happening. Click on their web page for live streaming.
In addition to all of the ARM topics, Brian Richardson, an Intel evangelist will be speaking about UEFI at this event. 🙂


http://connect.linaro.org/las16/

new CHIPSEC test for Xen XSA-188

Proof-of-concept module for Xen XSA-188 (https://xenbits.xen.org/xsa/advisory-188.html)
CVE-2016-7154: “use after free in FIFO event channel code”
Discovered by Mikhail Gorobets
This module triggers host crash on vulnerable Xen 4.4
Usage:
"chipsec_main.py -m tools.vmm.xen.xsa188"

https://github.com/chipsec/chipsec/blob/master/source/tool/chipsec/modules/tools/vmm/xen/xsa188.py

Anders Fogh on finding covert channels in SMT

Covert Shotgun: Automatically finding SMT covert channels:
In my last blog post I found two covert channels in my Broadwell CPU. This blog post will again be about covert channels. For those unfamiliar, a covert channel is a side channel where the attacker has an implant in the victim context and uses his channel to “smuggle information” in and out of the victim context across existing security boundaries. In this blog post I’ll explore how we can automate finding SMT covert channels. SMT is Intel speak for hyper threading. Before I proceed I should note that one of the two covert channels I found in my last blog post, the one based on the RdSeed instruction, appears also to have been found by others. You can read about it in D. Evtyushkin & D. Ponomarev [1]. They will be presenting their work on this channel at CCS. Unlike myself they develop the channel fully and discuss mitigations. So if you find this channel interesting their paper is well worth a read. […]

Covert Shotgun

Analysis of MSI’s NTIOlib

MSI ntiolib.sys/winio.sys local privilege escalation:
So, it seems that not only ASUS drivers allow unprivileged reading and writing to physical memory. Just a few months ago I was looking at the drivers that are loaded on my machine, and I found a small MSI driver called NTIOLib_X64.sys. Out of curiosity I’ve looked at it in IDA and it turned out that it has almost the same functionality as the ASMMAP/ASMMAP64 ASUS drivers. I’ve tried to contact MSI through various different channels, but I haven’t really gotten past their customer support, so I’m not sure if anyone from the development team is aware of this design flaw. After almost 4 months I decided to publish my findings here. […]

http://blog.rewolf.pl/blog/?p=1630

Microsoft working on a “BIOS to UEFI feature” ?

Microsoft Ignite is happening. This comment, made by a presumed attendee, is interesting, but I don’t understand it:

I don’t see anything on the agenda that could be related to this feature, AFAICT nothing on UEFI or BIOS in any abstracts.

https://myignite.microsoft.com/videos?q=Secure%20Boot

https://myignite.microsoft.com/sessions?q=firmware

If anyone has more information, please leave a Comment.

UEFI firmware patch for VMware workstation

The earlier post on this was written when the project was new and had no code. It has code now, consisting of a few shell scripts and a patch to linux/driver.c. I presume this is unofficial. 🙂

“This is a program to patch VMware Workstation 12 kernel modules and to sign them using an X.509 key and enrolling the key in the system UEFI firmware.”

https://github.com/hashhar/vmware-module-patch

VMware UEFI firmware key patch

OSQuery ported to Windows

https://twitter.com/tomchop_/status/780796081546330113

Windows network security now easier with osquery

https://thehackernews.com/2016/09/osquery-security-tool.html

https://osquery.io/