Spring 2018 UEFI Forum plugfest presentations uploaded

* State of the UEFI – Mark Doran (UEFI Forum President)
* An Introduction to Platform Security – Brent Holtsclaw and John Loucaides (Intel)
* Firmware Security: Hot Topics to Watch – Dick Wilkins (Phoenix Technologies, Ltd.)
* UEFI Updates, Secure firmware and Secure Services on Arm – Dong Wei and Matteo Carlini (Arm)
* The State of ACPI Source Language (ASL) Programming – Erik Schmauss (Intel)
* Implementing MicroPython as a UEFI Test Framework – Chris McFarland (Intel)
* UEFI and the Security Development Lifecycle – Tim Lewis (Insyde)
* Attacking and Defending the Platform – Erik Bjorge and Maggie Jauregui (Intel)
* Microsoft Security Features and Firmware Configurations – Scott Anderson, Jeremiah Cox and Michael Anderson (Microsoft)
* Dynamic Tables Framework: A Step Towards Automatic Generation of Advanced Configuration and Power Interface (ACPI) & System Management BIOS (SMBIOS) Tables – Sami Mujawar (Arm)
* Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU) – Bret Barkelew, Keith Kepler, and Michael Anderson (Microsoft)
* Embedded Development Kit 2 (EDK2): Platforms Overview – Leif Lindholm (Linaro)
* Enabling Advanced NVMe Features Through UEFI – Zachary Bobroff (AMI)

https://uefi.blogspot.com/2018/04/spring-2018-uefi-plugfest-presentations.html

http://www.uefi.org/learning_center/presentationsandvideos

I expect videos on YouTube shortly after the PDFs have become available.

INTEL-SA-00116: Intel® 2G Firmware Update for Modems using ETWS

Intel ID: INTEL-SA-00116
Product family: Intel® XMM71xx, Intel® XMM72xx, Intel® XMM73xx, Intel® XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Apr 04, 2018

Buffer overflow in ETWS processing module Intel® XMM71xx, XMM72xx, XMM73xx, XMM74xx and Sofia 3G/R allows a remote attacker to potentially execute arbitrary code via an adjacent network. In late February 2018, external security researchers identified and disclosed to Intel a security vulnerability affecting Intel® 2G Modem firmware. The vulnerability affects Intel® 2G Modem products where the Earthquake Tsunami Warning System (ETWS) feature is enabled in Modem firmware. Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk. Intel is making firmware updates available to device manufacturers that protect systems from this vulnerability. End users should check with their device manufacturers and apply any available updates as soon as practical. Intel would like to thank Dr. Ralph Phillip Weinmann and Dr. Nico Golde from Comsecuris for reporting CVE-2018-3624.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00116&languageid=en-fr

AHCI BIOS Security Extension

This software is useful if:
* you have a (probably self-encrypting) hard disk / solid state drive that supports the (S)ATA SECURITY command set
* you want to boot from this drive.
* your motherboard’s BIOS does not support asking the user for a hard disk password at startup
* you don’t want to buy a new motherboard.
* the hard disk controller of your motherboard supports AHCI.

http://www.tb-kaiser.de/ahci_sbe/

https://github.com/TobiasKaiser/ahci_sbe

Matthew Garrett on the Linux Kernel Lockdown Patch, and UEFI

Re: Kernel Lockdown Patch:

Linus on UEFI and Kernel Lockdown patch

Linux kernel lockdown patch

Background for Kernel Lockdown patch

Linux Kernel lockdown

Matthew Garrett of Google has a new blog post that gives some background on this patch, w/r/t UEFI:

https://mjg59.dreamwidth.org/50577.html

EdkiiShellTool: debug tools for UEFI

Wow, this has existed for a while and I didn’t know about it. Multiple very useful UEFI Shell tools!

Gcd: A tool to dump GCD data structure, according to PI specification.

HobList: A tool to dump HOB data structure, according to PI specification.

MemoryAttributesDump: A tool to dump Memory Attribute Table and Properties Table, according to UEFI specification.

HstiWsmtDump: A tool to dump HSTI table and WSMT table, according to Microsoft HSTI and WSMT specification.

EsrtFmpDump: A tool to dump ESRT table and FMP capsule information, according to UEFI specification.

MemoryTypeInfo: A tool to dump EDKII memory type information, according to EDKII implementation.

PerfDump: A tool to dump EDKII performance data, according to EDKII implementation.

PcdDump: A tool to dump PCD information according to PI specification and PCD internal database according to EDKII implementation.

SmmProfileDump: A tool to dump EDKII SMM profile data, according to EDKII implementation.

EdkiiCoreDatabaseDump: Tools to dump EDKII DXE Core, SMM Core, and PEI Core internal data structure, according to EDKII implementation.

https://github.com/jyao1/EdkiiShellTool

Linus on UEFI and Kernel Lockdown patch

This is a fascinating thread to read. Linus does not understand UEFI, he doesn’t understand how his code works on many systems. I get that he wishes UEFI didn’t exist, but many Linux users access Linux via Windows PCs. It is not valid to ignore the boot issues on those systems, especially in a world getting more and more security-aware.

I confess that I sometimes act like Linus as well, I’m ashamed to say. But I’m not responsible for one of the most important open source projects around; if I were, I’d try to be a bit more mature to the contributors, with a lower ratio of UPPERCASE OBSCENITIES per constructive feedback. Linux users who have UEFI-based systems owe a lot of thanks to Matthew and a handful of others, like Peter, …in spite of Linus.

https://lkml.org/lkml/2018/4/3/817

https://lkml.org/lkml/2018/4/4/565

https://lkml.org/lkml/2018/4/3/847

http://vger.kernel.org/majordomo-info.html

Tianocore releases UDK2018

Tianocore, not the UEFI Forum, has released UDK2018, the latest UEFI Dev Kit, a snapshot of the EDK-II tied to a particular revision of the specs.

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Core-Update-Notes

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Key-Features

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018

https://github.com/tianocore/edk2/releases/tag/vUDK2018

https://github.com/tianocore-docs/Docs/blob/master/UDK/UDK2018/SecurityPkgNotes.md

INTEL-SA-00122: Intel Remote Keyboard Unauthenticated Keystroke Injection

Intel® Remote Keyboard Unauthenticated Keystroke Injection

Intel ID: INTEL-SA-00122
Product family: Intel® Remote Keyboard
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Apr 03, 2018

Intel has issued a Product Discontinuation notice for Intel® Remote Keyboard and recommends that users of the Intel® Remote Keyboard uninstall it at their earliest convenience.

CVE-2018-3641:
Escalation of privilege in all versions of the Intel® Remote Keyboard allows a network attacker to inject keystrokes as a local user. Intel would like to thank @trotmaster99 for reporting this issue and working with us on coordinated disclosure.

CVE-2018-3645:
Escalation of privilege in all versions of the Intel® Remote Keyboard allows a local attacker to inject keystrokes into another remote keyboard session. Intel would like to thank Mark Barnes for reporting this issue and working with us on coordinated disclosure.

INTEL-SA-00087: Unsafe Opcodes exposed in Intel SPI based products

Unsafe Opcodes exposed in Intel SPI based products
Intel ID: INTEL-SA-00087
Product family: Multiple Generations
Impact of vulnerability: Denial of Service
Severity rating: Important
Original release: Apr 03, 2018

Configuration of SPI Flash in platforms based on multiple Intel CPUs allows a local attacker to alter the behavior of the SPI Flash, potentially leading to a Denial of Service. This issue has been root-caused, and the mitigation has been validated and is available. Intel identified this issue internally. Issue is root-caused, and the mitigation is known and available. To Intel’s knowledge, the issue has not been seen externally. Intel recommends that users always check with their system manufacturer’s support sites to make sure they have the latest security updates installed.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00087&languageid=en-fr

Intel FSP reverse engineering: finding the real entry point!

https://puri.sm/posts/intel-fsp-reverse-engineering-finding-the-real-entry-point/

Reversing? I thought that Purism was an Intel FSP source licensee? Oh well.

Apple to make their own processor, replacing Intel?

Quoting Bloomberg:

Apple Inc. is planning to use its own chips in Mac computers beginning as early as 2020, replacing processors from Intel Corp., according to people familiar with the plans. The initiative, code named Kalamata, is still in the early developmental stages, but comes as part of a larger strategy to make all of Apple’s devices — including Macs, iPhones, and iPads — work more similarly and seamlessly together, said the people, who asked not to be identified discussing private information. The project, which executives have approved, will likely result in a multi-step transition.

https://www.bloomberg.com/news/articles/2018-04-02/apple-is-said-to-plan-move-from-intel-to-own-mac-chips-from-2020

https://www.theverge.com/circuitbreaker/2018/4/2/17189372/apple-intel-chip-processors-macs-date

https://www.ft.com/content/1c0637da-36a1-11e8-8eee-e06bde01c544

Identifying ESXi boot method & boot device

Identifying ESXi boot method & boot device
Posted on 01/09/2018 by William Lam

There was an interesting discussion on our internal Socialcast platform last week on figuring out how an ESXi host is booted up, whether it is from a local device like a disk or USB device, Auto Deploy or even boot from SAN, along with its respective boot device. Although I had answered the question, I was not confident that we actually had a reliable and programmatic method for identifying all the different ESXi boot methods, which of course piqued my interest. With a bit of trial and error in the lab, I believe I have found a method in which we can identify the ESXi boot type (Local, Stateless, Stateless Caching, Stateful or Boot from SAN) along with some additional details pertaining to the boot device. To demonstrate this, I have created the following PowerCLI script ESXiBootDevice.ps1 which contains a function called Get-ESXiBootDevice.[…]

https://www.virtuallyghetto.com/2018/01/identifying-esxi-boot-method-boot-device.html

https://github.com/lamw/vghetto-scripts/blob/master/powershell/ESXiBootDevice.ps1

Tim Lewis of Insyde resumes blogging on firmware

Tim Lewis has been blogging on UEFI for a long time, but he took a break and is now resuming:

[…]After some gentle ribbing from colleagues at the UEFI plug-fest in Bellevue, WA, I’ve decided to try to keep track of recent trends in UEFI here again.

His current blog post covers a few topics, including replying to Vincent Zimmer’s recent claims of definitive ways to pronounce UEFI and ACPI:

[…]And for the record, it is U-E-F-I (not YOO-FI or micro-EFI) and A-C-P-I (not AK-PIE). On a side note about competing acronym pronunciations, in the early days of the EISA (Extended ISA) bus architecture, it was pointed out that while English speakers naturally pronounced EISA as EEE-SA and ISA as AY-SA, other European languages would naturally pronounce it exactly opposite (EISA as AY-SA and ISA as EE-SA).[…]

https://uefi.blogspot.com/2018/04/uefi-notes-cs2ai-uefi-plugfest-and.html

May in Portland: Teardown: new hardware conference by CrowdSupply

[…] You can think of Teardown as live-action Crowd Supply, but with fewer cardboard boxes and packing peanuts. We’ll be bringing together hardware aficionados from around the world to celebrate, inspect, create, and, of course, tear down hardware. There will be long-time Crowd Supply creators and backers, as well as people we’re meeting for the first time. There will be hardware, art, food, drink, puzzles, workshops, tutorials, talks, music, field trips, and friends. Most of all, there will be ideas and projects to explore and inspire.[…]

https://www.crowdsupply.com/teardown/portland-2018

GNU/Linux Libre: concerns with microcode being non-Free Software

The date for this was April 2nd. I checked twice to see if it was April 1st…

[…]Another significant change in this release is that it was pointed out that there were error messages in Linux suggesting users to update x86 CPU microcode. Since such microcode is non-Free Software, such messages don’t belong in GNU Linux-libre. We now have patterns to detect and clean up this sort of message. A number of them were introduced recently, relying on microcode changes to mitigate Spectre and Meltdown problems, but there might be others that go farther back. I haven’t yet made up my mind on whether to go back, check and possibly respin such earlier releases.[…]

Finally, to celebrate Easter on this date, I couldn’t help mentioning in this release announcement the Easter Eggs I put in. Let me know if you enjoy the surprises.[…]

https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-4.16-Released

http://lists.gnu.org/archive/html/info-gnu/2018-04/msg00002.html

links of awesome links

I’m a sucker for lists of resources. PreOS Security is about to release our awesome-firmware shortly. In the meantime, here are some existing ‘curated links’ on other fun topics:

https://github.com/0x4D31/awesome-threat-detection
https://github.com/aalhour/awesome-compilers
https://github.com/AcalephStorage/awesome-devops
https://github.com/aleksandar-todorovic/awesome-c
https://github.com/apsdehal/awesome-ctf
https://github.com/ashishb/android-security-awesome
https://github.com/aweconf/awesome-conferences-database
https://github.com/briatte/awesome-network-analysis
https://github.com/carpedm20/awesome-hacking
https://github.com/cugu/awesome-forensics
https://github.com/dastergon/awesome-chaos-engineering
https://github.com/dastergon/awesome-sre
https://github.com/dbohdan/compilers-targeting-c
https://github.com/dweinstein/awesome-frida
https://github.com/emijrp/awesome-awesome
https://github.com/enaqx/awesome-pentest
https://github.com/fdivrp/awesome-reversing
https://github.com/fffaraz/awesome-cpp
https://github.com/Hack-with-Github/Awesome-Hacking
https://github.com/HQarroum/awesome-iot
https://github.com/hslatman/awesome-threat-intelligence
https://github.com/InQuest/awesome-yara
https://github.com/jagracey/Awesome-Unicode
https://github.com/jaspergould/awesome-asm
https://github.com/jekil/awesome-hacking
https://github.com/jivoi/awesome-osint
https://github.com/kozross/awesome-c
https://github.com/ksluckow/awesome-symbolic-execution
https://github.com/larsbrinkhoff/awesome-cpus
https://github.com/m4ll0k/Awesome-Hacking-Tools
https://github.com/meirwah/awesome-incident-response
https://github.com/mre/awesome-static-analysis
https://github.com/n1trux/awesome-sysadmin
https://github.com/papers-we-love/papers-we-love
https://github.com/PaulSec/awesome-sec-talks
https://github.com/pFarb/awesome-crypto-papers
https://github.com/phodal/awesome-iot
https://github.com/RichardLitt/awesome-conferences
https://github.com/rossant/awesome-math
https://github.com/rshipp/awesome-malware-analysis
https://github.com/sbilly/awesome-security
https://github.com/secfigo/Awesome-Fuzzing
https://github.com/sectalks/sectalks
https://github.com/sergey-pronin/Awesome-Vulnerability-Research
https://github.com/sobolevn/awesome-cryptography
https://github.com/thibmaek/awesome-raspberry-pi
https://github.com/topics/awesome-list
https://github.com/vinta/awesome-python
https://github.com/vitalysim/Awesome-Hacking-Resources

CNet: How Chromebooks became the go-to laptops for security experts

[…]Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010:
* sandboxing,
* verified boots,
* power washing and
* quick updates.

These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did. “That’s the fundamental difference between how Chrome OS works and how any other computer at the time worked,” Liu said.[…]

https://www.cnet.com/uk/news/how-google-chromebooks-became-the-go-to-laptop-for-security-experts/