Jailbreaking Subaru StarLink (CVE-2018-18203)

[…]To root any 2017+ Subaru StarLink head unit, an attacker needs the following to generate valid update images:

1. A Subaru head unit with serial and USB port access.
2. The encryption keys for the update files.
3. An official update. These seem to be available for most platforms in many different ways. Without the official update, the ISO signature check will fail and the install will not continue to the stage where the QNXCNDFS files are written.
4. Physical access to the vehicles USB ports.[…]

https://nvd.nist.gov/vuln/detail/CVE-2018-18203

https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md

Jailbroken head unit

“UEFI Reading Book GRUB” (in Japanese)

https://translate.google.com/translate?hl=en&sl=jp&tl=en&u=https://retrage01.hateblo.jp/entry/2019/04/13/121833

https://techbookfest.org/event/tbf06/circle/65580001

https://efi-book.github.io/

https://booth.pm/ja/items/1037661

Excerpting Google Translate of this Japanaese web page:

We will distribute the new edition ” UEFI Reading Book GRUB ” as “Marine Soft Matter” in the technical textbook 6 to be held at Ikebukuro Sunshine City on April 14, 2019. The previously published ” UEFI Reader Basic Edition Linux Edition” will be separated as the basic edition and distributed as ” UEFI Reader Linux Edition”. The placement destination is “U 27”.
UEFI reading book GRUB ed.

” UEFI Reader Basic edition Linux edition” (hereinafter referred to as ” Linux edition”) distributed in the last technical book 5 was read by many people, despite being the first coterie of ocean soft matter I would like to thank you at this place. In ” Linux “, we tracked the boot process on EFI stub at source code level. However, many Linux distributions often use the GRUB bootloader, which has not covered the boot process in a typical Linux environment. So in this document we will look at GRUB startup and Linux startup in a UEFI environment. However, Linux startup itself is not covered here because of space limitations.

Orange Slice: A research kernel and hypervisor attempting to get fully deterministic emulation with minimum performance cost

Orange Slice is a research kernel and hypervisor with an end goal of creating a deterministic hypervisor. This will be developed almost entirely in my free time, and will probably move slow. However I will try to stream almost all dev for this project, such that people can ask questions and hopefully learn a thing or two about kernel and hypervisor development! This deterministic hypervisor is going to be designed from the start for fuzzing. Having determinism in a hypervisor would allow us to never have an issue with reproducing a bug, regardless of how complex the bug is. However as a hypervisor we will benefit from the performance of hardware-accelerated virtualization. The end goal is a deterministic hypervisor, capable of booting Windows and Linux, with less than a 5x performance slowdown to achieve instruction-and-cycle level determinism for cycle counts and interrupt boundaries.

https://github.com/gamozolabs/orange_slice

 

redfish-finder: utility to parse dmidecode output for Host Management Controllers, and setup canonically named access to them

I just learned about redfish-finder, a Redfish discovery tool for Linux. It maps your BMC NIC to the name redfish-localhost. When the Spring 2019 UEFI Forum Plugfest slides and videos are uploaded, there’s a presentation that talks about this tool. It is in the latest version of Fedora. Hopefully coming soon to other distros….

https://github.com/nhorman/redfish-finder

DMTF DASH tests updated

DMTF Redfish might be taking over the server market, and IPMI may’ve frozen their spec, but it appears DMTF DASH isn’t dead yet, they just updated their tests, and made the latest version (dated 2018?) available, and it looks like devices from AMD, Lenovo, and Dell are on the list:

https://www.dmtf.org/content/dmtf-releases-dash-conformance-test-suite-update
https://www.dmtf.org/conformance/dash
https://www.dmtf.org/standards/dash
https://www.dmtf.org/content/dash-cts-2018-0

 

Paged Out! new zine calls for papers

A new zine is calling for content for their first issue. I’m hoping this’ll be like Phrack and POC||GTFO, but who knows…

https://gynvael.coldwind.pl/?lang=en&id=707

https://pagedout.institute/?page=cfp.php

GRUB 2.04-rc1 released

Quoting LinuxJournal:

“[…]GRUB 2.04-rc1 has been released. Phoronix reports that after nearly two years of development, this release will bring tons of changes, including “supporting multiple early initrd images, support for the F2FS file-system, a verifier framework, RISC-V support, UEFI Secure Boot shim support, Btrfs Zstd improvements, Btrfs RAID5/RAID6 support, Xen PVH support, UEFI TPM 1.2/2.0 support, and a lot of other work.[…]”

http://git.savannah.gnu.org/cgit/grub.git/

https://www.linuxjournal.com/content/grub-204-rc1-released-mozilla-designing-better-security-messages-back-door-discovered

https://www.phoronix.com/scan.php?page=news_item&px=GRUB-2.04-Release-Candidate

The Death Metal Suite: a toolkit designed to exploit Intel AMT’s legitimate features

[…]Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes, inadvertently allows these features to be used by hackers for surreptitious persistence. This is because many of the legitimate features violate the expectations of sysadmins and endpoint protection software. I liken AMT to “lolbins,” which is a short form of “living off the land binary,” but instead of operating at a software level, Death Metal operates from a hardware level. With the Death Metal suite, we are essentially misusing and abusing mainstream commercial functionality in unexpected ways. Within the information security community, attacks against AMT itself are not news; however, Death Metal will introduce new ways to begin attacking the AMT framework in a practical, red-team fashion.[…]

https://github.com/Coalfire-Research/DeathMetal/blob/master/README.md

https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite

4 security advisories from Intel

INTEL-SA-00239
Intel® NUC Advisory
A potential security vulnerability in system firmware for Intel NUC may allow escalation of privilege, denial of service, and/or information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00239.html

INTEL-SA-00238
Intel® Core Processors Memory Mapping Advisory
A potential security vulnerability in some microprocessors may allow information disclosure.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00238.html

INTEL-SA-00236
Intel® Graphics Performance Analyzer for Linux Advisory
A potential security vulnerability in Intel® Graphics Performance Analyzer for Linux may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00236.html

INTEL-SA-00201
Intel® Media SDK Advisory
A potential security vulnerability in Intel® Media SDK may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00201.html

Bushwacking your way around a bootloader (U-Boot)

 

Bushwacking your way around a bootloader
Rebecca (.bx) Shapiro

Even when you have access to some binary’s source code, it can still be challenging to un- derstand said software. In this talk, I will discuss the techniques and tools I developed in order to understand and navigate the pile of code that is the open-source Das U-Boot bootloader. The tools I developed do not rely on proprietary software and instead make use of free and powerful debugging tools such as Capstone, Unicorn, and the GDB Python plugin API. My approach strives to highlight the temporal and mechanical connections that exist between higher-level behaviors and regions of the code base/binary by instrumenting, tracing, and analyzing all memory writes with respect to the software’s current execution path. This technique allows us to develop and test our understanding of the relationships between code and objects (data structures and/or regions of memory). I will discuss how these tools and techniques can be used to identify and distinguish between different phases of U-Boot execution (including distinct phases of initialization and relocation) and then show how such information can be used to design a coarse-grained memory region-based access control policy.

https://kernelcon.org/agenda#bushwacking

https://typedregions.com/kernelcon-bx.pdf

LeachAgent: related tool for PCILeech

The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments. The LeechAgent provides an easy, but yet high performant and secure, way of accessing and querying the physical memory (RAM) of a remote system. Mount the remote memory with MemProcFS as an easy point-and-click file system – perfect for quick and easy triage. Dump the memory over the network with PCILeech. Query the physical memory using the MemProcFS Python API by submitting analysis scripts to the remote host! Do all of the above simultaneously.[…]

http://blog.frizk.net/2019/04/LeechAgent.html

Nikolaj summarizes UEFI 2.8 spec changes in 9 tweets

Re: https://firmwaresecurity.com/2019/04/04/uefi-2-8-released/

Nikolaj is right on schedule with his analysis of the changes in this spec. Click on the below tweet, there are about a series of 9 tweets with his highlights of the UEFI 2.8 spec:

 

Eclypsium: Firmware Needs to Be Part of Your Incident Response Playbook

Eclypsium has a new whitepaper that talks about IR and firmware.

https://eclypsium.com/2019/04/02/firmware-needs-to-be-part-of-your-incident-response-playbook/

Samsung: Knox Deep Dive: Knox Verified Boot

3 Apr 2019
Knox Deep Dive: Knox Verified Boot
By Phil (Programmer Writer)

With the most recent Knox 3.3 version release, the Samsung Knox team is pleased to introduce Knox Verified Boot. Knox Verified Boot (KVB) is a new solution that both extends and enhances Android Verified Boot (AVB). While AVB only checks the integrity of the kernel and platform components, KVB extends those checks to also cover the earlier bootloaders. This provides a more comprehensive guarantee a device is booting using properly signed components that are all from the same expected build. KVB performs the same type of validations as the existing Trusted Boot mechanism, but it is able to do so before the device kernel is booted, and thus provides the same data protection guarantees earlier. KVB component checks are conducted in the bootloader, and validations are made before system services are even started to help provide an even higher level of data protection. KVB is supported on Samsung S10 and above devices running the Android P operating system or later.

https://seap.samsung.com/content/knox-deep-dive-knox-verified-boot