ALT Linux adds packages for UEFI keys and certs

https://github.com/alt-packages/alt-uefi-keys
https://github.com/alt-packages/alt-uefi-certs
https://en.altlinux.org/Main_Page
https://www.altlinux.org/UEFI

This package contains the ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders, so that they work under the UEFI Secure Boot regime (aka “Restricted Boot”). It can be enrolled by the user so that the ALT shim and the subsequent bootloaders are accepted by the firmware without Microsoft’s certificates.

PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.

https://en.altlinux.org/Rescue

c-efi: UEFI Reference Specification Protocol Constants and Definitions

The c-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native C11 code. The scope of this project is limited to those protocol definitions; the protocols are not actually implemented. As such, this project serves as a base for any UEFI application that needs to interact with UEFI, or to implement (parts of) the UEFI specification. In addition to providing a C library, this project also serves as a documentation base for UEFI programming in C. It provides target triples for UEFI, bootstrap helpers, and documentation on how to get started.

https://github.com/c-util/c-efi

https://c-util.github.io/c-efi

Lenovo LEN-24374: Multiple SMM vulnerabilities, CVE-2018-(9083-9084,16089-16092,16094-16096)

System Management Module Vulnerabilities

Lenovo Security Advisory: LEN-24374
Potential Impact: Privilege escalation
Severity: High
Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2018-9083, CVE-2018-9084, CVE-2018-16089, CVE-2018-16090, CVE-2018-16091, CVE-2018-16092, CVE-2018-16094, CVE-2018-16095, CVE-2018-16096

Summary Description:

A Lenovo security audit of the System Management Module firmware uncovered the following vulnerabilities. SMM networking is disabled by default, and these cannot be exploited until networking is enabled:

CVE-2018-16089: A field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.

CVE-2018-16090: The SMM certificate creation and parsing logic is vulnerable to post-authentication command injection.

CVE-2018-16091: The SMM certificate creation and parsing logic is vulnerable to several buffer overflows.

CVE-2018-9083: The SMM contains weak default root credentials which could be used to log in to the device OS — if the attacker manages to enable SSH or Telnet connections via some other vulnerability.

CVE-2018-9084: If an attacker manages to log in to the device OS, the validation of software updates can be circumvented.

CVE-2018-16092: The FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file.

CVE-2018-16094: An internal SMM function that retrieves configuration settings is prone to a buffer overflow.

CVE-2018-16095: The SMM records hashed passwords to a debug log when user authentication fails.

CVE-2018-16096: The SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.

https://support.lenovo.com/pt/fi/solutions/len-24374

see-also:
https://exchange.xforce.ibmcloud.com/vulnerabilities/153003

NVMe adds TCP support

This week the ratified NVMe™/TCP Transport Binding specification has been made available for public download. TCP is a new transport added to the family of existing NVMe™ transports: PCIe®, RDMA, and FC. NVMe/TCP defines the mapping of NVMe queues, NVMe-oF capsules and data delivery over the IETF Transport Control Protocol (TCP). The NVMe/TCP transport offers optional enhancements such as inline data integrity (DIGEST) and online Transport Layer Security (TLS).[…]

Welcome NVMe™/TCP to the NVMe-oF™ Family of Transports

https://nvmexpress.org/wp-content/uploads/NVM-Express-over-Fabrics-1.0-Ratified-TPs.zip

http://git.infradead.org/nvme.git/shortlog/refs/heads/nvme-tcp

https://review.gerrithub.io/c/spdk/spdk/+/425191/

Amazon.com announces Firecracker: a Secure, Open Source microVM

https://github.com/firecracker-microvm/firecracker/blob/master/SPECIFICATION.md

https://aws.amazon.com/blogs/opensource/firecracker-open-source-secure-fast-microvm-serverless/


Breaking into the (Digital) BitBox

Saleem Rashid
Nov 26, 2018

In this post, I am going to discuss the security issues I discovered in a hardware wallet known as BitBox, formerly known as “Digital Bitbox”. It is important to note that I have not audited the device, and these issues were found from a preliminary look at the device. Note that, while I intended to quote BitBox’s own descriptions of the fixes, they denied me permission to do so. However, they assure me that they will be publishing their own report which I trust will help fill in the gaps.[…]

https://saleemrashid.com/2018/11/26/breaking-into-bitbox/

see-also:

https://digitalbitbox.com/ (aka https://shiftcrypto.ch/ )

Seattle-area open source firmware presentation this December

If you’re in the Seattle area and want to see Vincent Zimmer of Intel give a recap of his presentations at the Platform Security Summit and the Open Source Firmware Conference, attend the December DC206 Meeting, the monthly Seattle-area DEF CON user group:

What: December Seattle Locksport and DC206 Meeting
When: Dec 16th (3rd Sundays), 11:00am-~4:00pm
Where: Black Lodge Research
Who: (Vincent, Noah, Zach, Dune, Panic, and the DC206 community)

Open Source IA Firmware
by
Vincent Zimmer, Intel Corp.

Provide highlights on the open source firmware ecosystem, including
details from the Platform Security Summit[1] and Open Source Firmware
Conference[2].

[1] https://www.platformsecuritysummit.com/
[2] https://osfc.io/

Vincent Zimmer @vincentzimmer is a sr. principal engineer at Intel
Corporation. He leads the UEFI Security Subteam of the UEFI Forum.

Full announcement:
https://www.dc206.org/?p=278

SCAT (Signaling Collection and Analysis Tool): parses Qualcomm and Samsung baseband messages

SCAT: Signaling Collection and Analysis Tool

This application parses diagnostic messages from Qualcomm and Samsung basebands over USB, and generates a stream of GSMTAP packets containing cellular control-plane messages.

https://github.com/fgsect/scat

MFTEntryCarver: Carve files for MFT entries (e.g. blkls output or memory dumps)

MFTEntryCarver: Carve files for MFT entries (e.g. blkls output or memory dumps). Recovers filenames (long & short), timestamps ($STD & $FN) and data if resident. It will also parse half-broken entries as long as at least one $FN entry is OK. There is a more detailed description of how and why I wrote that, and how you can use it, on my blog (https://www.cyberfox.blog/carving-mft-mftentrycarver-py/). I’m not really a developer but just a DFIR guy. So please excuse the spaghetti code.

https://www.cyberfox.blog/carving-mft-mftentrycarver-py/

https://github.com/cyb3rfox/MFTEntryCarver/
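A minimal carver in the spirit of the description above, added here as an example and not the project's own code: it scans an arbitrary blob for FILE record signatures, undoes the NTFS update-sequence fixups, takes the four timestamps from $STANDARD_INFORMATION and the name, namespace and timestamps from each resident $FILE_NAME, and keeps an entry whenever at least one $FN parses (a torn header with no $FN is dropped). The sample blob, the attribute bodies and the FILETIME value are constructed for the demo; resident $DATA and non-resident attributes are not extracted.

```python
import re, struct
from datetime import datetime, timedelta, timezone
def filetime_to_dt(ft):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    if ft >= 2_650_000_000_000_000_000:  # past year 9999: garbage from a broken entry
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_entry(rec):  # one FILE record -> dict, or None if no usable $FILE_NAME survives
    if rec[:4] != b"FILE" or len(rec) < 0x30:
        return None
    rec, out = bytearray(rec), {"std": None, "names": []}
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)  # update-sequence array
    for i in range(1, min(usa_cnt, len(rec) // 512 + 1, (len(rec) - usa_off) // 2)):
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]  # undo fixups
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18:  # end marker, or garbage length in a broken entry
            break
        if rec[off + 8] == 0:  # resident attribute: its content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10 and len(body) >= 32:  # $STANDARD_INFORMATION: 4 FILETIMEs
                out["std"] = [filetime_to_dt(t) for t in struct.unpack_from("<4Q", body)]
            elif atype == 0x30 and len(body) >= 0x42:  # $FILE_NAME: times at 8, name at 0x42
                nlen, ns = body[0x40], body[0x41]  # name length in UTF-16 units, namespace
                name = body[0x42:0x42 + 2 * nlen].decode("utf-16-le", "replace")
                times = [filetime_to_dt(t) for t in struct.unpack_from("<4Q", body, 8)]
                out["names"].append({"name": name, "namespace": ns, "times": times})
        off += alen
    return out if out["names"] else None

def carve(blob, record_size=1024):  # scan blkls output / a memory dump for FILE records
    found = ((m.start(), parse_entry(blob[m.start():m.start() + record_size]))
             for m in re.finditer(b"FILE", blob))
    return [(pos, entry) for pos, entry in found if entry]

def build_sample_blob():  # constructed test input, not real disk data
    def attr(atype, body):  # resident attribute: 24-byte header + body, 8-byte aligned
        alen = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return (hdr + body).ljust(alen, b"\0")
    ft = 132_000_000_000_000_000  # arbitrary FILETIME in April 2019
    std = attr(0x10, struct.pack("<4Q", ft, ft, ft, ft) + b"\0" * 16)
    def fn(name, ns):  # $FILE_NAME body: parent ref, 4 times, 2 sizes, flags, reparse, name
        body = struct.pack("<5Q2QII", 5, ft, ft, ft, ft, 0, 0, 0, 0) + bytes([len(name), ns])
        return attr(0x30, body + name.encode("utf-16-le"))
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0, 0x400, 0, 4, 0, 7)
    rec = hdr + b"\1\0" + b"\0" * 6 + std + fn("REPORT~1.TXT", 2) + fn("report_final.txt", 1)
    return b"\xde\xad" * 17 + rec + b"\xff" * 4 + b"\0" * 4 + b"FILE" + b"\0" * 60  # junk, record, end, torn header
```

Running `carve(build_sample_blob())` yields one hit at offset 34 with both the DOS (namespace 2) and the Win32 (namespace 1) names; the trailing torn FILE header is rejected because no $FN can be parsed from it.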

MinnowBoard Max/Turbot firmware 1.00 released

SUPPORTED (NEW) FEATURES AND CHANGES IN RELEASE:
1. The 64bit BIOS is now functional with Linux and Windows 8.1 Embedded/Windows 10.
2. The 32bit BIOS is now functional with Windows 8.1 Embedded/Windows 10.
3. Supports booting from "SD card", "USB drive" and "SATA".
4. Supports S3 resume for Linux, Windows 8.1 Embedded and Windows 10.
5. Supports S4 resume for Windows 8.1 Embedded and Windows 10.
6. Supports 64bit image GCC build (32bit image GCC build is not supported).
7. Update EDK II core from UDK2015 release to UDK2017.
8. Signed Capsule Update is supported.
9. Supports HTTP and HTTPS boot.
10. Add board UUID support.
11. Fixed the issue that USB device may not be detected at system power-on.
12. Main changes in this release
   1) Add microcode M0130679906 for D1 stepping.
   2) Produce SMBIOS type 1.
   3) Changed manufacture name.
   4) Fixed some open bugs. Please visit the following link for details.
      https://wiki.yoctoproject.org/wiki/Minnow_Bug_Triage

https://firmware.intel.com/projects/minnowboard-max
https://firmware.intel.com/sites/default/files/minnowboard_max-rel_1_00-releasenotes.txt


LinuxFlaw: collection of hundreds of Linux vulnerabilities

https://github.com/VulnReproduction/LinuxFlaw

https://www.usenix.org/conference/usenixsecurity18/presentation/mu

see-also:

https://syzkaller.appspot.com/?fixed=upstream

https://syzkaller.appspot.com/

CHIPSEC v1.3.6 released

New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform
Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module

New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version

See release notes for list of Fixes.

https://github.com/chipsec/chipsec/commits/master

https://github.com/chipsec/chipsec/releases/tag/v1.3.6

BSides Lisbon: Steve Lord: Reverse Engineering Microcontroller Firmware

https://twitter.com/stevelord/status/1065306403441713153

[…]In this talk I’ll show you how to go from knowing nothing about a microcontroller, to dumping the firmware and reversing the contents. Then I’ll talk a little bit about approaches to exploring the attack surface and some things I’ve learned along the way. […] This talk will only be given at BSides Lisbon and will not be recorded. If you want to see it, you have to come here 🙂

https://www.bsideslisbon.org/speakers/#stevelordTalk

https://www.bsideslisbon.org/schedule/