UEFIDump replaced by UEFIExtract with ‘unpack’ option

UEFITool is a Qt-based GUI tool that runs on Mac, Windows, and Linux. Besides the main Qt-based GUI, the project also ships a few command line tools: UEFIExtract, UEFIFind, and UEFIDump. There are two codebases on GitHub, the master branch and the new_engine branch.

Some of the command line tools have been changing: UEFIDump, which dumped information about an image, is now gone, replaced by UEFIExtract with the “unpack” option (the “dump” option is related).

https://github.com/LongSoft/UEFITool/blob/new_engine/UEFIExtract/uefiextract_main.cpp

UEFIDump/UEFIExtract aside, UEFIFind is also useful to find information:

https://github.com/LongSoft/UEFITool/blob/new_engine/UEFIFind/uefifind_main.cpp


GEF 2018.10 released: GDB Enhanced Features for exploit devs & reversers

New features:
Support for RISC-V architecture (@dlrobertson )
Brand new skin, designed by our own @Grazfather
New command print-format
New convenience variables / functions ($_pie , $_heap) by @wbowling
Better AARCH64 support
All command outputs are now buffered, so less IO, more perf
“Repeatable” commands are in
PyEnv support (@hazedic)
Ditched Travis-CI for Circle-CI
Glibc Tcache bins support
Colorized hexdump byte (pwntools-like)

Changelog:
Bugfix in x86 EFLAGS parsing
Better and more unit tests
More caching (on key functions, settings, etc.)
Fixed the doc
(ARM) Auto. adjust GEF mode from cspr flag
Bugfix in capstone integration
Fixed minor issues in format-string-helper
Fixed IDA integration, thx @cclauss
And more minor bugfixes, and speed improvement

https://github.com/hugsy/gef


BB-Weight-Angr: Angr-based static analysis tool for vusec/vuzzer64 fuzzing tool

https://github.com/ash09/angr-static-analysis-for-vuzzer64

This repository contains an Angr-based static analysis module developed during my internship at VU Amsterdam for their fuzzing tool Vuzzer. It supports both the 32-bit and 64-bit versions of Vuzzer.

Telemetry: Enhancing Customer Triage of Intel® SSDs

by Behnam Eliyahu and Monika Sane

Telemetry refers to an umbrella of tools, utilities, and protocols to remotely extract and decode information for debugging potential issues with Intel® SSDs. Telemetry works over industry standard protocols, and eliminates or minimizes the need to remove SSDs from customer systems for retrieving debug logs. Telemetry thus enables host tools, Intel technical sales specialists (TSS), Intel application engineers (AEs), and Intel engineering teams to better identify and debug performance excursions, exception events and critical failures in Intel® SSDs, without sending the physical drive to Intel for failure analysis. This capability is designed in accordance with NVMe* 1.3 telemetry specifications as well as corresponding ACS 4 SATA definitions (which are common industry standards), and is expected to accelerate debugging of external and internal bug sightings pertaining to Intel® SSDs. The key difference between NVMe and SATA is the fact that there is no controller-initiated capability on SATA drives.[…]

https://itpeernetwork.intel.com/telemetry-enhancing-customer-triage/


See-also:
https://github.com/linux-nvme/nvme-cli/blob/master/Documentation/nvme-telemetry-log.txt
https://github.com/linux-nvme/nvme-cli/blob/master/linux/nvme.h

What’s New In NVMe 1.3

https://nvmexpress.org/resources/specifications/

Sites with sample firmware rom binaries

I was looking for some UEFI binaries to include in a workshop, and thought I’d make a quick post on the options.

Firmware Vault, an unofficial collection of Apple EFI ROMs:
https://github.com/theopolis/uefi-firmware-parser

A new site, from the author of UEFI Firmware Parser:
https://github.com/theopolis/uefi-firmware-samples

The same author wrote uefi-spider, a tool to scrape vendor web sites for their images, but it appears bitrot has taken effect. It’d be nice if someone submitted some patches to update this useful script. It’d be even nicer if someone would maintain a site of crawled binaries, so multiple people don’t have to run the crawler against the vendor sites.

tool review: uefi-spider (and firmware_vault)

The Intel Minnowboard releases include some binaries that can be used for analysis:
https://firmware.intel.com/projects/minnowboard-max

Similar to the Minnowboard releases, the Intel FSP releases include multiple binaries:
https://github.com/IntelFsp/FSP

Linaro.org should have some ARM images. Tianocore should have some OVMF images, and has ShellBinPkg binaries for Intel and ARM. Tianocore and this site have UEFI OVMF images:
https://www.kraxel.org/repos/
https://github.com/tianocore/edk2/tree/master/ShellBinPkg

If you have other ideas, please leave a Comment on the blog with new URLs. Thanks!

ASUS Z390 Motherboards Automatically Push Software into Windows

https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation

The ASUS UEFI firmware exposes an ACPI table to Windows 10, called “WPBT” or “Windows Platform Binary Table”. WPBT is used in the pre-built OEM industry, and is referred to as “the Vendor’s Rootkit.” Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup – every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for “anti-theft software”, this binary is a “native, user-mode application that is executed by the Windows Session Manager during operating system initialization.”, which means “before all other programs, with administrative privileges”. This gives pretty much full control over everything, including protected folders and the registry.
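As an added example (not code from the article, ASUS, or Microsoft), here is a small Python parser for the WPBT table as a defender would dump it from a running system (on Linux, ACPI tables are exposed under /sys/firmware/acpi/tables/, so a WPBT file there means the platform is handing Windows a binary to run). The field layout follows Microsoft's published WPBT definition; the sample table bytes are constructed, and the OEM ids in them are placeholders.

```python
import struct

# WPBT layout: standard 36-byte ACPI header, then the WPBT body, then
# type-specific data (for content type 1, the UTF-16LE command line).
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")  # sig, len, rev, cksum, oem id, oem tbl id, oem rev, creator id, creator rev
WPBT_BODY = struct.Struct("<IQBB")          # handoff size, handoff phys addr, content layout, content type
CHECKSUM_OFFSET = 9                         # position of the checksum byte inside the ACPI header


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is well-formed when all of its bytes sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Validate a raw WPBT table and report where the binary lives and how it is launched."""
    sig, length, _rev, _cksum, oem_id, _tbl, _orev, _cid, _crev = ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: %r" % sig)
    if length != len(table):
        raise ValueError("length field %d does not match buffer size %d" % (length, len(table)))
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum")
    size, addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    info = {"oem_id": oem_id.rstrip(b"\0 ").decode(), "handoff_size": size,
            "handoff_addr": addr, "layout": layout, "content_type": ctype, "cmdline": ""}
    if ctype == 1:  # native user-mode application: UINT16 byte length, then UTF-16LE arguments
        off = ACPI_HDR.size + WPBT_BODY.size
        (arglen,) = struct.unpack_from("<H", table, off)
        info["cmdline"] = table[off + 2:off + 2 + arglen].decode("utf-16-le").rstrip("\0")
    return info


def build_sample_wpbt(cmdline: str, handoff_addr: int = 0x7F000000, handoff_size: int = 0x20000) -> bytes:
    """Constructed sample table (not captured from real firmware) with a valid checksum."""
    args = cmdline.encode("utf-16-le") + b"\0\0"
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1) + struct.pack("<H", len(args)) + args
    hdr = ACPI_HDR.pack(b"WPBT", ACPI_HDR.size + len(body), 1, 0, b"EXAMPL", b"CONSTRCT", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # fix up so the whole table sums to 0
    return bytes(table)


if __name__ == "__main__":
    import sys
    # Real use on Linux: python3 wpbt_check.py /sys/firmware/acpi/tables/WPBT
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wpbt("/quiet")
    print(parse_wpbt(raw))
```

The handoff address points at the PE image the firmware placed in memory; dumping that region and comparing its hash across boots and firmware versions is the practical way to notice when the pushed binary changes.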

Dell PowerEdge BIOS failure with Intel ME

https://www.dell.com/support/article/us/en/19/sln309027/dell-poweredge-14g-bios-update-fails-on-the-first-attempt-second-attempt-works?lang=en

[…]For servers with greater than 24 days of power on time since the last AC power cycle, the first BIOS update will fail because the Intel Management Engine (ME) fails to enter recovery mode for the BIOS update.[…]

Non-Dell OEMs: please also add this to your QA cycle. 🙂

Reversing ESP8266 Firmware (Part 1)

Exciting, this is expected to be a 6-part series!

[…]The challenge was described as follows: We managed to obtain the firmware of an unknown device connected to our wireless access point. We’ve been told it’s connecting to a service and retrieving secrets, but we can’t reach the service. Can you?[…]

Reversing ESP8266 Firmware (Part 1)

https://boredpentester.com/wp-content/uploads/2018/10/recovered_file_updated.zip

Building a Proof of Concept Hardware Implant

Implanted Apple Lightning USB cable [at BSidesPDX]

https://twitter.com/_MG_/status/1054929638621757441

https://mg.lol/blog/badusb-cables/

VirtualBox 6.0 Beta 1 released

https://forums.virtualbox.org/viewtopic.php?f=1&t=89946

https://blogs.oracle.com/virtualization/oracle-vm-virtualbox-60-beta-1-released

Hmm, it looks like the ChangeLog is not up to date yet, so it is unclear what firmware changes have occurred:

https://www.virtualbox.org/wiki/Changelog

Build Your Own Hardware Implant

Bloomberg’s story about an alleged hardware implant […] Several people were pointing out the fact that the BMC (Baseboard Management Controller – the component allowing an out-of-band access to the server) could be tampered with, allowing an implant to control the BMC to gain access to the network card. But how does it work in practice? Let’s see if we can reproduce this.[…]

Build Your Own Hardware Implant

ARM releases EBBR 0.7 spec

The Embedded Base Boot Requirements (EBBR) specification defines requirements for embedded systems to enable inter-operability between SoCs, hardware platforms, firmware implementations, and operating system distributions. The aim is to establish consistent boot ABIs and behaviour so that supporting new hardware platforms does not require custom engineering work.

https://github.com/ARM-software/ebbr/releases/tag/v0.7

https://github.com/ARM-software/ebbr
https://github.com/ARM-software/ebbr/wiki

see-also:

Dong_Wei_ARM_Final.pdf

https://www.linaro.org/blog/the-boot-problem/