
Cr4sh’s DmaHvBackdoor.c: Hyper-V backdoor for UEFI

Cr4sh is having fun with Windows Device Guard:

DmaHvBackdoor.c comments:

Part of UEFI DXE driver code that injects a Hyper-V VM exit handler backdoor into Device Guard-enabled Windows 10 Enterprise. Execution starts from new_ExitBootServices(), a hook handler for EFI_BOOT_SERVICES.ExitBootServices(), which is called by winload!OslFwpKernelSetupPhase1(). After DXE phase exit, winload.efi transfers execution to the previously loaded Hyper-V kernel (hvix64.sys) by calling winload!HvlpTransferToHypervisor(). To transfer execution to Hyper-V, winload.efi uses a special stub, winload!HvlpLowMemoryStub(), copied to a reserved memory page at the constant address 0x2000. During the runtime phase this memory page is visible to the hypervisor core at the same virtual and physical address and has executable permissions, which makes it a perfect place to store our Hyper-V backdoor code. VMExitHandler() is a hook handler for the VM exit function of the hypervisor core; it might be used for interaction between the hypervisor backdoor and guest virtual machines.

WordPress chokes on GitHub gist-based URLs, so click on the initial Tweet above for the URL, or look for the gist entry that matches the date:


Dmytro on Apple PCI-E Thunderbolt


Dmytro on PCI-E/SMM vulnerability

Dmytro has an interesting 6-part Twitter thread on PCI-E security:


Intel NUC SMM exploit

Intel® Branded NUCs Vulnerable to SMM exploit
Intel ID: INTEL-SA-00068
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: May 02, 2017
Last revised: May 02, 2017

Intel is releasing updated BIOS firmware for a privilege escalation issue. This issue affects the Intel® NUC Kits listed in the Model Number section below. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage the vulnerable BIOS to execute arbitrary code outside of SMRAM while the system is running in System Management Mode (SMM), potentially compromising the platform. Intel products that are listed below should apply the update. Intel highly recommends updating the BIOS of all Intel® NUCs to the recommended BIOS or later listed in the table of affected products. Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00068&languageid=en-fr


Dmytro’s Rogue PCI-E device

Wow.

https://www.dropbox.com/s/yxgw0bl241hkt3n/pcie_dxe_backdoor_tlp.log?dl=0


Intel NUC’s Vulnerable to SMM Exploit

A new Intel Security Center advisory:

Intel® Branded NUCs Vulnerable to SMM Exploit
Intel ID: INTEL-SA-00057
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Oct 03, 2016
Last revised: Nov 15, 2016

Intel is releasing updated BIOS firmware for a privilege escalation issue. This issue affects the Intel® NUC Kits listed in the affected products section below. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage the vulnerable BIOS to gain access to System Management Mode (SMM) and take full control of the platform. Intel products that are listed below should apply the update. Intel highly recommends updating the BIOS of all Intel® NUCs to the recommended BIOS or later listed in the table of affected products. Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00057&languageid=en-fr

https://firmwaresecurity.com/2016/10/22/dmytro-takes-on-the-intel-nuc/
