Uncategorized

ME Analyzer 1.16.3 released

ME Analyzer Features:
Supports all Engine firmware generations (ME 1 – 11, TXE 1 – 3 & SPS 1 – 4)
Supports all types of file images (Engine Regions, SPI/BIOS images etc)
Detection of Family, Version, SKU, Date, Revision, Platform etc info
Detection of Production, Pre-Production, ROM-Bypass, MERecovery etc Releases
Detection of Region (Stock/clean or Extracted/dirty), Update etc Types
Detection of Security Version Number (SVN), Version Control Number (VCN) & PV
Detection of firmware’s Flash Image Tool platform configuration for ME 11 & up
Detection of Intel SPI Flash Descriptor region’s Access Permissions
Detection of whether the imported Engine firmware is updated
Detection of unusual Engine firmware (Corrupted, Compressed, OEM etc)
Detection of multiple Engine regions in input file, number only
Detection of special Engine firmware BIOS GUIDs via UEFIFind
Detection of unique mobile Apple Macintosh Engine firmware SKUs
Advanced detection & validation of Engine region’s firmware Size
Ability to analyze multiple files by drag & drop or by input path
Ability to unpack all Engine x86 firmware (ME >= 11, TXE >= 3, SPS >= 4)
Ability to detect & categorize firmware which require attention
Ability to validate Engine region’s $FPT checksums & entries counter
Ability to detect various important firmware problems and corruptions
Supports SoniX/LS_29’s UBU, Lordkag’s UEFIStrip & CodeRush’s UEFIFind
Reports all firmware which are not found at the Engine Repository Database
Reports any new, unknown, problematic, incomplete etc Engine firmware images
Features command line parameters to enhance functionality & assist research
Features user friendly messages & proper handling of unexpected code errors
Shows colored text to signify the importance of notes, warnings & errors
Open Source project licensed under GNU GPL v3, comment assisted code

https://github.com/platomav/MEAnalyzer/commits/master
https://github.com/platomav/MEAnalyzer

 

 

Standard
Uncategorized

Reversing Intel ME’s ROMP module

Reverse-engineering the Intel Management Engine’s ROMP module
Youness Alaoui, Hardware enablement developer

Last month, while I was waiting for hardware to arrive and undergo troubleshooting, I had some spare time to begin some Intel ME reverse engineering work. First, I need to give some shout out to Igor Skochinsky, a Hex-Rays developer, who had been working on reverse engineering the Intel ME for a while, and who has been very generous in sharing his notes and research on the ME with us, which is going to be a huge help and cut down months of reverse engineering and guesswork. Igor was very helpful in getting me to understand the bits that didn’t make sense to me. The first thing I wanted to try and reverse was the ROMP module. It is one of the two modules that me_cleaner doesn’t remove, and given how small it is (less than 1KB of code+data), I thought it would be a good starting point. Turns out my hunch was right, as I finished reverse engineering that module after only a couple of days.[…]

https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/

https://github.com/kakaroto/purism-playground

Standard
Uncategorized

Intel AMT story, continued

A little bit more (warning: a few of these are related to Intel ME hardware, not Intel AMT firmware):

Rumor has it that OpenAMT can also be used for AMT detection:
https://sourceforge.net/p/openamt/wiki/Home/

AMT advisory from ASUS:
https://www.asus.com/News/uztEkib4zFMHCn5r

http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/

https://community.rapid7.com/community/nexpose/blog/2017/05/11/on-the-lookout-for-intel-amt-cve-2017-5689

http://www.govinfosecurity.com/intels-amt-flaw-worse-than-feared-a-9901

Is Intel’s Management Engine Broken?

 

Standard
Uncategorized

Intel AMT story, continued

https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

https://github.com/CerberusSecurity/CVE-2017-5689

https://github.com/chipsec/chipsec/issues/212

https://support.lenovo.com/us/en/product_security/len-14963

http://en.community.dell.com/support-forums/laptop/f/3518/p/20011922/20995860

http://en.community.dell.com/techcenter/extras/m/white_papers/20443914

http://en.community.dell.com/techcenter/extras/m/white_papers/20443937

https://support.hp.com/us-en/document/c05507350

https://community.qualys.com/thread/17263-qids-or-scanning-advice-for-intel-amt-sa-00075

https://www.tenable.com/sc-dashboards/intel-sa-00075-detection

https://www.tenable.com/blog/intel-amt-vulnerability-detection-with-nessus-and-pvs-intel-sa-00075

https://vuldb.com/?id.100794

Intel AMT chip bug suspected backdoor, but likely coding error
[…]Some researchers accused the vulnerability of being a backdoor. Tatu Ylonen, the inventor of the Secure Shell protocol told SC Media Charlie Demerjan, the researcher who spotted the flaw, claims to have been in discussions over bug with Intel for years urging them t to fix it. “If his claim is true (I have no reason to doubt it but have no independent evidence), then it begins to sound very much like a backdoor,” Demerjan said. “I mean, if someone knows their product has a vulnerability that undermines the security of pretty much every enterprise server in the world and most security tools, wouldn’t they want to disclose it to the government, one of their biggest customers?”[…]

https://www.scmagazine.com/intel-amt-flaw-likely-just-coding-error/article/655449/

[…]What is clear, however, is that this flaw (which has existed for more than 9 years) truly is somewhere between nightmarish and apocalyptic. Taking no action is not an option.

http://www.securityweek.com/exploitable-details-intels-apocalyptic-amt-firmware-vulnerability-disclosed

Standard
Uncategorized

Intel ME: based on Minix?

“[…]In addition, when we looked inside the decompressed vfs module, we encountered the strings “FS: bogus child for forking” and “FS: forking on top of in-use child,” which clearly originate from Minix3 code. It would seem that ME 11 is based on the MINIX 3 OS developed by Andrew Tanenbaum :)[…]”

http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html

http://www.minix3.org/

 

Standard