William reviews Plato’s ME Analyzer tool

November 6, 2018 ~ hucktech ~ Leave a comment

William has a review of ME Analyzer:

https://www.basicinputoutput.com/2018/11/intel-me-resourcesme-analyzer.html

Dell PowerEdge BIOS failure with Intel ME

October 25, 2018 ~ hucktech ~ Leave a comment

Did updating your #PowerEdge BIOS fail, then succeed when you tried a second time? This could be why: https://t.co/LCLDiusUC8 pic.twitter.com/FOUgjUy8U3

— Dell Cares PRO (@DellCaresPRO) October 24, 2018

https://www.dell.com/support/article/us/en/19/sln309027/dell-poweredge-14g-bios-update-fails-on-the-first-attempt-second-attempt-works?lang=en

[…]For servers with greater than 24 days of power on time since the last AC power cycle, the first BIOS update will fail because the Intel Management Engine (ME) fails to enter recovery mode for the BIOS update.[…]

Non-Dell OEMs: please also add this to your QA cycle. 🙂

ME Analyzer v1.70.0 released

October 12, 2018 ~ hucktech ~ Leave a comment

ME Analyzer v1.70.0 adds full parsing & unpacking of all Intel CSE ME/TXE/SPS File Systems (MFS/AFS) based on the amazing initial research by @_Dmit. MEA can now show the FS state and log all low-level details. General CSE firmware analysis also improved. https://t.co/Snttp8fULE pic.twitter.com/txmx6Pyl2d

— Plato Mavropoulos (@platomaniac) October 11, 2018

ME Analyzer v1.70.0 adds full parsing & unpacking of all Intel CSE ME/TXE/SPS File Systems (MFS/AFS) based on the amazing initial research by @_Dmit. MEA can now show the FS state and log all low-level details. General CSE firmware analysis also improved.

https://github.com/platomav/MEAnalyzer

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

October 3, 2018 ~ hucktech ~ Leave a comment

Our new paper "Intel ME Manufacturing Mode: obscured dangers" about SPI write-protection bypass in Apple MacBook. https://t.co/PTswfwJBZA [ru]https://t.co/G2l3nzuhSD [en]

— Maxim Goryachy (@h0t_max) October 2, 2018

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251 https://t.co/lJ8XTN6sKs #MacBook #Intel #IntelME

— PT Security (@PTsecurity_UK) October 2, 2018

http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

One of the interesting things about https://t.co/SHusekPfJn is the reference to ExitBootServices() – it sounds like there's an expected contract between the OS boot environment and the firmware, but that contract is entirely undocumented

— Matthew Garrett (@mjg59) October 3, 2018

Additionally, 𝙴𝚡𝚒𝚝𝙱𝚘𝚘𝚝𝚂𝚎𝚛𝚟𝚒𝚌𝚎𝚜() is useful for rootkits to know when it is time to exfiltrate the FileVault password, although that contract is also undocumented. pic.twitter.com/Z6hUGvOslC

— Trammell Hudson ⚙ (@qrs) October 3, 2018

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

September 13, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys https://t.co/mVDNknGXlU #IntelME

— PT Security (@PTsecurity_UK) September 12, 2018

http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html

Intel ME JTAG PoC for INTEL-SA-00086

August 27, 2018 ~ hucktech ~ Leave a comment

Ready to uncover Intel ME background? Use our PoC to activate JTAG and dump ME ROM https://t.co/PXDCrssolB

— Mark Ermolov (@_markel___) August 27, 2018

Almost year has passed since we reported the INTEL-SA-00086 vulnarability and we have published JTAG activation PoC for Intel ME. You can use JTAG for researching ME core (via DbC debug cable). Step-by-step instructions at https://t.co/TWbgEbrmNm pic.twitter.com/9lCJPYfLBF

— Maxim Goryachy (@h0t_max) August 27, 2018

Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version 3.0.1.1107).[…]

https://github.com/ptresearch/IntelTXE-PoC

Intel-SA-00118: Intel Converged Security Management Engine (Intel CSME) 11.x issue

July 11, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/11/intel-releases-a-dozen-new-security-advisories/

In an effort to continuously improve the robustness of the Intel® Converged Security Management Engine (Intel® CSME), Intel has performed a security review of its Intel® CSME with the objective of continuously enhancing firmware resilience. As a result, Intel has identified security vulnerabilities that could potentially place affected platforms at risk.[…]

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00118.html

PS: I guess ME is now CSME now?

Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018 ~ hucktech ~ Leave a comment

Apple fixed firmware vulnerability found by Positive Technologies https://t.co/Bp2vg0zqU0

— Nicolas Krassas (@Dinosn) June 14, 2018

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

PT Security: new Intel ME research

June 4, 2018 ~ hucktech ~ Leave a comment

Our (with @_Dmit & @_markel___ ) new presentation about security keys in ME11 and DLMP partition which allows to get a main ME secret. #CONFidence_news #IntelME https://t.co/iCnyqMgrGY

— Maxim Goryachy (@h0t_max) June 4, 2018

Positive Technologies' researchers Dmitry Sklyarov and Maxim Goryachy gave a technical talk about security keys genealogy and obfuscation in #IntelME at @CONFidence_news Krakow (https://t.co/tvz2kyuNHb). Presentation slides are available on GitHub: https://t.co/NcmCqZa4kg

— PT Security (@PTsecurity_UK) June 4, 2018

https://github.com/ptresearch

Click to access Intel%20ME%20Security%20keys%20Genealogy%2C%20Obfuscation%20and%20other%20Magic.pdf

Fruct20: UEFI BIOS and Intel ME attack vectors and vulnerabilities

May 4, 2018 ~ hucktech ~ Leave a comment

UEFI BIOS and Intel Management Engine Attack Vectors and Vulnerabilities
Alexander Ogolyuk, Andrey Sheglov, Konstantin Sheglov
Saint Petersburg National Research University of Information Technologies, Mechanics and Optics
St. Petersburg, Russia

We describe principles and implementation details of UEFI BIOS attacks and vulnerabilities, suggesting the possible security enhancement approaches. We describe the hidden Intel Management Engine implementation details and possible consequences of its security possible discredit. Described breaches in UEFI and Intel Management Engine could possibly lead to the invention of “invulnerable” malicious applications. We highlight the base principles and actual state of Management Engine (which is a part of UEFI BIOS firmware) and its attack vectors using reverse engineering techniques.

From conclusion:
* Disable all SMM code (if possible by patching or other methods)
* Disable any external firmware components (PCI boot)
* Disable S3 Bootscript (after sleep mode)
* SMI transaction Monitor extensive usage (to find malicious SMI calls)
* Enable Secure Boot mode
* Enable BIOS password
* Extensive reverse engineering of vendor’s firmware samples to find and report vulnerabilities
* Code reviews (of open sourced UEFI based systems like Tiano-Core)

Click to access Ogo.pdf

https://www.fruct.org/program20

Click to access FRUCT20_Program.pdf

ME Analyzer 1.48.0 released

April 6, 2018 ~ hucktech ~ Leave a comment

ME Analyzer v1.48.0 is out with CSME 12 "FWUpdate" (FWU) region Type detection. CSME 12 firmware support should now be fully implemented. https://t.co/Snttp8fULE pic.twitter.com/MAHQ9wvCWo

— Plato Mavropoulos (@platomaniac) April 5, 2018

It seems that Intel CSME 11.8.50.3460 fixes some CVEs which are still set to Reserved: CVE-2018-3627, CVE-2018-3628, CVE-2018-3629, & CVE-2018-3632. They should't be that important though based on the +2 firmware VCN increase.

— Plato Mavropoulos (@platomaniac) April 4, 2018

https://github.com/platomav/MEAnalyzer

Intel ME crypto info (in Russian)

March 23, 2018 ~ hucktech ~ Leave a comment

Some information about Intel ME cryptography implementation [rus]. https://t.co/2xrE9Nr8vN

— Maxim Goryachy (@h0t_max) March 23, 2018

https://github.com/ptresearch/IntelME-Crypto

Intel updates for INTEl-SA-0068 and INTEL-SA-00088

February 8, 2018 ~ hucktech ~ Leave a comment

Intel updates the advisory pages:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://www.thurrott.com/hardware/151902/intel-issues-first-corrected-firmware-fixes-cpu-security-flaws

PTSecurity: how to run code in Intel ME

January 18, 2018 ~ hucktech ~ Leave a comment

Как взломать выключенный компьютер или выполнить код в #Intel ME https://t.co/q0X1hebEIQ #IntelME #Security

— PositiveTechnologies (@ptsecurity) January 18, 2018

Thursday, January 18, 2018
How to hack a disabled computer or run code in Intel ME
At the recent Black Hat Europe conference, Positive Technologies researchers Mark Ermolov and Maxim Goryachy spoke about the vulnerability in Intel Management Engine 11 , which opens up access to most of the data and processes on the device. This level of access also means that any attacker exploiting this vulnerability, bypassing traditional software-based protection, will be able to conduct attacks even when the computer is turned off. Today we publish in our blog the details of the study.[…]

http://blog.ptsecurity.ru/2018/01/intel-me.html

https://translate.google.com/translate?hl=en&sl=ru&u=http://blog.ptsecurity.ru/2018/01/intel-me.html

ME Analyzer 1.42.0 released

January 14, 2018 ~ hucktech ~ Leave a comment

ME Analyzer v1.42.0 is out! Quite a big update. Added support for CSME 12.0, CSE Layout Table (LT) v1.6 – v1.7, BPDT v2 – v3, FPT v2.1 & CSE Extensions 17, 22 & 20 R2. Improved CSE Ext 3, 14, 15, 16 & 20 R1. Added CSE unpacking of CSE LT, BPDT, FPT, UTOK UTFL & Instance ID info. pic.twitter.com/xNlW7GLGEt

— Plato Mavropoulos (@platomaniac) January 13, 2018

Added FPT, BPDT & CSE LT partition overlap check. Also CSE partition Size, Hash, OEM/FIT config & Out of Bounds module detection. Improved CPD entry count and ME 8+ FPT & BPDT entry display (-dfpt). Fixed bugs at CSE unpacking, S-BPDT & Manifest detection. https://t.co/Snttp8fULE pic.twitter.com/i4O0shtBs0

— Plato Mavropoulos (@platomaniac) January 13, 2018

https://github.com/platomav/MEAnalyzer

F-Secure: new Intel AMT security issue

January 12, 2018 ~ hucktech ~ Leave a comment

NEW RESEARCH: Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptopshttps://t.co/gYJrFoyxL1 https://t.co/Z8oJhpoBc7

— F-Secure (@FSecure) January 12, 2018

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops

Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally. The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”[…]

Intel ME at CCC

December 26, 2017 ~ hucktech ~ 1 Comment

It appears PTSecurity may have a GUI Debugger for Intel ME??

The “Minix Inside” stickers look great, click on the tweet from frdnd.

Hoping CCC staff does the great job they do ever year and get the videos for these events online quickly! 😉

What about a GUI when debuging Intel ME? If you are intrigued visit our talk at #34c3 (https://t.co/6kHIOuRYJ9) #IntelME #JTAG pic.twitter.com/D9oMGVbX0g

— Mark Ermolov (@_markel___) December 25, 2017

https://twitter.com/frdnd/status/942984718613610496

It seems I forgot to announce it here, so here goes: I'll be speaking at 34c3 in Leipzig with Nicola Corna on Intel ME https://t.co/cJjA7mxhd1

— Igor Skochinsky (@IgorSkochinsky) December 25, 2017

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8762.html

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8782.html

PS: Of course, this isn’t all that is happening at CCC. There are multiple other interesting talks, eg:

I'm looking forward to talk about "Public FPGA based DMA Attacking" at the 34th Chaos Communication Congress #34c3 😀 https://t.co/jLttOyrA8V

— Ulf Frisk (@UlfFrisk) November 20, 2017

Intel ME research paper

December 25, 2017 ~ hucktech ~ Leave a comment

Made my paper about the Intel Management Engine into a blog post! Update for version 11 will follow soon. #IntelME https://t.co/3YevUw5MOQ

— cookie (@bitkeks) December 10, 2017

The Intel Management Engine
This blog post is based on a research paper I wrote for university. Although my work was mainly reading and summarising, I hope this article helps to bring some clarification about the details of the ME. At the bottom, you will also find some sources I used. Please be aware that since I wrote this report until June 2017, a new generation of ME was deployed, the one running the Minix microkernel on a x86 coprocessor. Nevertheless–to understand the development and architecture of the whole concept, it’s good to understand the details up from 2009.[…]

https://bitkeks.eu/blog/2017/12/the-intel-management-engine.html

more on Intel-SA-00068 (Intel ME)

December 20, 2017 ~ hucktech ~ Leave a comment

Intel has updated their advisory again, after a week or so, probably worth re-reading:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Pepijn on Apple use of Intel ME

December 15, 2017 ~ hucktech ~ Leave a comment

Interesting, Pepijn Bruienne is looking at new Apple firmware, and how it uses Intel ME.

So it seems I was mistaken in thinking that Apple ships all Macs with Intel ME disabled? A number of recent models actually do have an ME payload in the EFI capsule, seemingly functional. Who knows more about this? pic.twitter.com/Mu3Xx3Acb8

— Pepijn Bruienne 🌲🧀💴 (@bruienne) December 13, 2017

Interestingly the J137.im4p/MacEFI payload that ostensibly will live inside the T2 still has an ME region, version went from 11.6 in 10.13 DR1 to 11.10 in the bridgeOS 2 payload from November.

— Pepijn Bruienne 🌲🧀💴 (@bruienne) December 15, 2017

This tells me:
– Even though full secure boot mode is (still) optional, the T2 is now the first thing that boots, not EFI
– Bricking a Mac due to a bad EFI update is impossible
– This is the new normal. Start thinking about adjusting your #macadmins procedures accordingly. https://t.co/zRv8cbvILV

— Pepijn Bruienne 🌲🧀💴 (@bruienne) December 15, 2017

Also interesting is that the only file the various ME unpacking tools can't decompress is "pavp_mod" since it's encrypted. PAVP is Intel's protected A/V path used for DRM purposes.

— Pepijn Bruienne 🌲🧀💴 (@bruienne) December 13, 2017