PeiBackdoor: new UEFI payload/backdoor tool

Dmytro Oleksiuk (aka Cr4sh) has created a new UEFI security researcher tool: PeiBackdoor, which hooks into the init code of UEFI. (PEI is the Pre-EFI Initialization phase: the earliest UEFI init code, which runs before the UEFI protocols are in place.) It uses Capstone, and requires Windows.

PEI stage backdoor for UEFI compatible firmware

This project implements an early stage firmware backdoor for UEFI based firmware. It allows executing arbitrary code written in C during the Pre EFI Init (PEI) phase of Platform Initialization (PI). This backdoor might be useful for low level manipulations with the target platform configuration when most of the platform configuration registers are not locked yet. […]

PEI backdoor project includes:

* PeiBackdoor.py – Python program that allows infecting raw flash images or individual UEFI PEI drivers with the backdoor code.
* PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
* PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
* PeiBackdoor.inf – PEI backdoor project configuration for EDK2 build environment.
* config.h – PEI backdoor build options.
* payload.c – Put your own PEI stage code into this source file and call it from Payload() function.
* src/ – Rest of the PEI backdoor code.

PeiBackdoor.py uses the Capstone engine and pefile Python libraries; you need to install them with the pip install capstone pefile command.
[…]

https://github.com/Cr4sh/PeiBackdoor

Intel Joule

“Today during the Intel Developer Forum (IDF) opening keynote, Intel CEO Brian Krzanich introduced the Intel® Joule™ compute module, a high-performance developer platform with support for Intel® RealSense™ depth-sensing cameras, targeted at Internet of Things (IoT) developers, entrepreneurs and established enterprises. […] The Intel Joule platform enables people to rapidly prototype a concept and then take it into production in a fraction of the time and development cost. Intel Joule is a high performance system-on-module (SOM) in a tiny, low-power package thus making it ideal for computer vision, robotics, drones, industrial IoT, VR, AR, micro-servers and other applications that require high-end edge computing. The Intel Joule module is available in two models – 570x and 550x. The Intel Joule 570x developer kit is available for sale at the 2016 Intel Developer Conference in San Francisco, and will begin shipping in September through Intel reseller partners.”

I’m still reading the docs, not sure what firmware it has, or whether developers have the ability to revise it. If you know, please leave a Comment. Suggested price is US$379.

https://software.intel.com/en-us/articles/joule-vs-edison
https://software.intel.com/en-us/intel-joule-getting-started
https://software.intel.com/en-us/iot/hardware/joule
https://software.intel.com/en-us/articles/what-is-joule-module
https://software.intel.com/en-us/iot/hardware/joule/dev-kit
http://ark.intel.com/products/series/96419/Intel-Joule-Kits

Intel Joule fact sheet: intel-joule-fact-sheet.pdf

https://newsroom.intel.com/chip-shots/make-amazing-things-happen-iot-entrepreneurship-intel-joule/

CHIPSEC ported to Apple Mac OS X!

Wow, CHIPSEC is ported to Mac OS X! This is great news for Mac owners! CHIPSEC requires a native kernel driver to support CHIPSEC’s HAL. Before this, there were only Linux and Windows HAL drivers for CHIPSEC, so Mac OS X users had to reboot into a Linux-based distro which had CHIPSEC (e.g., LUV-live). Live use aside, this also probably means you’ll be able to use CHIPSEC on OS X for offline analysis of blobs.

OSX Driver for Chipsec. This driver is currently in alpha release. It is not signed and you will need to disable the System Integrity Protection to load it. It is only compatible with x86_64 kernels, that is, any release >= 10.7. How to:
1. (optional) Build the Driver using Xcode (chipsec.xcodeproj)
2. Turn the System Integrity Protection off: see
    https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
3. Reboot and load the driver
   # kextutil chipsec.kext
4. Within the source/tool directory, run:
   # python chipsec_util.py spi info
   # python chipsec_util.py spi dump rom.bin
5. Unload the driver

https://github.com/chipsec/chipsec/blob/master/source/drivers/osx/README

https://github.com/chipsec/chipsec/pull/69

https://github.com/chipsec/chipsec/commit/b00c037101523212725c60d35f3f70b168a44e1c

With an OS X port of the CHIPSEC HAL, Apple’s OS is starting to catch up with Linux and Windows. I hope Apple paid @tweksteen for the effort, Apple should have done this port long ago. FreeBSD/OpenBSD/NetBSD: time for you to catch up too! 🙂

coreboot adds Intel BootGuard support to Intel ME Tool

“util/intelmetool: Add bootguard information dump support:
With this implementation it’s possible to detect the state of bootguard in Intel-based systems.
Currently it’s WIP and in a test phase. Handle it with care!”


https://review.coreboot.org/#/c/16328/

https://coreboot.org/

Talos creates Intel PT driver

Talos Intel PT Driver
This driver implements the Intel Processor Trace functionality of the Intel Skylake architecture for Microsoft Windows.
Intel Processor Trace is a high performance, hardware-supported branch tracing mechanism in the Intel Skylake architecture.
[…]

https://github.com/talos-vulndev/TalosIntelPtDriver

https://github.com/talos-vulndev/FuzzFlow

http://www.talosintelligence.com/

CHIPSEC adds blacklist database of UEFI modules

CHIPSEC 1.2.4 was recently released:

CHIPSEC 1.2.4 released

One new feature is a blacklist database of bad UEFI modules, and a new CHIPSEC security module to test for them, see the modules/tools/uefi/blacklist.py source for more details.

https://github.com/chipsec/chipsec/commit/bb9c9963547aae91a416be695c7f8b97fa61a3e8

Look at some of Yuriy’s more recent Twitter posts for a few new features not listed in the previous 1.2.4 release blog post, in addition to this blacklist.

Intel to license ARM tech

[…] Intel will now manufacture chips for other companies such as ARM. To be more precise, it will be licensing technology from Britain’s ARM Holdings. […]

I wonder what this means for Intel and ARM?? I’ve deleted a few paragraphs of speculation, to save you time, as I have no clue. 🙂

I hope that Intel also releases a version of a RISC-V chip!

http://wccftech.com/intel-manufacture-arm-chips/

ME Analyzer switches from closed-source to open-source

Great news, the tool “ME Analyzer” — for analyzing the Intel Management Engine (ME) — has switched from closed-source freeware to open source!!


Plutomaniac’s ME Analyzer

Intel SGX tutorial, part 3 underway

If you haven’t seen the Intel SGX tutorial, the first 2 parts are out, and the 3rd part is nearly out:

https://software.intel.com/en-us/articles/introducing-the-intel-software-guard-extensions-tutorial-series
https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-1-foundation
https://software.intel.com/en-us/articles/intel-software-guard-extensions-tutorial-part-2-app-design

It sounds like part 3 is nearly out:

https://software.intel.com/en-us/blogs/2016/08/17/part-3-of-the-intel-software-guard-extensions-tutorial-series-is-coming-soon

CHIPSEC 1.2.4 released

Chipsec 1.2.4 has been released! There are no release notes, and the docs haven’t been updated in the last 6 months, so you have to read the code for any new changes, apart from these 3 tweets:

https://github.com/chipsec/chipsec

https://github.com/chipsec/chipsec/commits/master


Multiple Intel systems have SMM runtime EoP

See the full announcement for the list of vulnerable products. Regardless of model, it sounds like no fix until early September.

SmmRuntime Escalation of Privilege
Intel ID: INTEL-SA-00056
Product family: Intel® Server Board S1200/1400/1600/2400/2600/4600 series
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Aug 08, 2016

Intel is releasing mitigations for a privilege escalation issue. This issue affects the UEFI BIOS of select Intel Products. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage the vulnerable function to gain access to System Management Mode (SMM) and take full control of the platform. Intel products that are listed below should apply the update. Other vendors’ products which use the common BIOS function SmmRuntime may be impacted.  To find out whether a product you have may be vulnerable to this issue, please contact your system supplier. Intel highly recommends applying the mitigations. For Intel branded products where a mitigation is still pending, we recommend following good security practices including running with least privilege and keeping security software and operating systems up to date. […]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00056&languageid=en-fr

SGXfun

sgx_bh16.pdf

https://github.com/kudelskisecurity/sgxfun

parse_enclave.py takes an enclave in binary form and extracts some metadata

parse_quote.py takes a quote in binary form and extracts its fields

parse_sealed.py takes a sealed blob of data and extracts its fields
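As an added illustration of what a tool like parse_quote.py pulls out of an EPID quote (this is not sgxfun's code), the parser below uses the field offsets of the Intel SGX SDK's sgx_quote_t and sgx_report_body_t structures and then applies the checks a remote verifier applies to the report body: the DEBUG attribute bit, the expected MRSIGNER and a minimum ISVSVN. The sample quote it builds is constructed for offline use and carries no signature.

```python
import struct

# Field offsets from the Intel SGX SDK's sgx_quote_t / sgx_report_body_t (EPID quote format).
# Added example, not sgxfun's parse_quote.py: it extracts the report body fields a remote
# attestation verifier checks and flags a debug-mode enclave.
REPORT_BODY_OFF, REPORT_BODY_LEN = 48, 384
QUOTE_BODY_LEN = 436      # header + report body + signature_len; the signature follows
SGX_FLAGS_DEBUG = 0x2     # attributes.flags bit set on enclaves launched in debug mode

def parse_report_body(rb):
    """Extract the sgx_report_body_t fields a verifier cares about."""
    if len(rb) != REPORT_BODY_LEN:
        raise ValueError("report body must be %d bytes" % REPORT_BODY_LEN)
    flags, xfrm = struct.unpack_from("<QQ", rb, 48)          # sgx_attributes_t
    isv_prod_id, isv_svn = struct.unpack_from("<HH", rb, 256)
    return {"cpu_svn": rb[0:16].hex(), "attr_flags": flags, "attr_xfrm": xfrm,
            "mr_enclave": rb[64:96].hex(), "mr_signer": rb[128:160].hex(),
            "isv_prod_id": isv_prod_id, "isv_svn": isv_svn,
            "report_data": rb[320:384].hex(), "debug": bool(flags & SGX_FLAGS_DEBUG)}

def parse_quote(q):
    """Split an EPID quote into header fields, report body and signature length."""
    if len(q) < QUOTE_BODY_LEN:
        raise ValueError("quote truncated: %d bytes" % len(q))
    version, sign_type = struct.unpack_from("<HH", q, 0)
    qe_svn, pce_svn = struct.unpack_from("<HH", q, 8)
    sig_len = struct.unpack_from("<I", q, 432)[0]
    if len(q) < QUOTE_BODY_LEN + sig_len:
        raise ValueError("signature truncated")
    body = q[REPORT_BODY_OFF:REPORT_BODY_OFF + REPORT_BODY_LEN]
    return {"version": version, "sign_type": sign_type, "epid_group_id": q[4:8].hex(),
            "qe_svn": qe_svn, "pce_svn": pce_svn, "basename": q[16:48].hex(),
            "report_body": parse_report_body(body), "signature_len": sig_len}

def vet_quote(q, expected_mr_signer, min_isv_svn):
    """Return the policy violations a verifier would reject the quote for (empty = accept)."""
    rb = parse_quote(q)["report_body"]
    problems = []
    if rb["debug"]:
        problems.append("enclave runs in debug mode; its memory is readable by a debugger")
    if rb["mr_signer"] != expected_mr_signer:
        problems.append("MRSIGNER %s is not the expected signer" % rb["mr_signer"])
    if rb["isv_svn"] < min_isv_svn:
        problems.append("ISVSVN %d below minimum %d" % (rb["isv_svn"], min_isv_svn))
    return problems

def build_sample_quote(debug=True, isv_svn=1):
    """Constructed sample quote (signature_len 0) for offline testing; not a real quote."""
    q = bytearray(QUOTE_BODY_LEN)
    struct.pack_into("<HHIHH", q, 0, 2, 1, 0x0f0a, 7, 5)  # version, sign_type, group id, qe_svn, pce_svn
    rb = REPORT_BODY_OFF
    struct.pack_into("<QQ", q, rb + 48, 0x5 | (SGX_FLAGS_DEBUG if debug else 0), 0x7)
    q[rb + 64:rb + 96] = b"\x11" * 32                     # MRENCLAVE (constructed)
    q[rb + 128:rb + 160] = b"\x22" * 32                   # MRSIGNER (constructed)
    struct.pack_into("<HH", q, rb + 256, 1, isv_svn)      # ISVPRODID, ISVSVN
    return bytes(q)
```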

Rootkits and Bootkits: new chapter available

An update on this book: the early-access ebook edition has a new chapter on UEFI BIOS vulnerabilities — and NoStarch has a 30% off earlybird discount:

No Starch Press: Rootkits and Bootkits

https://www.nostarch.com/rootkits

Intel Developer Forum

IDF is happening later this month in San Francisco, and there are multiple firmware presentations there. I counted about a dozen presentations that focus on UEFI, BIOS, Redfish, and related topics. Use the Search dialog at the URL below to find them.

http://www.intel.com/content/www/us/en/intel-developer-forum-idf/san-francisco/2016/idf-2016-san-francisco-technical-sessions.html

Intel open sources Redfish-based rack

[…] Intel Rack Scale Design is the first framework to be based upon and use the Redfish™ industry standard from DMTF for modern and secure management of scalable platform hardware in the modern data center. The framework allows for dynamic management of compute, memory, PCIe, and storage resources and the pooling of those resources for more efficient use of data center assets. The framework simplifies advanced technology to accelerate the adoption of open, interoperable solutions for tomorrow’s data centers today. […]

https://github.com/01org/intelRSD

http://www.intel.com/content/www/us/en/architecture-and-technology/rack-scale-design-overview.html

http://itpeernetwork.intel.com/intel-rack-scale-design-now-ready-open-source-development/

Google fork of CHIPSEC

[[UPDATE: this tweet from answers my below question:

]]

GRR (Google Rapid Response), a remote live forensics framework for incident response, has forked CHIPSEC and updated it to work with GRR. I wonder if the CHIPSEC team will fold these changes back into the trunk version of CHIPSEC?

https://testpypi.python.org/pypi/grr-chipsec/1.2.3

https://github.com/google/grr

new EDK2-Bugs mailing list and Tianocore bugzilla server

On the EDK2-Devel list, Mike Kinney of Intel announced the creation of the Tianocore Bugzilla Server, and the new EDK2-bugs mailing list, which tracks changes to the bug database. The Tianocore project is going to migrate from the Github bug database to their own Bugzilla-based one. The announcement mentions a special case for UEFI security issues:

There is one special Product type on the Bugzilla server called “Tianocore Security Issues”. If you believe you have discovered a security issue, then you must enter the issue using the “Tianocore Security Issues” Product. The issue will be evaluated to determine if it really is a security issue or not. NOTE: Never put any security issue details in email.

For full details, see Mike’s post:
http://article.gmane.org/gmane.comp.bios.edk2.devel/14844

More info:
https://tianocore.acgmultimedia.com
https://lists.01.org/mailman/listinfo/edk2-bugs

Hmm, no posts yet to the new list, at least nothing has been archived, yet there are 39 bugs in the database; I would have expected at least 39 posts in the archives…. The Tianocore Security Advisory list never seemed to work. The Intel Security Advisories list never seemed to work. Let’s hope the EDK2-bugs list works…
https://tianocore.acgmultimedia.com/buglist.cgi?bug_status=__open__&no_redirect=1&order=Importance&query_format=specific
https://lists.01.org/pipermail/edk2-bugs/

AMI_SMI_Dump

New tool: ami_smi_dump.py:
Extract SW SMI handler information from an SMRAM dump of Skylake based AMI Aptio V firmware.

Hmm, WordPress renders GitHub gist embeds unviewable. Remove the SPACE character after the TLD in the URL below to make it work. Or click on the links in the Twitter post.

https://gist.github.com  /Cr4sh/db43cc6687e737d982d3d1c56472c6b9