PFSExtractor-RS: Rust port of PFSExtractor: extract contents of Dell BIOS update files in PFS format

Nikolaj is learning Rust. He just rewrote one C tool to Rust:

https://github.com/LongSoft/PFSExtractor-RS

Universal-IFR-Extractor

Nikolaj Schlej has a gork of Universal-IFR-Extractor. IFR is the UEFI forms language.

https://github.com/LongSoft/Universal-IFR-Extractor/releases/tag/v0.2

https://github.com/tomrus88/Universal-IFR-Extractor

Security updates for Intel NUC firmware (INTEL-SA-00084)

Intel ID: INTEL-SA-00084
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Oct 06, 2017

This update improves protection against mitigates multiple vulnerabilities related to security features in Intel® NUC system firmware (BIOS). BIOS Administrator and User password bypass: Insufficient protection of password storage in system firmware for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attacker to bypass Administrator and User passwords via access to password storage. SPI Write Protection Bypass: Insecure platform configuration in system firmare for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows an attacker with physical presence to run arbitrary code via unauthorized firmware modification during BIOS Recovery. SMM Privilege Elevation: Insufficient input validation in system firmware for Intel® NUC systems allows local attacker to execute arbitrary code via manipulation of memory. Boot Guard Bypass: Incorrect policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to bypass enforcement of integrity protections via manipulation of firmware storage. Dangerous SPI Opcode Protections: Insufficient policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to violate integrity or availability of nonvolatile storage for firmware via specially crafted accesses to nonvolatile storage. Intel highly recommends that users update to the latest version. Intel would like to thank Nikolaj Schlaj for reporting CVE-2017-5700 and CVE-2017-5701 and working with us on coordinated disclosure. Intel would like to thank Embedi for reporting CVE-2017-5721 and CVE-2017-5722 and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00084&languageid=en-fr

 

 

PFSExtractor: extractor for DellPFS firmware format

https://github.com/LongSoft/PFSExtractor

PFSExtractor v0.1.0 – extracts contents of Dell firmware update files in PFS format
Usage: PFSExtractor pfs_file.bin

Nikolaj on recent UEFI/ACPI spec updates

[[[UPDATE:
William’s blog post on Nikolaj’s comments are more readable than below post:
http://www.basicinputoutput.com/2017/07/uefi-27-courtesy-of-nikolaj.html
]]

Nikolaj has over a dozen tweets showcasing the interesting new features in the latest UEFI and ACPI specs. Click on the above Twitter URL to see the full set.

 

Nikolaj on AMD AGESA/PSP

Nikolaj Schlej made a comment on the recent Snowden/AMD thread. The comment is on Twitter, so it is in multiple messages. I hope that AMD proves him wrong, AMD can change course, so can Intel, if they choose.

William reviews CrScreenshotDxe

William has done another tool review, this time of Nikolaj’s CrScreenshotDxe tool. He does must longer blog posts on tool reviews than me, so it is always nice to see another review from him. 🙂

[…] “Nikolaj did us all a great service by posting this utility on Github.  It was easy to integrate and worked flawlessly.” […]

http://www.basicinputoutput.com/2016/08/the-joy-of-crscreenshotdxe.html

https://github.com/LongSoft/CrScreenshotDxe

https://firmwaresecurity.com/2016/01/04/screenshot-taking-uefi-dxe-driver/

Nikolaj joins Apple!!

WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!

As well, UEFITool has new maintainers, Alex and Dmytro!!

UEFITool NE A31.0 released

Nikolaj apparently never stops coding. 🙂 Changelog:

New feature release this time: added “Hex view…” action (Ctrl/Cmd + D) and dialog to preview the selected tree item without extracting it to FS. #56

Now the dialog is modal, but if anyone needs to open more than one, it can be implemented later. The feature uses QHexEdit2 library made by Simsys, big thanks.
https://github.com/LongSoft/UEFITool/releases/tag/NE.A31.0
Also see Nikolaj’s comments re: my last post, clarifying Qt usage in UEFITool, which my post was not clear on:
https://firmwaresecurity.com/2016/07/09/uefidump-created-uefitool-and-uefiextract-rewritten/#comments

UEFIDump created, UEFITool and UEFIExtract rewritten

Nikolaj has been rewriting his suite of UEFI tools, so they are no longer dependent on the Qt framework, and uses his new engine “NE” tag. UEFITool (UT NE) no longer requires Qt. UEFIExtract (UE) no longer requires Qt. UEFIFind (UF) still requires Qt, and will be ported later. UEFIDump (UD) is a new tool! Described below. Extract of release notes:

UT NE A30 | UE 0.12.0 | UD 0.1.0
Almost no new features, but massive changes under the hood:
* engine (classes from /common) can now be build without Qt.
* added support for very rare Apple-specific images.
* fixed some quirks with report generation.
* UT and UE binaries rebuilt to include updated engine code.
* UEFIDump utility released, it’s a PoC analog of UEFIExtract, that generates the same report and dumps all leaf items into one .dump folder without hierarchy, “_%03d” suffix is added for duplicated items. The tool is an example of Qt-less engine usage.
* UEFIFind will be ported to non-Qt engine a bit later.

https://github.com/LongSoft/UEFITool/releases/tag/NE.A30
https://github.com/LongSoft/UEFITool/commits/new_engine
https://github.com/LongSoft/UEFITool/tree/new_engine
https://github.com/LongSoft/UEFITool

Nikolaj completes his 4-part NVRAM/UEFI blog series

Nikolaj has completed (?) his 4-part blog series on NVRAM formats in UEFI. Part 4 is on AMI’s NVAR.

https://habrahabr.ru/post/281901/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281901%2F&sandbox=1

Here’s a pointer to the last edition:
https://firmwaresecurity.com/2016/04/16/nikolaj-on-nvram-formats-part-3/

I think that UEFITool NE has another alpha released, with some UI changes.

 

Nikolaj on NVRAM formats, part 3

Nikolaj Schlej already has part 3 on his blog series on NVRAM formats in UEFI! Very long post with lot’s of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some others common ones.

https://habrahabr.ru/post/281469/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281469%2F&sandbox=1

https://firmwaresecurity.com/2016/04/13/nikolaj-on-nvram-formats-volume-2/

Also it appears he’s also released UEFITool NE alpha 25:
https://github.com/LongSoft/UEFITool/releases/tag/NE.A25

Nikolaj on NVRAM formats, volume 2

Nikolaj has started a series of blog posts on NVRAM formats in UEFI:

First edition is here:
https://firmwaresecurity.com/2016/04/11/nikolaj-on-uefi-nvram-formats/

The second edition is already out:

https://habrahabr.ru/post/281412/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281412%2F&sandbox=1

Looking forward volume 3!

 

Nikolaj on UEFI NVRAM formats

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

https://habrahabr.ru/post/281242/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281242%2F&sandbox=1

Nikolaj is also looking for some NVRAM formats for testing:

UEFITool NE Alpha24 released, seeking NVRAM testers

Nikolaj has updated UEFItool NE again, Alpha 24, with NVRAM support done, and is needing help to test it.

Changes:
* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state

Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!

https://github.com/LongSoft/UEFITool/releases/tag/NE.A24

UEFITool NE A32 released

Nikolaj Schlej has released a new version of UEFITool. This is an alpha of a big release, as it adds parsering for UI for all major NVRAM formats.

Please help out Nikolaj and test out this alpha release!

https://github.com/LongSoft/UEFITool/releases/tag/NE.A23

https://github.com/LongSoft/UEFITool

Nikolaj Schlej audits Intel Quark BSP

William Leara of Dell has a new blog post about Nikolaj Schlej’s new blog post analyzing Intel Quark’s BSP:

Another tip of the cap to Nikolaj Schlej, this time for an interesting article where he examined the Intel Quark Board Support Package (BSP) source code with the static source code analyzer PVS-Studio. The Intel Quark is an SoC used in embedded systems applications.  For example, it runs the Intel Galileo family of development boards.  Galileo is a small computer board comparable to the Arduino family of products, and is targeted to maker and educational customers. The BSP is a set of documentation and EDKII source code that allows a developer to build his own bootable firmware image for the Quark. Nikolaj discovered many serious problems, and I found it educational to read through them.  This is helpful so that you can discover the typical mistakes people make in UEFI development, and also so that you won’t make the same mistakes yourself! […]

http://www.basicinputoutput.com/2016/03/nikolaj-schlej-analyzing-intel-galileo.html
https://habrahabr.ru/post/258721/
http://www.viva64.com/en/b/0326/

Nikolaj’s ZeroNights UEFI video online

The video of Nikolaj Schlej from ZeroNights is now online!

Sources and slides are here:
https://firmwaresecurity.com/2015/12/14/nikolaj-uploads-zero-nights-sources/
https://firmwaresecurity.com/2015/11/27/nikolajs-zeronights-presentation-available/