Uncategorized

cellular baseband vulnerability for Nissan/Infinity/BMW/Ford

Advisory (ICSA-17-208-01)
Continental AG Infineon S-Gold 2 (PMB 8876)
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Continental AG
Equipment: Infineon S-Gold 2 (PMB 8876)
Vulnerabilities: Stack-Based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer

AFFECTED PRODUCTS: All telematics control modules (TCUs) built by Continental AG that contain the S-Gold 2 (PMB 8876) cellular baseband chipset are affected. The S-Gold 2 (PMB 8876) is found in the following vehicles: <see full announcement for list of Nissan, Infinity, BMW, Ford, etc models.>

An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU. A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU.

Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee have reported the vulnerabilities.

https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01

https://github.com/HackingThings/Publications/tree/master/2017

https://github.com/HackingThings/CAN-Bus-Arduino-Tool

 

Standard
Uncategorized

CHIPSEC for ARM: to be released at Black Hat

I nearly missed this CHIPSEC announcement in the below Black Hat abstract. Exciting.

Blue Pill for Your Phone
By Oleksandr Bazhaniuk & Yuriy Bulygin

In this research, we’ve explored attack surface of hypervisors and TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels. We will explore attack vectors which could allow malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including SMC fuzzer.

https://www.blackhat.com/us-17/briefings.html#blue-pill-for-your-phone

Standard
Uncategorized

SyScan360 Seattle

https://www.syscan360.org/

Standard
Uncategorized

CHIPSEC talk at OPCDE 2017

Exploring Your System Deeper
 Oleksandr Bazhaniuk – Intel – United States

You wanted to explore deep corners of your system but didn???t know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities, configured insecurely or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective are the platform security defenses: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation… Or maybe you just want to explore hardware and firmware components your system has. CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014 significant improvements have been made in the framework – from making it easy to install and use to adding lots of new security capabilities. We’ll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.

 

http://www.opcde.com/speakers.html

Standard
Uncategorized

Yuriy and Oleksandr at REcon

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems
By: Yuriy Bulygin, Oleksandr Bazhaniuk

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen, Hyper-V and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way OS communicates with SMM on UEFI based systems and new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware which makes them applicable to any type of system firmware. We will describe impact and various mitigation techniques. We will also release a module for open source CHIPSEC framework to automatically detect this type of issues on a running system.

https://recon.cx/2017/brussels/talks/baring_the_system.html

https://firmwaresecurity.com/2017/01/05/yuriy-to-speak-at-recon-brussels/

 

 

Standard
Uncategorized

CHIPSEC training at REcon

The Intel CHIPSEC team doesn’t give training often, so when they do, it is worth mentioning.

Like last year, CHIPSEC will be offering training at REcon!

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

https://recon.cx/2016/training/trainingfirmware.html

Standard
Uncategorized

BIOS analysis presentation at Analyze 2016

Analyze 2016 takes place in March in San Francisco. It is a “Security community event for malware and exploit analysis research”. Amongst the presentations is one on BIOS analysis by two of the Intel Advanced Threat Research (ATR) team!

Talks:
Tom Bennett – Whose RAT Is It Anyways?
Aaron Shelmire – Sections, Segments, and Functions, oh my! Hashing your way to analytical shortcuts.
Edward Miles – Making sense of ProGuard’s mess
Oleksandr Bazhaniuk/Yuriy Bulygin – Different methods of BIOS analysis: Static, Dynamic and Symbolic execution
Darren Spruell – Malicious Traffic Distribution: Tactics and Response
Rick Wesson – Static Malware Analysis on GPUs
Chip McSweeney – DGA Antivenom: Stopping new configurations before analysis
Jing Xie – Risks of iOS Remote Hot-Patching
Alexander Matrosov – Distributing the reconstruction of IR for large scale malware analysis
http://www.analyze.cc/Waylon Grange – Wherefore by their crypto ye shall know them
Armin Buescher – Sanzoku APT

http://www.analyze.cc/

Standard