Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

October 3, 2018 ~ hucktech ~ Leave a comment

Our new paper "Intel ME Manufacturing Mode: obscured dangers" about SPI write-protection bypass in Apple MacBook. https://t.co/PTswfwJBZA [ru]https://t.co/G2l3nzuhSD [en]

— Maxim Goryachy (@h0t_max) October 2, 2018

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251 https://t.co/lJ8XTN6sKs #MacBook #Intel #IntelME

— PT Security (@PTsecurity_UK) October 2, 2018

http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

One of the interesting things about https://t.co/SHusekPfJn is the reference to ExitBootServices() – it sounds like there's an expected contract between the OS boot environment and the firmware, but that contract is entirely undocumented

— Matthew Garrett (@mjg59) October 3, 2018

Additionally, 𝙴𝚡𝚒𝚝𝙱𝚘𝚘𝚝𝚂𝚎𝚛𝚟𝚒𝚌𝚎𝚜() is useful for rootkits to know when it is time to exfiltrate the FileVault password, although that contract is also undocumented. pic.twitter.com/Z6hUGvOslC

— Trammell Hudson ⚙ (@qrs) October 3, 2018

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

September 13, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/12/intel-releases-17-security-advisories/ and

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys https://t.co/mVDNknGXlU #IntelME

— PT Security (@PTsecurity_UK) September 12, 2018

http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html

Intel ME JTAG PoC for INTEL-SA-00086

August 27, 2018 ~ hucktech ~ Leave a comment

Ready to uncover Intel ME background? Use our PoC to activate JTAG and dump ME ROM https://t.co/PXDCrssolB

— Mark Ermolov (@_markel___) August 27, 2018

Almost year has passed since we reported the INTEL-SA-00086 vulnarability and we have published JTAG activation PoC for Intel ME. You can use JTAG for researching ME core (via DbC debug cable). Step-by-step instructions at https://t.co/TWbgEbrmNm pic.twitter.com/9lCJPYfLBF

— Maxim Goryachy (@h0t_max) August 27, 2018

Vulnerability INTEL-SA-00086 allows to activate JTAG for Intel Management Engine core. We developed our JTAG PoC for the Gigabyte Brix GP-BPCE-3350C platform. Although we recommend that would-be researchers use the same platform, other manufacturers’ platforms with the Intel Apollo Lake chipset should support the PoC as well (for TXE version 3.0.1.1107).[…]

https://github.com/ptresearch/IntelTXE-PoC

Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018 ~ hucktech ~ Leave a comment

Apple fixed firmware vulnerability found by Positive Technologies https://t.co/Bp2vg0zqU0

— Nicolas Krassas (@Dinosn) June 14, 2018

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

PT Security: new Intel ME research

June 4, 2018 ~ hucktech ~ Leave a comment

Our (with @_Dmit & @_markel___ ) new presentation about security keys in ME11 and DLMP partition which allows to get a main ME secret. #CONFidence_news #IntelME https://t.co/iCnyqMgrGY

— Maxim Goryachy (@h0t_max) June 4, 2018

Positive Technologies' researchers Dmitry Sklyarov and Maxim Goryachy gave a technical talk about security keys genealogy and obfuscation in #IntelME at @CONFidence_news Krakow (https://t.co/tvz2kyuNHb). Presentation slides are available on GitHub: https://t.co/NcmCqZa4kg

— PT Security (@PTsecurity_UK) June 4, 2018

https://github.com/ptresearch

Click to access Intel%20ME%20Security%20keys%20Genealogy%2C%20Obfuscation%20and%20other%20Magic.pdf

PTSecurity: how to run code in Intel ME

January 18, 2018 ~ hucktech ~ Leave a comment

Как взломать выключенный компьютер или выполнить код в #Intel ME https://t.co/q0X1hebEIQ #IntelME #Security

— PositiveTechnologies (@ptsecurity) January 18, 2018

Thursday, January 18, 2018
How to hack a disabled computer or run code in Intel ME
At the recent Black Hat Europe conference, Positive Technologies researchers Mark Ermolov and Maxim Goryachy spoke about the vulnerability in Intel Management Engine 11 , which opens up access to most of the data and processes on the device. This level of access also means that any attacker exploiting this vulnerability, bypassing traditional software-based protection, will be able to conduct attacks even when the computer is turned off. Today we publish in our blog the details of the study.[…]

http://blog.ptsecurity.ru/2018/01/intel-me.html

https://translate.google.com/translate?hl=en&sl=ru&u=http://blog.ptsecurity.ru/2018/01/intel-me.html

parseMFS: scripts for parsing Intel ME MFS/MFSB partition and extracting contained files

December 18, 2017 ~ hucktech ~ Leave a comment

New tool for parsing MFS partition by @_Dmit https://t.co/JJoIUnjWHb

— Maxim Goryachy (@h0t_max) December 18, 2017

Intel ME File System Explorer

This repository contains Python 2.7 scripts for parsing MFS/MFSB partition and extracting contained files.

https://github.com/ptresearch/parseMFS

Tanenbaum responds to Intel about Minix-based ME

November 7, 2017 ~ hucktech ~ 1 Comment

Intel ME running Minix is in the news again…

An Open Letter to Intel

[…]I knew that Intel had some potential interest in MINIX 3 several years ago when one of your engineering teams contacted me about some secret internal project and asked a large number of technical questions about MINIX 3, which I was happy to answer. I got another clue when your engineers began asking me to make a number of changes to MINIX 3, for example, making the memory footprint smaller and adding #ifdefs around pieces of code so they could be statically disabled by setting flags in the main configuration file.[…]

Yours truly,
Andrew S. Tanenbaum

http://www.cs.vu.nl/~ast/intel/

https://en.wikipedia.org/wiki/Andrew_S._Tanenbaum

http://www.minix3.org/

https://firmwaresecurity.com/2017/05/07/intel-me-based-on-minix/

Where there’s a JTAG, there’s a way: obtaining full system access via USB

October 20, 2017 ~ hucktech ~ Leave a comment

Our article "Where There's A Jtag <…>" about undocumented CPU probe mode and Intel DCI (JTAG for CPU/PCH)https://t.co/Szo8Z45tbU

— Maxim Goryachy (@h0t_max) October 20, 2017

WHERE THERE’S A JTAG, THERE’S A WAY: OBTAINING FULL SYSTEM ACCESS VIA USB
Maxim Goryachy and Mark Ermolov
Everyone makes mistakes. These words are certainly true for developers involved in low-level coding, where such common tools as print debugging and software debuggers run into limits. To solve this problem, hardware developers use in-circuit emulators or, if available on the target platform, the JTAG debugging interface (IEEE1149.1 [1]). Such debugging mechanisms first appeared in the 1980s [2]. Over time, microchip vendors extended the functionality of these interfaces. This allowed developers to obtain detailed information on power consumption, find bottlenecks in high-performance algorithms, and perform many other useful tasks. Hardware debugging tools are also of interest to security researchers. These tools grant low-level system access and bypass important security protections, making it easier for researchers to study a platform’s behavior and undocumented features. Unsurprisingly, these abilities have attracted the attention of intelligence services as well.[…]

Click to access Where-theres-a-JTAG-theres-a-way.pdf

ME_Cleaner updated to set HAP bit

August 30, 2017 ~ hucktech ~ Leave a comment

Me-cleaner commit after our paper. Good job!!!https://t.co/f9GGCPd8wn

— Maxim Goryachy (@h0t_max) August 28, 2017

UNTESTED: Set the HAP bit:
Positive Technologies discovered the presence of an undocumented HAP bit in the PCHSTRP0 field of the descriptor which, when set to 1, disables completely Intel ME just after the initialization. This is confirmed both by an analysis of the status of Intel ME after the setting of the bit and by reverse engineering the BUP module.

https://github.com/corna/me_cleaner/commit/350903a695851dda20b2be5d6099b58e377653b7

https://github.com/corna/me_cleaner

https://firmwaresecurity.com/2017/08/28/ptsecurity-on-intel-me/

PTSecurity on Intel ME

August 28, 2017 ~ hucktech ~ Leave a comment

Disabling Intel ME 11 via undocumented mode https://t.co/nZpJR6oRZq

— Frank Denis (@jedisct1) August 28, 2017

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government’s High Assurance Platform (HAP) program.

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.[…]

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

https://github.com/ptresearch/unME11

https://github.com/ptresearch/me-disablement

PTSecurity on Disabling Intel Management Engine

May 21, 2016 ~ hucktech ~ Leave a comment

Disabling Intel ME – How to become the sole owner of your PC – https://t.co/OysNJrLOqK https://t.co/cGSeK6QdNA

— Giuseppe `N3mes1s` (@gN3mes1s) May 21, 2016

N3mes1s points out an article from Maxim Goryachy and Mark Ermolov of PTSecurity, on disabling the Intel Management Engine (ME).

http://ptsecurity.com
https://github.com/ptresearch/

Click to access How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf