UEFI at SeaGL

September 29, 2017 ~ hucktech ~ Leave a comment

If you are the Seattle area, the Seattle GNU Linux Conference (SeaGL, pronounced “Seagull”) is happening shortly. There’re two UEFI talks, one by PreOS Security, and one by System76.

Are you a #SysAdmin who's worried about #security on your #firmware? @penglish_PreOS explains it all: https://t.co/oDO3megjK2 #UEFI #DFIR

— SeaGL (@seagl) September 28, 2017

An interview about my upcoming talk @seagl is live: https://t.co/LnnFPCZ1QU

— Paul English (@penglish_PreOS) September 28, 2017

Are you paranoid enough? We're here to help with that! We've got talks on #malware & #ransomware plus advice on #passwords, #SSH, & #UEFI.

— SeaGL (@seagl) September 29, 2017

https://osem.seagl.org/conferences/seagl2017/program/proposals/374

http://seagl.org/news/2017/09/28/QA-penglish.html

https://preossec.com/

https://system76.com/

https://osem.seagl.org/conferences/seagl2017/program/proposals/326

CVE-2015-7837: RHEL UEFI Secure Boot

September 20, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/security_de/status/910399697986244609

Vulnerability ID 106841
Red Hat Enterprise Linux UEFI Secure Boot privilege escalation

A vulnerability, which was classified as critical, has been found in Red Hat Enterprise Linux (the affected version is unknown). This issue affects an unknown function of the component UEFI Secure Boot. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-269. Impacted is confidentiality, integrity, and availability. The weakness was released 09/19/2017 (oss-sec). The advisory is shared for download at openwall.com. The identification of this vulnerability is CVE-2015-7837 since 10/15/2015. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/20/2017).[…]

https://tsecurity.de/de/206729/Reverse-Engineering/Exploits/Red-Hat-Enterprise-Linux-UEFI-Secure-Boot-erweiterte-Rechte-CVE-2015-7837/
https://vuldb.com/?id.106841
http://nakedsecurity.com/cve/CVE-2015-7837/
https://cxsecurity.com/cveshow/CVE-2015-7837
http://www.openwall.com/lists/oss-security/2015/10/15/6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7837
https://www.security-database.com/detail.php?alert=CVE-2015-7837

Comments above seem to incidate a 9/19 update, but I can’t find that, only older messages from 2015-2016. Unclear about current status of this.

Microsoft Azure seeks senior UEFI engineer

September 18, 2017 ~ hucktech ~ Leave a comment

Senior UEFI / FW Development Engineer – CSI / Azure – Cloud Server Infrastructure

The Azure Cloud Server Infrastructure development team (CSI) is seeking a talented FW development engineer with UEFI based BIOS/FW development experience. Candidate will be a member of the MSFT Azure CSI/UEFI FW team and will be responsible for design and development of UEFI FW solutions for MSFT Cloud Platforms. The Senior BIOS/Firmware Developer candidate must have relevant industry experience in the development of UEFI firmware solutions. Candidate must demonstrate skills and experiences from early planning/concept architecture, platform bring-up, UEFI FW features development, board manufacturing support and field issues debug/servicing support.[…]

https://careers.microsoft.com/jobdetails.aspx?jid=320991&job_id=1070474&utm_source=Indeed&show_desc=0

Ecosystem momentum positions Microsoft’s Project Olympus as de facto open compute standard

UEFI-CheckScript: PowerShell script for SCCM/WinPE

September 18, 2017 ~ hucktech ~ Leave a comment

“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”

https://github.com/diablolot53/uefi-checkscript

UefiToolsPkg: making UEFI more useful to system hackers

September 16, 2017 ~ hucktech ~ Leave a comment

Andrei Warkentin has created UefiToolsPkg, readme excerpt below:

This is a Tiano Core (edk2) package with various goodies. The goal was to make the UEFI environment much more useful to system hackers. It may be a reduced environment, but there’s no need for it to remain a crippled one. People make the analogy of UEFI being the 21st century equivalent of DOS, yet DOS was a vastly more useful environment than UEFI is today. Hopefully, one day this will grow into a veritable distribution of software to be productive even without a “real OS” around. Contains: Useful utilities for developers and admins,Ported UNIX tools, Useful libraries for developers, Development tools for Windows/Linux, Other tools around the Web.

FdtDump: dump system device tree to storage
AcpiDump: dump system ACPI tables to storage
AcpiLoader: load system ACPI tables from storage
ShellPlatVars: set UEFI Shell variables based on platform configuration
MemResv: create new memory map entries
RangeIsMapped: validates ranges in the memory map
GopTool: Check and manipulate EFI_GRAPHICS_OUTPUT_PROTOCOL instances
tinycc: port of TinyCC to UEFI

There’s at least one other UEFI ‘distribution’ project on Github, mostly non-usable, I forget the name at the moment. If I had some spare time, I’ve been wanting to do something like this, still looking to find the spare time… 😦 The next logical step is to include FPMurphy’s UEFI Utilities:

https://github.com/fpmurphy/UEFI-Utilities-2016

UEFI driver dev presentation

September 14, 2017 ~ hucktech ~ Leave a comment

Elvis Teixeira has a presentation on UEFI driver development, slides are available here:

https://github.com/elvismt/presentations

UEFI Firmware Rootkits: Myths and Reality: video online

September 10, 2017 ~ hucktech ~ Leave a comment

The video "The UEFI Firmware Rootkits: Myths and Reality" from #BHASIA released! Include demo from docx to SMM 🙂 https://t.co/pvz5rLU1kN

— Alex Matrosov (@matrosov) September 10, 2017

Click to access BHASIA_2017_final.pdf

UEFI Firmware Rootkits: Myths and Reality

Black Hat Asia: The UEFI Firmware Rootkits: Myths and Reality

new UEFI tutorial

September 10, 2017 ~ hucktech ~ Leave a comment

There is a new tutorial on UEFI, for C programmers. It is only 1 day old, and not yet finished:

https://github.com/safayetahmedatge/efitutorial

rust-uefi64: Rust UEFI bootloader

September 8, 2017 ~ hucktech ~ Leave a comment

rust-uefi64:
Rust UEFI crate (64-bit only) for bootloaders and operating systems.
This crate is for supporting UEFI applications such as bootloaders and operating systems.
THIS IS EARLY DAYS, and in particular I have not tested or otherwise used this crate yet myself!

https://github.com/mikedilger/rust-uefi64

Clarification of new Windows UEFI/SMM security feature

September 7, 2017 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/09/05/new-windows-uefi-security-protections-deciphered/

Here’s authoritative information from Jeremiah Cox of Microsoft:

Supporting Yuriy's comment, "SMM Security Mitigations 1.0" is the WSMT bit attesting SMM buffer validation is an allow list rather than deny

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

Supporting Dmytro's comment "UEFI Code Readonly" -> "VBS enablement of NX protection for UEFI runtime services" https://t.co/kcnzhX51ME

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/device-guard-and-credential-guard

Someone at Microsoft: please write a Technical Support KB article based on Jeremiah’s tweets.

new Windows UEFI security protections deciphered

September 5, 2017 ~ hucktech ~ Leave a comment

Microsoft added some new UEFI protections to Windows, but it is not well-documented, so the firmware security researcher community is guessing at what it does:

https://twitter.com/mattifestation/status/904849903934873600

I believe that "UEFI Code Readonly" means EPT enforced R-X permissions for code sections of runtime phase UEFI drivers

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) September 5, 2017

This is likely UEFI "protection flags" from WSMT. See here https://t.co/2iOoELk20G (slide 75) and WSMT spec https://t.co/aRs84cPjB2

— Yuriy Bulygin (@c7zero) September 5, 2017

"SMM security mitigations" prob indicates that UEFI fixed unprotected SMM comm buffer pointer vulns https://t.co/6Z9cyvIuVL (slides 53-76)

— Yuriy Bulygin (@c7zero) September 5, 2017

"Readonly UEFI code" probable indicates that UEFI has write protections enabled in SPI flash on that system (not sure abt NVRAM)

— Yuriy Bulygin (@c7zero) September 5, 2017

dbxparser: PowerShell script to parse UEFI DBX blacklist

September 3, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/mattifestation/status/904401354256334849

dbxparser.ps1 is a PowerShell script that: dumps SHA256 hashes of blacklisted UEFI bootloaders from the ‘dbx’ UEFI variable.

Darn, Github chokes on Github Gist URLs. Remove the 3 spaces from the below URL, or click on the above Tweet.

https:// gist. github. com/mattifestation/991a0bea355ec1dc19402cef1b0e3b6f

SlickEdit bindings for UEFI

September 3, 2017 ~ hucktech ~ Leave a comment

If you use the SlickEdit editor, there is some support for UEFI here:

https://github.com/wujingbo/SlickEdit-2013-for-edk2

https://hackmd.io/s/HkLsi7Qge#

https://www.slickedit.com/

SisyphOS: UEFI-based Rust kernel

September 3, 2017 ~ hucktech ~ Leave a comment

sisyphos-kernel-uefi-x86_64: UEFI-based Rust kernel

A Rust kernel running on bare UEFI (no separate bootloader). Very early stage. Basically, the eventual goal is to build a non-opinionated microkernel that can load regular ELF64 programs as kernel “modules”. Actually, just fairly conventional processes, except running in kernel space (they are assumed to be written in Rust and reproducible, so that hardware protections are unnecessary, similar but unrelated to Microsoft’s Singularity project). The core micro/nano/whateverkernel will link up the loaded applications with a builtin dynamically linked library that exposes its functionality, moving the responsibility for higher-level problems (such as syscalls) into these loadable binaries, and also allowing simple emulation without virtualization for debugging purposes.[…]

https://github.com/le-jzr/sisyphos-kernel-uefi-x86_64
https://github.com/le-jzr/sisyphos-kernel-uefi-x86_64/wiki/Random-notes

Microsoft Surface seeks UEFI engineer

September 2, 2017 ~ hucktech ~ Leave a comment

Senior Embedded Software Firmware Engineer- Surface

The Surface development team is seeking a talented software development engineer with a strong systems background and experience with hardware and firmware interaction. Job responsibilities will encompass designing and coding drivers, tools and firmware across various technologies in Surface devices within the Surface team as well as with partners to deliver high quality products to market.

A few of the Qualifications:

“High tolerance to ambiguity and ability make progress in the face of it.”

“Ability to quickly ramp-up on complex and unfamiliar code.”

https://careers.microsoft.com/jobdetails.aspx?jid=283564&job_id=1044422

PS: I recently briefly used a Surface Book, USB stopped working after 2 days of use, the only way to get it to work again was to disable UEFI Secure Boot and TPM support. I was expecting a lot more from the modern Microsoft w/r/t hardware QA. I hope the Microsoft OEM unit is also hiring STEs…

CVE-2017-3753: AMI Lenovo UEFI SMM vulnerability

September 2, 2017September 2, 2017 ~ hucktech ~ Leave a comment

Lenovo says scope of AMI issue is “Industry-Wide”, which implies that other Intel/AMI-based OEMs may also have this issue, not just Lenovo.

BIOS SMI Handler Input Validation Failures
CVE Identifier: CVE-2017-3753
Lenovo Security Advisory: LEN-14695
Severity: High
Scope of Impact: Industry-Wide
Last Modified: 08/09/2017

Potential Impact: Execution of code in SMM by an attacker with local administrative access

A vulnerability has been identified in some Lenovo products that use UEFI code developed by AMI. With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. AMI has supplied a fix for this vulnerability to Lenovo. Users should update the BIOS on affected systems to the latest available version to address this issue.

Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible to protect themselves to the fullest extent with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:

* Enable Secure Boot on your system
* Disable the boot to UEFI shell
* Disable boot from any source but the primary internal hard drive
* Set a BIOS setup password, so Secure Boot cannot be disabled and the boot to the UEFI shell cannot be re-enabled
* Operate as an unprivileged (non-administrator)

https://nvd.nist.gov/vuln/detail/CVE-2017-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3753
https://support.lenovo.com/us/en/product_security/len-14695
AFAICT nothing on the AMI site on this.

Genode 17.08 adds UEFI support

August 31, 2017 ~ hucktech ~ Leave a comment

New Genode 17.08 release brings awesome GPU work! You can now play hw-accelerated Quake on various Microkernels https://t.co/F4kF6h80E1 https://t.co/a1dTdoP42T

— Adrian Rueegsegger (@Kensan42) August 30, 2017

17.08 brings Intel-Gen8 GPU multiplexer and OpenGL support, #sel4 6.0 ARM/x86_64, UEFI support, non-blocking VFS https://t.co/sTYQ0KZGFP

— Genode Labs (@GenodeLabs) August 30, 2017

“Analogously to our work on the seL4 and NOVA kernels in this release, we extended our base-hw kernel to become a Multiboot2 compliant kernel. When used together with GRUB2, it can be started on x86 UEFI machines missing legacy BIOS support (i.e., CSM).”

https://genode.org/documentation/release-notes/17.08

Ulf: Attacking UEFI over DMA

August 30, 2017 ~ hucktech ~ Leave a comment

Attacking UEFI over DMA now supported by PCILeech! 😈https://t.co/ZH917VFSQS https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) August 30, 2017

Attacking UEFI:
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot – then the chain of trust is broken and secure boot becomes insecure boot. If code execution is gained before the operating system is started further compromise of the not yet loaded operating system may be possible. As an example it may be possible to compromise a Windows 10 system running Virtualization Based Security (VBS) with Device Guard. This have already been researched by Dmytro Oleksiuk. This post will focus on attacking UEFI over DMA and not potential further compromises of the system.[…]

https://github.com/ufrisk/pcileech

http://blog.frizk.net/2017/08/attacking-uefi.html

Two new Rust/UEFI projects by Jiří Zárevúcky

August 28, 2017 ~ hucktech ~ Leave a comment

Two new Rust/UEFI projects:

rust-efi-app: High-level bindings for writing UEFI applications in Rust. Currently in very early stages. The goal is that the library will make it easy and safe to write an application (e.g. an OS kernel) that is capable of functioning across call to ExitBootServices() without depending on the programmer’s judgement for safety, transparently dealing with issues like memory allocations and console output.

https://github.com/le-jzr/rust-efi-app

rust-efi-types: Autogenerated Rust bindings for UEFI types and methods. Generated using bindgen from the headers distributed with gnu-efi. The headers are included. Only works on x86_64, and I don’t plan to extend it to other platforms, or clean it up in any way, because it’s all just a giant hack so that I don’t have to waste much time on proper bindings at this moment. Eventually, it will outlive its usefulness and be unceremoniously dumped into trash.

https://github.com/le-jzr/rust-efi-types

Booting Windows from USB drive

August 27, 2017 ~ hucktech ~ Leave a comment

Here’s a MSDN blog entry on how to boot Windows via a thumbdrive. It is basically an introduction to Rufus…

Installing Windows with Secure Boot from USB drive
July 18, 2017
by Anders Lybecker

Once and a while I reinstall my machine. It feels nice with a clean slate as I tend to install all kinds of applications that pollutes my machine. A newly installed machine just runs better somehow. My machine needs to be secure, so Secure Boot and encrypted drive via BitLocker is a must. It limits the risk of someone messing with my machine and stealing my data. Here is how…[…]

https://blogs.msdn.microsoft.com/lybecker/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

http://www.lybecker.com/blog/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

https://github.com/pbatard/rufus

https://rufus.akeo.ie/

BTW, these days it is pretty rare to see a modern open source GUI tool that is written to use the native Windows Win32 GUI (GDI). These days, most GUIs are written using friendlier GUI frameworks/languages. Rufus is an ‘old school’ Windows tool, no drag-and-drop IDE-generated GUI code… 🙂

https://github.com/pbatard/rufus/blob/master/src/rufus.c