Ulf on Total Meltdown at SEC-T

If you aren’t in Sweden, it appears there may be live streaming of the presentation! There are multiple other firmware presentations as well!

https://www.sec-t.org/talks/

https://www.sec-t.org/schedule/

 

 

Total Meltdown for Windows 7: follow-up

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038

PCILeech3 and Memory Process File System released!

Targets 64-bit Intel systems running Windows.

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

PCILeech: updated with new FPGA bitstream design

PCILeech FPGA contains software and HDL code for FPGA based devices that may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit. Using FPGA based devices have many advantages over using the USB3380 hardware that have traditionally been supported by PCILeech. FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system. FPGA based devices are also more stable compared to the USB3380. FPGA based devices may also send raw PCIe Transaction Layer Packets TLPs – allowing for more specialized research.

https://github.com/ufrisk/pcileech-fpga
https://github.com/ufrisk/pcileech/

PCILeech FPGA released!

PCILeech FPGA contains software and HDL code for FPGA based devices that may be used together with the PCILeech Direct Memory Access (DMA) Attack Toolkit. Using FPGA based devices have many advantages over using the USB3380 hardware that have traditionally been supported by PCILeech. FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system. FPGA based devices are also more stable compared to the USB3380. FPGA based devices may also send raw PCIe Transaction Layer Packets TLPs – allowing for more specialized research. For information about PCILeech itself please check out the PCILeech project.

https://github.com/ufrisk/pcileech-fpga

 

Ulf: Attacking UEFI over DMA

Attacking UEFI:
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot – then the chain of trust is broken and secure boot becomes insecure boot. If code execution is gained before the operating system is started further compromise of the not yet loaded operating system may be possible. As an example it may be possible to compromise a Windows 10 system running Virtualization Based Security (VBS) with Device Guard. This have already been researched by Dmytro Oleksiuk. This post will focus on attacking UEFI over DMA and not potential further compromises of the system.[…]

https://github.com/ufrisk/pcileech

http://blog.frizk.net/2017/08/attacking-uefi.html

 

PCILeech 2.0 released

https://github.com/ufrisk/pcileech

 

PCIleech progress continues…

 

https://github.com/ufrisk/pcileech

Attacking UEFI Runtime Services

Ulf has an informative new article (and video) about attacking UEFI Runtime Services on Linux-based systems using PCILeech:

Attackers with physical access are able to attack the firmware on many fully patched computers with DMA – Direct Memory Access. Once code execution is gained in UEFI/EFI Runtime Services it is possible to use this foothold to take control of a running Linux system. The Linux 4.8 kernel fully randomizes the physical memory location of the kernel. There is a high likelyhood that the kernel will be randomized above 4GB on computers with sufficient memory. This means that DMA attack hardware only capable of 32-bit addressing (4GB), such as PCILeech, cannot reach the Linux kernel directly. Since the EFI Runtime Services are usually located below 4GB they offer a way into Linux on high memory EFI booting systems. Please see the video below for an example of how an attack may look like. […]

Full post:

http://blog.frizk.net/2017/01/attacking-uefi-and-linux.html

 

PCIleech -vs- Apple Mac OS X

It appears Mac OS X 10.12.2 has some firmware-related security updates, with some defense against PCILeech:

http://blog.frizk.net/2016/12/filevault-password-retrieval.html
https://github.com/ufrisk/pcileech

 macOS FileVault2 Password Retrieval

“macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the mac is completely shut down. If the mac is sleeping it is still vulnerable. Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!
[…]
Recovering the password is just one of the things that are possible unless the security update is applied. Since EFI memory can be overwritten it is possible to do more evil …
[…]
December 13th: Apple released macOS 10.12.2 which contains the security update. At least for some hardware – like my MacBook Air.
[…]”

Look at recent Tweets from Xeno Kovah, he has multiple posts with information about the 10.12.2 update:

https://twitter.com/XenoKovah/

Firmware passwords:
https://support.apple.com/en-us/HT202796
https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409

I’ll admit, I didn’t find any firmwaer information in their release:
https://support.apple.com/en-us/HT207423

more info on PCI Leech

 DMA attacking over USB-C and Thunderbolt 3
I just got an Intel NUC Skull Canyon that has an USB-C port capable of Thunderbolt 3. Thunderbolt is interesting since it’s able to carry PCI Express which is Direct Memory Access (DMA) capable. I have previously demonstrated how it is possible to DMA-attack macs over Thunderbolt 2 in my DEF CON talk “Direct Memory Attack the Kernel”. To attack my MacBook Air in the DEF CON demo I used a Sonnet Echo ExpressCard Thunderbolt 2 to ExpressCard adapter together with a PCILeech ExpressCard. I also got a Thunderbolt 3 to Thunderbolt 2 adapter from Startech and I wanted to try it on the NUC to see if it’s possible to use it for DMA attacks, or if Thunderbolt has been secured. […]

http://blog.frizk.net/2016/10/dma-attacking-over-usb-c-and.html

 

PCI Leech

 

https://github.com/ufrisk

Does not appear to be a public Github project yet.