Attacks Against Windows PXE Boot Images

Thomas Elling
February 13th, 2018

If you’ve ever run across insecure PXE boot deployments during a pentest, you know that they can hold a wealth of possibilities for escalation. Gaining access to PXE boot images can provide an attacker with a domain joined system, domain credentials, and lateral or vertical movement opportunities. This blog outlines a number of different methods to elevate privileges and retrieve passwords from PXE boot images. These techniques are separated into three sections: Backdoor attacks, Password Scraping attacks, and Post Login Password Dumps. Many of these attacks will rely on mounting a Windows image and the title will start with “Mount image disk”.[…]

https://blog.netspi.com/attacks-against-windows-pxe-boot-images/

https://docs.microsoft.com/en-us/sccm/osd/plan-design/security-and-privacy-for-operating-system-deployment

Microsoft driver security checklist

Driver security checklist
01/26/2018
Don Marshall

This article provides a driver security checklist for driver developers to help reduce the risk of drivers being compromised.[…]

https://docs.microsoft.com/en-us/windows-hardware/drivers/driversecurity/driver-security-checklist


a bit more on Spectre/Meltdown

Meltdown and Spectre: What about drivers?

https://github.com/iadgov/Spectre-and-Meltdown-Guidance

https://github.com/hannob/meltdownspectre-patches

https://github.com/hackingportal/meltdownattack-and-spectre

https://kb.netgear.com/000053240/Security-Advisory-for-Speculative-Code-Execution-Spectre-and-Meltdown-on-Some-ReadyNAS-and-ReadyDATA-Storage-Systems-and-Some-Connected-Home-Products-PSV-2018-0005

NVidia symbol server for Windows binaries

Microsoft’s debugger stores symbols in sidecar files separate from the executable. They are stored on the Microsoft Symbol Server. For third party symbols, things are not as good. NVidia has improved things for their drivers, though:

https://developer.nvidia.com/nvidia-driver-symbol-server

https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx
https://support.microsoft.com/en-us/help/311503/use-the-microsoft-symbol-server-to-obtain-debug-symbol-files
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols

See-also:

AFAIK, Mozilla was the first open source project to set up a symbol server:
https://developer.mozilla.org/en-US/docs/Mozilla/Using_the_Mozilla_symbol_server

https://gpuopen.com/amd-driver-symbol-server/
https://support.citrix.com/article/CTX118622

http://www.symbolsource.org/Public/Home/VisualStudio
https://nuget.smbsrc.net/
https://github.com/electron/electron/blob/master/docs/development/setting-up-symbol-server.md
https://area.autodesk.com/blogs/the-3ds-max-blog/debug_symbol_server_for_3ds_max_2012/
https://www.chromium.org/developers/how-tos/debugging-on-windows


Windows adds TXT-supported MLE to boot security

https://twitter.com/aionescu/status/944286540984827904

Interesting to hear that Microsoft has added TXT support alongside MLE. Sorry, no more info on it than the above tweet.

From Wikipedia: Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, Cloud Raxak, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.


The mysterious case of the Linux Page Table Isolation patches

WordPress chokes on this Tumblr.com-based document; please click on the URLs in the tweets below to reach the article.

https://twitter.com/revskills/status/947894765126934528


tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

See-also: https://firmwaresecurity.com/2017/12/07/tu-graz-story-on-rowhammer/

Sysdream article on using PCILeech to attack Windows

Nice article by Sysdream on using PCILeech to attack Windows over DMA.

https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/

https://youtu.be/H3nWuAQtJg4

Microsoft adds more enterprise security features to Windows 10

Enable virtualization-based protection of code integrity
11/28/2017
Contributors: Brian Lich, Justinha, Nick Brower, Jason Gerend, Jeffrey Sutherland

Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for remediation steps.[…]

https://docs.microsoft.com/en-us/windows/device-security/enable-virtualization-based-protection-of-code-integrity
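Since the article's troubleshooting advice hinges on whether HVCI is merely configured or actually running, here is an added PowerShell check (my own example, not code from the Microsoft article) that reads the documented Win32_DeviceGuard WMI class and the DeviceGuard registry keys the article uses for enablement:

```powershell
# Added example (not from the Microsoft article): report VBS / HVCI state on the local machine
# via the documented Win32_DeviceGuard class. Numeric codes follow that class's documentation.
function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service codes:
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
    $hvciCode = 2

    [pscustomobject]@{
        VbsStatus      = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains $hvciCode)
        HvciRunning    = [bool]($dg.SecurityServicesRunning    -contains $hvciCode)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
        CiPolicyStatus = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# Reads back the registry values the article documents for enabling VBS and HVCI, so a
# "configured but not running" result can be explained (pending reboot, or an
# incompatible driver that blocked enablement).
function Get-HvciRegistryConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $scn  = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $b = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $scn  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableVbs        = $b.EnableVirtualizationBasedSecurity   # 1 = VBS requested
        PlatformFeatures = $b.RequirePlatformSecurityFeatures     # 1 = Secure Boot, 3 = Secure Boot + DMA protection
        HvciEnabled      = $s.Enabled                             # 1 = HVCI requested
        HvciLocked       = $s.Locked                              # 1 = UEFI lock, cannot be turned off remotely
    }
}

$status = Get-HvciStatus
$status
if ($status.HvciConfigured -and -not $status.HvciRunning) {
    Write-Warning 'HVCI is configured but not running: check for a pending reboot or an incompatible driver (see the Troubleshooting section).'
    Get-HvciRegistryConfig
}
```

Run it in an elevated PowerShell on the Windows 10 host being checked; a `VbsStatus` of `running` with `HvciRunning` of `False` is the case the article's Troubleshooting section addresses.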


CERT/CC VU #817544 : Windows ASLR Vulnerability

U.S. Department of Homeland Security US-CERT National Cyber Awareness System: Windows ASLR Vulnerability

Original release date: November 20, 2017

The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system. US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.

https://www.us-cert.gov/ncas/current-activity/2017/11/20/Windows-ASLR-Vulnerability

http://www.kb.cert.org/vuls/id/817544

Tom's Hardware: Win10 unsupported disk layout UEFI error howto

Tom’s Hardware – an example of a computer review site that never shows CHIPSEC results 😦 — has a new article on how to fix a common UEFI/Windows problem:

How To Fix Windows 10 Unsupported Disk Layout UEFI Error
by Seth Colaner November 17, 2017 at 1:30 PM

A common problem that Windows users have encountered when trying to update Windows 10 is the “Unsupported Disk Layout for UEFI Firmware” error. This error basically means that the partition structure of your hard drive is not supported by the version of Windows 10 that you want to upgrade to. This error can be resolved by creating a Microsoft Reserved Partition (MSR), which is used on Unified Extensible Firmware Interface (UEFI)/GUID Partition Table (GPT) disks. Without getting too technical, we will outline the steps to fix this error when attempting to update.[…]

http://www.tomshardware.com/news/how-to-fix-windows-10-unsupported-disk-layout-uefi-error,35960.html

PS: Tom, please start showing CHIPSEC (and FWTS) results in your reviews, less on what colors the cases come in, and more on what security the HW/FW fails to offer. Thanks!

Intel open sources HAXM, Hardware Accelerated Execution Manager for Mac/Windows

Intel Hardware Accelerated Execution Manager (HAXM)

HAXM is a hardware-assisted virtualization engine (hypervisor) that uses Intel Virtualization Technology to speed up IA (x86/ x86_64) emulation on a host machine running Windows or macOS. It started as an Android SDK component, but has recently transformed itself into a general accelerator for QEMU. HAXM can be built as either a kernel-mode driver for Windows or a kernel extension for macOS.[…]

https://github.com/intel/haxm


See-also:

https://01.org/android-ia/q-and-a/what-haxm

https://software.intel.com/en-us/articles/intel-hardware-accelerated-execution-manager-intel-haxm

https://github.com/Nukem9/Haxm

Restart2UEFI: restart UEFI systems to firmware (for Windows)

This is a new project, a C# GUI that requires Windows and Visual Studio to build. It appears to be a wrapper to the Windows shutdown.exe utility.

https://github.com/spoonieau/Restart2UEFI

Restart2UEFI: Utilities to restart UEFI systems to firmware. An easier way to get your system to boot to the motherboard's firmware interface than going through Windows' recovery options, or finding a paperclip for certain notebooks.

Restart2UEFI WinForms build ported to UWP. Needs Restart2UEFIHelper.exe in the project's win32 dir. It was going to be released on the Windows Store, but it needs a Win32 exe and I only hold a developer licence, so I was unable to submit it and have a compiled app available.


Microsoft adds Time Travel Debugging (TTD) to Windbg

Time Travel Debugging is now available in WinDbg Preview

We are excited to announce that Time Travel Debugging (TTD) features are now available in the latest version of WinDbg Preview. About a month ago, we released WinDbg Preview which provides great new debugging user experiences. We are now publicly launching a preview version of TTD for the first time and are looking forward to your feedback.[…]

https://blogs.msdn.microsoft.com/windbg/2017/09/25/time-travel-debugging-in-windbg-preview/

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-object-model

As I hear, TTD has been used at Microsoft internally for years, just now getting this feature out to the public. Though they are not identical in implementation, GDB has had reverse execution for a while.

https://www.gnu.org/software/gdb/news/reversible.html
https://sourceware.org/gdb/onlinedocs/gdb/Reverse-Execution.html
https://sourceware.org/gdb/wiki/ReverseDebug

Microsoft Windows OEM security standards updated

Standards for a highly secure Windows 10 device
11/05/2017

These standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows enterprise security features light up when you meet or exceed these standards and your device is able to provide a highly secure experience.[…]

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

It will actually take more than 2 minutes to read this... properly.


DriverMon: Monitor activity of any Windows driver

https://github.com/zodiacon/DriverMon

See-also:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/extra-tools
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tools-for-software-tracing
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/index-of-windows-driver-kit-tools#tech-all
https://docs.microsoft.com/en-us/sysinternals/downloads/
https://www.osronline.com/section.cfm?section=27
https://github.com/processhacker2/processhacker


Microsoft renames VBS

https://twitter.com/aionescu/status/922539069292400640

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

It is funny and also sad to see the new MSFT docs include data about how long it’ll take to read the page, for those potential readers who’re worried it’ll be too long to read. “4 minutes to read”. I wonder what the current attention span is, that forces writers to dumb down documents for reduced attention spans of modern readers? 😦

https://blogs.technet.microsoft.com/mmpc/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/


UK gov guidance on automating UEFI Firmware Updates

https://twitter.com/CysekSentinel/status/920640632271409152


Automating UEFI Firmware updates

In our previous blog post we talked about the state of UEFI firmware running on Windows laptops attached to one of our research networks. In case you don’t recall the conclusion: We were surprised that many of the devices were running out-of-date firmware and decided to investigate ways in which automated UEFI firmware updates could be scaled to meet the needs of an Enterprise. This blog tells the story of what happened next.[…]

https://www.ncsc.gov.uk/blog-post/automating-uefi-firmware-updates