VisualUEFI udpated

October 2, 2017 ~ hucktech ~ Leave a comment

Happy to report that VisualUEFI (https://t.co/uPKFeocOH5) has now been fully updated, including OpenSSL 1.1.0e and full SecureBoot support! pic.twitter.com/r6Q9VA3KF9

— Alex Ionescu (@aionescu) October 2, 2017

The latest EDK-II sources are used, no longer with any custom OpenSSL changes — we pull directly from both repositories.

— Alex Ionescu (@aionescu) October 2, 2017

With the latest SDL 2.0 compiled QEMU binaries, the UI slowdowns (unbearable before at high resolutions) are totally gone. It's *FAST*.

— Alex Ionescu (@aionescu) October 2, 2017

https://github.com/ionescu007/VisualUefi

Windows UEFI & ACPI Development

UEFI-CheckScript: PowerShell script for SCCM/WinPE

September 18, 2017 ~ hucktech ~ Leave a comment

“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”

https://github.com/diablolot53/uefi-checkscript

Clarification of new Windows UEFI/SMM security feature

September 7, 2017 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/09/05/new-windows-uefi-security-protections-deciphered/

Here’s authoritative information from Jeremiah Cox of Microsoft:

Supporting Yuriy's comment, "SMM Security Mitigations 1.0" is the WSMT bit attesting SMM buffer validation is an allow list rather than deny

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

Supporting Dmytro's comment "UEFI Code Readonly" -> "VBS enablement of NX protection for UEFI runtime services" https://t.co/kcnzhX51ME

— Jay (Jeremiah) Cox (@int0x6) September 5, 2017

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/device-guard-and-credential-guard

Someone at Microsoft: please write a Technical Support KB article based on Jeremiah’s tweets.

new Windows UEFI security protections deciphered

September 5, 2017 ~ hucktech ~ Leave a comment

Microsoft added some new UEFI protections to Windows, but it is not well-documented, so the firmware security researcher community is guessing at what it does:

https://twitter.com/mattifestation/status/904849903934873600

I believe that "UEFI Code Readonly" means EPT enforced R-X permissions for code sections of runtime phase UEFI drivers

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) September 5, 2017

This is likely UEFI "protection flags" from WSMT. See here https://t.co/2iOoELk20G (slide 75) and WSMT spec https://t.co/aRs84cPjB2

— Yuriy Bulygin (@c7zero) September 5, 2017

"SMM security mitigations" prob indicates that UEFI fixed unprotected SMM comm buffer pointer vulns https://t.co/6Z9cyvIuVL (slides 53-76)

— Yuriy Bulygin (@c7zero) September 5, 2017

"Readonly UEFI code" probable indicates that UEFI has write protections enabled in SPI flash on that system (not sure abt NVRAM)

— Yuriy Bulygin (@c7zero) September 5, 2017

SigThief: PE signature tool

September 4, 2017 ~ hucktech ~ Leave a comment

Hello again! I'm releasing SigThief, Stealing Signatures and Making One Invalid PE Signature at a Time, on github: https://t.co/rRehhSL72q

— Josh Pitts (@ausernamedjosh) September 1, 2017

I’ve noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It’s a mess. So I’m releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. Of course it’s not a valid signature and that’s the point![…]

https://github.com/secretsquirrel/SigThief

Rufus: insecure online behavior

August 30, 2017August 31, 2017 ~ hucktech ~ Leave a comment

[[update: see: https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb ]]

VU#403768: Akeo Consulting Rufus fails to update itself securely https://t.co/0o9ZKFu6BZ

— CISA Cyber (@CISACyber) August 29, 2017

Vulnerability Note VU#403768
Akeo Consulting Rufus fails to update itself securely

Akeo Consulting Rufus fails to securely check for and retrieve updates, which an allow an authenticated attacker to execute arbitrary code on a vulnerable system. Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature checking of downloaded updates, it does not ensure that the update was signed by a trusted certificate authority (CA). This lack of CA checking allows the use of a self-signed certificate. Because of these two weaknesses, an attacker can subvert the update process to achieve arbitrary code execution. An attacker on the same network as, or who can otherwise affect network traffic from, a Rufus user can cause the Rufus update process to execute arbitrary code. The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
* Don’t use built-in update capabilities
* Because Rufus does not include the ability to securely install updates, any Rufus updates should be obtained from https://rufus.akeo.ie/ directly, using your web browser.
* Avoid untrusted networks
* Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.

https://github.com/pbatard/rufus

https://rufus.akeo.ie/

http://pete.akeo.ie/

Ulf: Attacking UEFI over DMA

August 30, 2017 ~ hucktech ~ Leave a comment

Attacking UEFI over DMA now supported by PCILeech! 😈https://t.co/ZH917VFSQS https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) August 30, 2017

Attacking UEFI:
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot – then the chain of trust is broken and secure boot becomes insecure boot. If code execution is gained before the operating system is started further compromise of the not yet loaded operating system may be possible. As an example it may be possible to compromise a Windows 10 system running Virtualization Based Security (VBS) with Device Guard. This have already been researched by Dmytro Oleksiuk. This post will focus on attacking UEFI over DMA and not potential further compromises of the system.[…]

https://github.com/ufrisk/pcileech

http://blog.frizk.net/2017/08/attacking-uefi.html

WinDbg updated

August 29, 2017 ~ hucktech ~ Leave a comment

New Blog post! New WinDbg! https://t.co/DeG0dzwhlD

— Andy Luhrs (@aluhrs13) August 28, 2017

The new WinDbgX is finally out! Enjoy it’s awesomeness. Integrated JS/LINQ, ribbons, modernized UI and runs in Centennial. Awesomesauce. https://t.co/I9Hi0juCo5

— Alex Ionescu (@aionescu) August 28, 2017

New WinDbg available in preview!
We are excited to announce a preview version of a brand new WinDbg. We’ve updated WinDbg to have more modern visuals, faster windows, a full-fledged scripting experience, built with the easily extensible debugger data model front and center. I’ll start this by saying that WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows you’re used to will still work just as they did before.

https://blogs.msdn.microsoft.com/windbg/2017/08/28/new-windbg-available-in-preview/

Windbg always had restrictions in what UI widgets it could use, since Windbg was used to debug those same UI widgets (OLE, COM, etc.) and had to work even those widgets did not work.

Booting Windows from USB drive

August 27, 2017 ~ hucktech ~ Leave a comment

Here’s a MSDN blog entry on how to boot Windows via a thumbdrive. It is basically an introduction to Rufus…

Installing Windows with Secure Boot from USB drive
July 18, 2017
by Anders Lybecker

Once and a while I reinstall my machine. It feels nice with a clean slate as I tend to install all kinds of applications that pollutes my machine. A newly installed machine just runs better somehow. My machine needs to be secure, so Secure Boot and encrypted drive via BitLocker is a must. It limits the risk of someone messing with my machine and stealing my data. Here is how…[…]

https://blogs.msdn.microsoft.com/lybecker/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

http://www.lybecker.com/blog/2017/07/18/installing-windows-with-secure-boot-from-usb-drive/

https://github.com/pbatard/rufus

https://rufus.akeo.ie/

BTW, these days it is pretty rare to see a modern open source GUI tool that is written to use the native Windows Win32 GUI (GDI). These days, most GUIs are written using friendlier GUI frameworks/languages. Rufus is an ‘old school’ Windows tool, no drag-and-drop IDE-generated GUI code… 🙂

https://github.com/pbatard/rufus/blob/master/src/rufus.c

William reviews RWEverything

August 22, 2017 ~ hucktech ~ Leave a comment

William has a review of RWEverything, a freeware tool for Windows:

http://www.basicinputoutput.com/2017/08/rweverything-yes-everything.html

Home

See-also:

tool mini-review: RWEverything

LLVM can now emit/parse/diff Windows PDBs

August 19, 2017 ~ hucktech ~ Leave a comment

PDBs are the sidecar symbol files for Windows. The spec used to be private, now is public, and now it is great to see Clang supporting them. Last time I looked, GCC does not support them.

LLVM on windows now can emit and parse pdbs, their code will be useful for other tools as well as the only good opensrc reference impl https://t.co/Bw06XHCqYS

— Richard Johnson (@richinseattle) August 19, 2017

https://twitter.com/aionescu/status/898829293714784256

http://blog.llvm.org/2017/08/llvm-on-windows-now-supports-pdb-debug.html

Cr4sh’s DmaHvBackdoor.c: Hyper-V backdoor for UEFI

August 19, 2017August 19, 2017 ~ hucktech ~ Leave a comment

Cr4sh is having fun with Windows Device Guard:

Thanks to UEFI and winload it's quite easy to implement such pre-boot intrusion things in reliable way, see my code snippet for more details

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Device Guard enabled Win 10 doesn't allows to debug the Hyper-V core, so I'm planning to introspect it from guest VM using this backdoor

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Btw, winload level backdoors are also convenient for injecting arbitrary code into the VSM secure kernel running in VTL1 pic.twitter.com/GWPd8WGaoJ

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Also, this HvlpBelow1MbPage constant address thing might work for ASLR/NX bypass during exploitation of Hyper-V kernel vulnerabilities

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Made an interesting payload for my evil PCI-E device, VM exit handler backdoor for Hyper-V based on UEFI DXE driver: https://t.co/EdALr4RxlN pic.twitter.com/ZGxXsiaDWi

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 18, 2017

Hypervisor introspection from guest VM with the help of DIY Hyper-V backdoor from my previous tweets pic.twitter.com/7oolndxe2M

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 19, 2017

Injecting code into *secure* kernel running in *secure* mode on top of *secure* boot??? OMG, we totally need more of that secure stuff!!! https://t.co/3RXeEvyLB1

— Yuriy Bulygin (@c7zero) August 19, 2017

DmaHvBackdoor.c comments:

Part of UEFI DXE driver code that injects Hyper-V VM exit handler backdoor into the Device Guard enabled Windows 10 Enterprise. Execution starts from new_ExitBootServices() — a hook handler for EFI_BOOT_SERVICES.ExitBootServices() which being called by winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) by calling winload!HvlpTransferToHypervisor(). To transfer execution to Hyper-V winload.efi uses a special stub winload!HvlpLowMemoryStub() copied to reserved memory page at constant address 0x2000. During runtime phase this memory page is visible to hypervisor core at the same virtual and physical address and has executable permissions which makes it a perfect place to store our Hyper-V backdoor code. VMExitHandler() is a hook handler for VM exit function of hypervisor core, it might be used for interaction between hypervisor backdoor and guest virtual machines.

WordPress chokes on Github gist-based URLs, so click on initial Tweet above for URL. Or look for entry that matches date:

Microsoft Windows DMA Guard

August 6, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/aionescu/status/865955829177925632

The "DMA Guard" prototype is not a "feature" in RS3. Test hooks have bypasses by design, and it does, so don't depend on unpublished APIs.

— Jay (Jeremiah) Cox (@int0x6) August 6, 2017

https://twitter.com/aionescu/status/893975728957607936

Boot Guard, BIOS Guard, OS Guard… we're in a competition

— Jay (Jeremiah) Cox (@int0x6) August 5, 2017

[…] New Bitlocker features in Windows 10, version 1507:
* DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
[…]

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies

Intel Graphics Driver for Windows: DoS vulnerability

August 3, 2017 ~ hucktech ~ Leave a comment

Excerpt of advisory below, see full one for list of drivers impacted.

DoS in Kernel in multiple versions of the Intel Graphics Driver allows local attacker to perform a DoS via an Out of Bounds Read

Intel ID: INTEL-SA-00077
Product family: Mobile, Desktop, Server, Workstation, and Embedded processors based on Intel® Core™ and Atom™ Processors using an affected driver.
Impact of vulnerability: Denial of Service
Severity rating: Moderate
Original release: Jul 31, 2017
Last revised: Aug 01, 2017

Out-of-bounds read condition in older versions of some Intel® Graphics Driver for Windows code branches allows local users to perform a denial of service attack. Intel recommends that users download and upgrade to the latest supported driver. Intel would like to thank Enrique Nissim of IOActive for reporting this issue and working with us on a coordinated disclosure.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00077&languageid=en-fr

Microsoft launches Windows Bounty Program

July 26, 2017 ~ hucktech ~ Leave a comment

Microsoft bounties++! Hyper-V payouts increased up to $250k, WDAG focus area, & a baseline bounty for Windows 10 https://t.co/0ihNnP1xSl

— Matt Miller (@epakskape) July 26, 2017

Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

https://aka.ms/BugBounty

Microsoft Windows Defender ATP

June 27, 2017 ~ hucktech ~ Leave a comment

If you're a fan of EMET you'll definitely want to check out Windows Defender Exploit Guard: https://t.co/vJ4hwp8uyk https://t.co/zT61vQEwaw

— Matt Miller (@epakskape) June 27, 2017

What’s new in Windows Defender ATP Fall Creators Update:
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop attacks as they happen and before they have impact. This means that our service will expand beyond detection, investigation, and response, and will now allow companies to use the full power of the Windows security stack for preventative protection. The stack will be powered by our cloud-based security intelligence, which moves us from a world of isolated defenses to a smart, interconnected, and coordinated defense grid that is more intelligent, simple to manage, and ever-evolving. We will also provide a single pane of glass experience for security professionals. This means that security management (SecMgmt) teams can easily configure a broad set of Windows security stack technologies through an integrated configuration management experience. Security operations (SecOps) teams get full visibility into their Windows endpoint security and a rich toolset to take action using the Windows Defender ATP console. This will not only give companies a full picture of what’s happening on their endpoints, but will also put them in the driver seat to quickly react to threats as they happen. Leveraging our cloud-based security intelligence gives the optics, context, and tools that companies need to quickly investigate and remediate incidents. Here are some highlights of the Windows Fall Creators Update:[…]

https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/

https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Adaptiva Secure 10: BIOS to UEFI

June 22, 2017 ~ hucktech ~ Leave a comment

EXTRA EXTRA! Adaptiva Releases BIOS to UEFI Solution Update to Speed #Windows10 Migrations https://t.co/bEPGoxe2Bq #ConfigMgr #SCCM pic.twitter.com/t7GURPBCGX

— Adaptiva (@adaptiva) June 22, 2017

New registration-required freeware from Adaptiva:

Adaptiva’s free Secure 10 is a complete automation solution for ConfigMgr admins to make the BIOS to UEFI conversion process simple and unattended. With Secure 10, migrations take much less time and no IT staff need to be on-site during the process. Now including support for new MBR2GPT.exe tool for retaining data while making the switch, as well as ConfigMgr 1610+ WinPE boot image pre-staging. Also new: two complete task sequences to save time integrating into your deployments! […] The open solution includes detailed documentation to help SCCM system administrators overcome the complexities of automating the conversion from:

* BIOS to UEFI – Secure 10 automates the conversion process from the legacy BIOS firmware typically used in Windows 7/8 systems to the more powerful Unified Extensible Firmware Interface (UEFI) technology. UEFI is required to enable key enterprise security features available in Windows 10.

* MBR to GPT – Secure 10 now includes support for the MBR2GPT.exe tool, which helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). The new tool is the only Microsoft-supported tool to convert a production disk from MBR to GPT without data loss, greatly speeding in-place upgrades to Windows 10.

* WinPE Pre-staging – Microsoft recently introduced the capability to pre-stage a WinPE boot image to a partition from within an SCCM Task Sequence and have that image persist during the conversion from MBR to GPT. Secure 10 supports this capability for refresh/replace scenarios.

https://www.adaptiva.com/blog/2017/adaptiva-releases-bios-uefi-solution-update-speed-windows-10-migrations/

Mike on Windows Config Mgr and Secure Boot

June 12, 2017 ~ hucktech ~ Leave a comment

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

BIOS and Secure Boot State Detection during a Task Sequence Part 1

BIOS and Secure Boot State Detection during a Task Sequence Part 2

CreateUEFIBootableUSB

June 6, 2017 ~ hucktech ~ Leave a comment

If you use Windows and want a PowerShell script to help with boot USB drives, this might be useful for you.

https://github.com/yowko/CreateUEFIBootableUSB

Microsoft WinHEC Taipei 2017

June 2, 2017 ~ hucktech ~ Leave a comment

For developers and product planners, our next WinHEC workshop is June 14 -15 in Taipei. Check out details at https://t.co/UqEJQpc5T8

— WinHEC (@winhec) May 25, 2017

Welcome to WinHEC June 2017 Registration
The Windows Hardware Engineering Community (WinHEC) is where technical experts from around the world, and Microsoft, come together to make Windows great for every customer. Our next WinHEC event is June 14th and 15th in Taipei, Taiwan. The workshop will feature sessions and a lab for developers, product managers and planners to help prepare for Windows 10 S and to showcase the benefits of adopting key hardware features. Presentations will include: Introduction to Universal Drivers, Universal Developer Center for Hardware and Driver Servicing, Driver Flighting end-to-end, Windows Ink, Windows 10 Mixed Reality, Designing and Optimizing for Long Battery Life and Responsive Windows Devices, Windows Hello, and Developer Platform Updates. We will also have a guided, hands-on lab to explore and practice the concepts covered in the Introduction to Universal Driver session.

https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x19594336ecd