lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Aug 2015 09:47:26 +0300 From: Jerome Athias <athiasjerome@...il.com> To: Kevin Beaumont <kevin.beaumont@...il.com> Cc: bugtraq@...urityfocus.com Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Some more info https://www.us-cert.gov/ncas/current-activity/2015/08/12/Lenovo-Service-Engine-LSE-BIOS-Vulnerability 2015-08-12 14:44 GMT+03:00 Kevin Beaumont <kevin.beaumont@...il.com>: > PRECURSOR > > There will be debate about if this is a vulnerability. It affects a > majority of user PCs -- including all Enterprise editions of Windows, > there is no way to disable it, and allows direct code execution into > secure boot sequences. I believe it is worth discussing. > > SCOPE > > Microsoft documented a feature in Windows 8 and above called Windows > Platform Binary Table. Up until two days ago, this was a single Word > document not referenced elsewhere on Google: > > http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us > > This feature allows a BIOS to deliver the payload of an executable, > which is run in memory, silently, each time a system is booted. The > executable code is run under under Session Manager context (i.e. > SYSTEM). > > This technique is being used by Lenovo and HP to silently deliver > software, even after systems are completely wiped. This issue came to > light in this forum thread: > http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819 > > Additionally, the code is injected and executed in Windows after the > Windows kernel has booted - meaning hard drives are accessible. In a > HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page > 18 - they reference they use Windows Platform Binary Table to inject > their code into encrypted systems (e.g. BitLocker) (!!!!). > > MITIGATIONS > > It is not possible to disable this functionality. If you can gain > access to the BIOS, you can inject code into the Windows boot sequence > using the documentation linked above. The BIOS delivered PE code is > not countersigned by Microsoft. > > Microsoft say: "If partners intentionally or unintentionally introduce > malware or unwanted software though the WPBT, Microsoft may remove > such software through the use of antimalware software. Software that > is determined to be malicious may be subject to immediate removal > without notice." > > However, you are relying on Microsoft being aware of attacks. Since > the code is executed in memory and not written to disk prior to > activation, Windows Defender does not even scan the executed code.
Powered by blists - more mailing lists