lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 15 Aug 2015 20:06:29 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: Kevin Beaumont <kevin.beaumont@...il.com>,
  bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

On 12 August 2015 at 18:33, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
> "Kevin Beaumont" <kevin.beaumont@...il.com> wrote:
>
> [...]
>
>> Microsoft documented a feature in Windows 8 and above called Windows
>> Platform Binary Table.
>
> Cf. <http://www.acpi.info/links.htm> where WPBT is linked to
> <http://go.microsoft.com/fwlink/p/?LinkId=234840> alias
> <https://msdn.microsoft.com/en-US/library/windows/hardware/dn550976>
>
>> Up until two days ago, this was a single Word
>> document not referenced elsewhere on Google:
>>
>>
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>>
>> This feature allows a BIOS to deliver the payload of an executable,
>> which is run in memory, silently, each time a system is booted.  The
>> executable code is run under under Session Manager context (i.e.
>> SYSTEM).
>
> This sort of feature is NOT new: with Windows 2003 Microsoft introduced
> the loading of "virtual OEM device drivers" during Windows setup, see
> <https://support.microsoft.com/en-us/kb/896453>
>
> AFAIK at least HP and Dell used this method to deploy [F6] drivers
> embedded in their BIOS.
>
> [...]
>
> stay tuned
> Stefan Kanthak
>

One more reason to use Linux, although it sucks to have BIOS level
backdoors like this.
Looks like Lenovo issued updates for the affected systems, and
thankfully no (business) Thinkpads are affected:
https://support.lenovo.com/us/en/product_security/lse_bios_notebook

Regards,
Pedro

Powered by blists - more mailing lists