lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <02a401cd5887$61484d50$23d8e7f0$@com>
Date: Mon, 2 Jul 2012 14:17:53 -0500
From: "Adam Behnke" <adam@...osecinstitute.com>
To: <bugtraq@...urityfocus.com>
Subject: Malicious Code Execution in PCI Expansion ROM

The malicious code in x86/x64 firmware can potentially reside in many
places. One of them is in the PCI expansion ROM. In the past, the small
amount of memory during PCI expansion ROM execution acted as a hindrance to
malicious code. The limited space for code and data limited the possible
tasks that could be carried out by such malicious codes. However, this
article explains how a malicious PCI expansion ROM might exploit a
little-known BIOS memory management interface to break through the memory
"barrier," thus creating a potentially more complex threat. The discussion
in this article is limited to PCI expansion ROM conforming to PCI firmware
revision 3.1 specification.

This newly "discovered" larger memory footprint enables a malware creator to
place (at least) a simple file system infector inside the PCI expansion ROM
(a compressed one). During PCI expansion ROM execution, the compressed file
system infector could have the memory it requires through memory allocation
with the PMM functions, provided that the BIOS implemented PMM-which is most
likely the case in the last 3 to 5 years. Another issue is that a malware
creator might abuse the presence of the "permanent" memory allocated for PCI
expansion ROM through the pmmAllocate() function by using the permanent
memory flag during the call to pmmAllocate().Additionally, a rogue but
simple network "interceptor" code might be possible given the jump in the
memory footprint, and if the interceptor hides in the "permanent" memory, it
could be troublesome.

View here: http://resources.infosecinstitute.com/pci-expansion-rom/ to read
the full article and walkthrough at InfoSec Institute. 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ