lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADxeqvCmF-LpL+bDUX=meigKUV+v_QmdJcXFY2uUcgqyjihfhg@mail.gmail.com>
Date: Thu, 13 Aug 2015 19:44:30 +0100
From: Kevin Beaumont <kevin.beaumont@...il.com>
To: Jerome Athias <athiasjerome@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

Hi - just with regards to this, the CERT advisory is for a slightly
different issue.  The software Lenovo were delivering in this case has
known security issues (including updating purely over http)..

But it just goes to show, bundling software into the BIOS/UEFI
firmware can go wrong, pretty much as soon as the issue is
highlighted.

On 13 August 2015 at 07:47, Jerome Athias <athiasjerome@...il.com> wrote:
> Some more info
>
> https://www.us-cert.gov/ncas/current-activity/2015/08/12/Lenovo-Service-Engine-LSE-BIOS-Vulnerability
>
>
> 2015-08-12 14:44 GMT+03:00 Kevin Beaumont <kevin.beaumont@...il.com>:
>> PRECURSOR
>>
>> There will be debate about if this is a vulnerability.  It affects a
>> majority of user PCs -- including all Enterprise editions of Windows,
>> there is no way to disable it, and allows direct code execution into
>> secure boot sequences.  I believe it is worth discussing.
>>
>> SCOPE
>>
>> Microsoft documented a feature in Windows 8 and above called Windows
>> Platform Binary Table.  Up until two days ago, this was a single Word
>> document not referenced elsewhere on Google:
>>
>>  http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>>
>> This feature allows a BIOS to deliver the payload of an executable,
>> which is run in memory, silently, each time a system is booted.  The
>> executable code is run under under Session Manager context (i.e.
>> SYSTEM).
>>
>> This technique is being used by Lenovo and HP to silently deliver
>> software, even after systems are completely wiped.  This issue came to
>> light in this forum thread:
>> http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819
>>
>> Additionally, the code is injected and executed in Windows after the
>> Windows kernel has booted - meaning hard drives are accessible.  In a
>> HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
>> 18 - they reference they use Windows Platform Binary Table to inject
>> their code into encrypted systems (e.g. BitLocker) (!!!!).
>>
>> MITIGATIONS
>>
>> It is not possible to disable this functionality.  If you can gain
>> access to the BIOS, you can inject code into the Windows boot sequence
>> using the documentation linked above.  The BIOS delivered PE code is
>> not countersigned by Microsoft.
>>
>> Microsoft say: "If partners intentionally or unintentionally introduce
>> malware or unwanted software though the WPBT, Microsoft may remove
>> such software through the use of antimalware software.  Software that
>> is determined to be malicious may be subject to immediate removal
>> without notice."
>>
>> However, you are relying on Microsoft being aware of attacks.  Since
>> the code is executed in memory and not written to disk prior to
>> activation, Windows Defender does not even scan the executed code.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ