lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 19:45:56 +0100
From: Kevin Beaumont <kevin.beaumont@...il.com>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

Hi - just with regards to this, the issue of Windows Server 2003
allowing driver injection is only during initial Windows setup.  Just
to be clear the issue I was highlighting is a different beast, as it
is every boot, with file system mounted.

On 12 August 2015 at 18:33, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
> "Kevin Beaumont" <kevin.beaumont@...il.com> wrote:
>
> [...]
>
>> Microsoft documented a feature in Windows 8 and above called Windows
>> Platform Binary Table.
>
> Cf. <http://www.acpi.info/links.htm> where WPBT is linked to
> <http://go.microsoft.com/fwlink/p/?LinkId=234840> alias
> <https://msdn.microsoft.com/en-US/library/windows/hardware/dn550976>
>
>> Up until two days ago, this was a single Word
>> document not referenced elsewhere on Google:
>>
>>
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>>
>> This feature allows a BIOS to deliver the payload of an executable,
>> which is run in memory, silently, each time a system is booted.  The
>> executable code is run under under Session Manager context (i.e.
>> SYSTEM).
>
> This sort of feature is NOT new: with Windows 2003 Microsoft introduced
> the loading of "virtual OEM device drivers" during Windows setup, see
> <https://support.microsoft.com/en-us/kb/896453>
>
> AFAIK at least HP and Dell used this method to deploy [F6] drivers
> embedded in their BIOS.
>
> [...]
>
> stay tuned
> Stefan Kanthak
>

Powered by blists - more mailing lists