[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Libreboot] Zero-day vulnerability - system management mode arbitrar

From: Duncan Guthrie
Subject: Re: [Libreboot] Zero-day vulnerability - system management mode arbitrary code execution
Date: Thu, 07 Jul 2016 13:47:31 +0100
User-agent: K-9 Mail for Android

Hi all,
The program provided is a UEFI application (and the X200 does not have UEFI 
BIOS firmware) but you can convert the script to run in the shell, one 
suspects. It's probably most valuable for getting round SPI flash chip locks, 
but the problem is that since we can do this malicious software can do it too, 
and probably has been done already. Someone who can run code in userspace, 
perhaps gained through vulnerabilities in the browser (Firefox perhaps) and 
then with a root permission escalation vulnerability in the kernel, could then 
give you the ultimate rootkit in the BIOS, that re-infects the "clean" 
operating system. Then they can scan for private keys in memory and do all 
sorts of crap, and mount keyloggers and botnets; creepy stuff, this. It seems 
security through isolation (Xen hypervisor, as in Qubes OS), microkernels and 
free hardware without BIOS is the way forward.

Is there a way of permanently grounding the flash chip (as opposed to the SPI 
lock, which can be skipped with the Lenovo BIOS update software and anyone who 
knows how) so that only someone with physical access can modify the chip?


On 7 July 2016 06:10:28 BST, Robin Vobruba <address@hidden> wrote:
>that would be very cool!
>(writing just to you here)
>i also have an x200 with lenovo BIOS, so if you manage to do it, and
>post the instructions, i would try it too.
>good luck!
>2016-07-06 2:34 GMT+02:00, Duncan Guthrie <address@hidden>:
>> Hi all,
>> All right, reading the article, it seems one of the given exploits
>> disable SPI flash write-protection mechanisms. This might mean that
>we can
>> install Libreboot/Coreboot without an external flash tool on systems
>> proprietary BIOS.
>> I will read it more carefully, and test this on my Lenovo X200, which
>> proprietary BIOS installed. If it doesn't work one suspects it will
>> refuse access to me. If it does, this is very useful, even if the
>rest of
>> the exploits don't remove ME from recent models.
>> Hope this helps anyone,
>> D.
>> On 6 July 2016 00:52:11 BST, Duncan Guthrie <address@hidden>
>>>Hi all,
>>>Poking around the internet, I happened upon this page:
>>>This is an exploit for System Management Mode of Intel x86 CPUs,
>>>on a number of recent models, including Lenovo ThinkPads, and tested
>>>some other models including an HP Pavilion laptop. This suggests that
>>>this vulnerability exists in a wide range of recent Intel hardware.
>>>page links to this extensive blog post:
>>>What excites me about this is that as we are running code at such a
>>>level, we might in theory be able to bypass the Intel ME signature
>>>checking and similar "protections", and run unsigned BIOS software.
>>>This would be great for Libreboot.
>>>Can anyone else comment on this? I am quite excited at the potential
>>>this, especially as it seems to be able to target many new models of
>>>Intel hardware, perhaps even Intel hardware produced this year, as
>>>Intel, as far as I know, didn't introduce any major design changes
>>>a long time as they did not need to.
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]