[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] Zero-day vulnerability - system management mode arbitrar
|
From: |
Duncan Guthrie |
|
Subject: |
Re: [Libreboot] Zero-day vulnerability - system management mode arbitrary code execution |
|
Date: |
Thu, 07 Jul 2016 13:47:31 +0100 |
|
User-agent: |
K-9 Mail for Android |
Hi all,
The program provided is a UEFI application (and the X200 does not have UEFI
BIOS firmware) but you can convert the script to run in the shell, one
suspects. It's probably most valuable for getting round SPI flash chip locks,
but the problem is that since we can do this malicious software can do it too,
and probably has been done already. Someone who can run code in userspace,
perhaps gained through vulnerabilities in the browser (Firefox perhaps) and
then with a root permission escalation vulnerability in the kernel, could then
give you the ultimate rootkit in the BIOS, that re-infects the "clean"
operating system. Then they can scan for private keys in memory and do all
sorts of crap, and mount keyloggers and botnets; creepy stuff, this. It seems
security through isolation (Xen hypervisor, as in Qubes OS), microkernels and
free hardware without BIOS is the way forward.
Is there a way of permanently grounding the flash chip (as opposed to the SPI
lock, which can be skipped with the Lenovo BIOS update software and anyone who
knows how) so that only someone with physical access can modify the chip?
Thanks,
D.
On 7 July 2016 06:10:28 BST, Robin Vobruba <address@hidden> wrote:
>that would be very cool!
>(writing just to you here)
>i also have an x200 with lenovo BIOS, so if you manage to do it, and
>post the instructions, i would try it too.
>good luck!
>
>2016-07-06 2:34 GMT+02:00, Duncan Guthrie <address@hidden>:
>> Hi all,
>> All right, reading the article, it seems one of the given exploits
>can
>> disable SPI flash write-protection mechanisms. This might mean that
>we can
>> install Libreboot/Coreboot without an external flash tool on systems
>with
>> proprietary BIOS.
>> I will read it more carefully, and test this on my Lenovo X200, which
>has
>> proprietary BIOS installed. If it doesn't work one suspects it will
>just
>> refuse access to me. If it does, this is very useful, even if the
>rest of
>> the exploits don't remove ME from recent models.
>> Hope this helps anyone,
>> D.
>>
>> On 6 July 2016 00:52:11 BST, Duncan Guthrie <address@hidden>
>wrote:
>>>Hi all,
>>>Poking around the internet, I happened upon this page:
>>>https://github.com/Cr4sh/ThinkPwn
>>>This is an exploit for System Management Mode of Intel x86 CPUs,
>tested
>>>on a number of recent models, including Lenovo ThinkPads, and tested
>on
>>>some other models including an HP Pavilion laptop. This suggests that
>>>this vulnerability exists in a wide range of recent Intel hardware.
>The
>>>page links to this extensive blog post:
>>>http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
>>>What excites me about this is that as we are running code at such a
>low
>>>level, we might in theory be able to bypass the Intel ME signature
>>>checking and similar "protections", and run unsigned BIOS software.
>>>This would be great for Libreboot.
>>>Can anyone else comment on this? I am quite excited at the potential
>of
>>>this, especially as it seems to be able to target many new models of
>>>Intel hardware, perhaps even Intel hardware produced this year, as
>>>Intel, as far as I know, didn't introduce any major design changes
>for
>>>a long time as they did not need to.
>>>Thanks,
>>>D.
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>