Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The complexity of the firmware supply chain creates the potential for many security vulnerabilities. Additionally, the need to update things ONLY as an authenticated user is complicated in the context of firmware; cryptography is not always easy to do securely.

The vulnerability is within the USB Data handling code. The complexity of the code cannot be secure by design, as they have found 8 CVEs in this location in the past six years. The UsbRt API interface tends to take in pointers that are read, written to or do other things. In CVE-2017-5721, this exact problem was found.

The "patch" (bunny quotes) for this was to use a CRC on the data. Of course, an attacker can simply generate a valid CRC themselves to call this. As a result, the patch from the previous CVE was insufficient, which led to the ability to call arbitrary functions with arbitrary parameters. Yikes!

To prevent this type of bug from being used to, Intel added a protection to NOT allow code from outside of the SMRAM from being executed. This is done in order to prevent a class of vulnerabilities known as System Management Mode (SMM) call out. However, this protection can be bypassed by using a ROP chain, as detailed by Synactiv. The authors of the post claim that ROP chains are simple to create because of how the builds work on UEFI.

Overall, an interesting blog post in an area that most of us never get to look at. I wish the blog post had a lower level of entry, since many of the acronyms and previous research were unknown to me.