Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

When “secure” isn’t secure at all- 843

Martin Smolár - WeLiveSecurity, posted 3 years ago
  • UEFI is the modern boot manager used on a plethora of devices. A UEFI implementation has a few core concepts:
    • Boot and Runtime Services: the initial entry points for applications and drivers. They include protocol installation, memory allocation and more.
    • Variables: store various configuration data; each is made up of a name, a GUID and a value, with attributes controlling read and write access.
  • System Management Mode (SMM) is a highly privileged execution mode, commonly called ring -2. It is used for power management, special OEM code and secure firmware updates, and it has hardware-protected memory called SMRAM. To enter this mode, a special System Management Interrupt (SMI) is raised.
  • How are SMM interrupt handlers and Secure Boot protections protected? Two main things:
    • BIOS Control Registers: whether the BIOS region of flash can be written to or not.
    • Protected Range Registers (PR0-PR4): used for things such as controlling SPI flash writes to specific ranges, SMM code configuration and other things.
  • The vulnerabilities in the post are simple in concept but deep into the Secure Boot rabbit hole. The first and second bugs are access-control problems: by setting UEFI variables to specific values, security features can be entirely disabled at boot. For instance, the driver SecureBackDoorPeim checks whether a variable named cE! is set and, if it is, bypasses all checks. Yikes!
  • The final vulnerability was an SMM issue. Each SMI is dispatched to a specific handler function, so of course these handlers must be secure when taking input from the user. One of the handlers has a built-in read/write primitive; by abusing it, the entire contents of SMRAM can be read or written, or the SPI flash can be written to.
  • Overall, this write-up was quite thorough in describing the bugs, how they were found and the background on these issues. The bugs themselves were quite simple, but I loved the context behind them.
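The variable concept above (name, GUID, value, attributes) and the "set a variable to disable a security feature" bug class are easiest to understand by decoding real variables. The script below is an added example of mine, not code from the article or from ESET; it parses UEFI variables in the layout Linux efivarfs exposes them (an assumption: each file under /sys/firmware/efi/efivars/ is named NAME-GUID and holds a 4-byte little-endian attribute word followed by the data), decodes the EFI_VARIABLE_* attribute bits from the UEFI specification, and reports whether a variable can be written from the OS without authentication. The sample entries are constructed; the SecureBoot GUID is the standard EFI_GLOBAL_VARIABLE GUID, while the GUID on the cE! entry is a placeholder because the summary does not give it. The helper names (`parse_efivar`, `audit`) are mine.

```python
"""Decode UEFI variables as Linux efivarfs exposes them and flag risky ones.

Added example, not from the article. Assumed efivarfs layout: file name is
NAME-GUID, contents are a 4-byte little-endian attribute word then the data.
"""
import os
import struct
from dataclasses import dataclass

EFIVARS_DIR = "/sys/firmware/efi/efivars"

# EFI_VARIABLE_* attribute bits as defined in the UEFI specification.
ATTRIBUTE_BITS = {
    0x00000001: "NON_VOLATILE",
    0x00000002: "BOOTSERVICE_ACCESS",
    0x00000004: "RUNTIME_ACCESS",
    0x00000008: "HARDWARE_ERROR_RECORD",
    0x00000010: "AUTHENTICATED_WRITE_ACCESS",
    0x00000020: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x00000040: "APPEND_WRITE",
}
RUNTIME_ACCESS = 0x00000004
AUTHENTICATED_WRITE = 0x00000010 | 0x00000020


@dataclass
class EfiVariable:
    name: str
    guid: str
    attributes: int
    data: bytes

    def attribute_names(self):
        names = [label for bit, label in ATTRIBUTE_BITS.items() if self.attributes & bit]
        unknown = self.attributes & ~sum(ATTRIBUTE_BITS)
        if unknown:
            names.append(f"UNKNOWN(0x{unknown:x})")
        return names

    def runtime_writable(self):
        """True when the OS can set the variable with no signature: RUNTIME_ACCESS
        is set and neither authenticated-write attribute is present."""
        return bool(self.attributes & RUNTIME_ACCESS) and not (self.attributes & AUTHENTICATED_WRITE)


def parse_efivar(filename, raw):
    """Split a NAME-GUID file name and the attribute header from the data."""
    # A GUID is 36 characters and the name may itself contain '-', so cut from the right.
    if len(filename) < 38 or filename[-37] != "-":
        raise ValueError(f"not a NAME-GUID file name: {filename!r}")
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attributes,) = struct.unpack_from("<I", raw, 0)
    return EfiVariable(filename[:-37], filename[-36:], attributes, raw[4:])


def audit(variables):
    """Return findings a defender cares about: Secure Boot off, or the
    SecureBackDoorPeim trigger variable 'cE!' being present at all."""
    findings = []
    for var in variables:
        if var.name == "SecureBoot" and var.data[:1] != b"\x01":
            findings.append("SecureBoot variable reports Secure Boot disabled")
        if var.name == "cE!":
            mode = "runtime-writable" if var.runtime_writable() else "not runtime-writable"
            findings.append(f"backdoor-style variable 'cE!' present ({mode}), GUID {var.guid}")
    return findings


def load_efivarfs(directory=EFIVARS_DIR):
    """Read every variable from efivarfs; returns [] when it is not mounted."""
    variables = []
    if not os.path.isdir(directory):
        return variables
    for filename in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, filename), "rb") as fh:
                variables.append(parse_efivar(filename, fh.read()))
        except (OSError, ValueError):
            continue  # unreadable or oddly named entries are skipped, not fatal
    return variables


# Constructed sample entries (not captured from hardware). The cE! GUID is a
# placeholder: the article summary above does not give the real one.
SAMPLE_ENTRIES = {
    "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c": b"\x06\x00\x00\x00\x01",
    "cE!-00000000-0000-0000-0000-000000000000": b"\x07\x00\x00\x00\x01",
}


def audit_sample():
    return audit([parse_efivar(name, raw) for name, raw in SAMPLE_ENTRIES.items()])


if __name__ == "__main__":
    found = load_efivarfs() or [parse_efivar(n, r) for n, r in SAMPLE_ENTRIES.items()]
    for var in found:
        print(f"{var.name:<32} {var.guid}  {','.join(var.attribute_names())}  {len(var.data)} bytes")
    for finding in audit(found):
        print("FINDING:", finding)
```

On a Linux host the script walks the live efivarfs; elsewhere it falls back to the constructed entries so the attribute decoding and the audit can still be exercised.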
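The two flash-protection mechanisms named above (the BIOS control register and the PR0-PR4 protected ranges) are what a firmware auditor reads first when checking whether SMRAM and Secure Boot configuration can be tampered with from the OS. The following decoder is an added example of mine, not code from the article; it uses the BIOS_CNTL bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and the PRx layout (base in bits 12:0, read-protect bit 15, limit in bits 28:16, write-protect bit 31, base and limit being address bits 24:12) as documented for Intel PCH SPI controllers by tools such as chipsec; confirm them against the datasheet for your platform. The register values are constructed, not read from a real machine, and the names `decode_pr`, `bios_cntl_status` and `write_protected` are mine.

```python
"""Decode SPI flash write-protection registers: BIOS_CNTL and PR0-PR4.

Added example, not from the article. Bit layouts are the Intel PCH ones as
documented by chipsec; values below are constructed, not read from hardware.
"""
from dataclasses import dataclass

# BIOS_CNTL bits (assumed Intel PCH layout).
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = writes to the BIOS region allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE triggers an SMI so SMM can clear it again
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: region writable only while the CPU is in SMM

PR_FIELD_MASK = 0x1FFF  # 13-bit base and limit fields, each holding address bits 24:12


@dataclass
class ProtectedRange:
    index: int
    base: int
    limit: int
    write_protect: bool
    read_protect: bool

    def covers(self, address):
        return self.base <= address <= self.limit


def decode_pr(index, value):
    """PRx: bits 12:0 base, bit 15 RPE, bits 28:16 limit, bit 31 WPE."""
    base = (value & PR_FIELD_MASK) << 12
    limit = (((value >> 16) & PR_FIELD_MASK) << 12) | 0xFFF  # limit is inclusive of its 4 KiB page
    return ProtectedRange(
        index=index,
        base=base,
        limit=limit,
        write_protect=bool(value & (1 << 31)),
        read_protect=bool(value & (1 << 15)),
    )


def bios_cntl_status(value):
    """Classify the BIOS region lock state from BIOS_CNTL."""
    if value & BIOSWE:
        return "writable: BIOSWE set, BIOS region writes allowed"
    if value & BLE and value & SMM_BWP:
        return "locked: BLE and SMM_BWP set, only SMM code can write the BIOS region"
    if value & BLE:
        return "partially locked: BLE set but SMM_BWP clear"
    return "unlocked: BIOSWE clear but no lock bit prevents setting it"


def write_protected(ranges, address):
    """True when some enabled PR register write-protects the given flash address."""
    return any(r.write_protect and r.covers(address) for r in ranges)


def flash_report(bios_cntl, pr_values, flash_size):
    """Summarise the protection state of a flash part of flash_size bytes."""
    ranges = [decode_pr(i, v) for i, v in enumerate(pr_values)]
    protected = [r for r in ranges if r.write_protect and r.base < flash_size]
    covered = sum(min(r.limit, flash_size - 1) - r.base + 1 for r in protected)
    return {
        "bios_cntl": bios_cntl_status(bios_cntl),
        "write_protected_ranges": [(r.index, r.base, r.limit) for r in protected],
        "write_protected_bytes": covered,
        "flash_size": flash_size,
    }


# Constructed sample: BLE + SMM_BWP set, BIOSWE clear; PR0 write-protects the top
# 4 MiB (0xC00000-0xFFFFFF) of a 16 MiB part; PR1-PR4 unused.
SAMPLE_BIOS_CNTL = 0x22
SAMPLE_PR = [0x8FFF0C00, 0, 0, 0, 0]
SAMPLE_FLASH_SIZE = 16 * 1024 * 1024


def report_sample():
    return flash_report(SAMPLE_BIOS_CNTL, SAMPLE_PR, SAMPLE_FLASH_SIZE)


if __name__ == "__main__":
    rep = report_sample()
    print(rep["bios_cntl"])
    for idx, base, limit in rep["write_protected_ranges"]:
        print(f"PR{idx}: write-protected 0x{base:06x}-0x{limit:06x}")
    print(f"{rep['write_protected_bytes']} of {rep['flash_size']} bytes write-protected")
```

The useful reading of the report is the gap, not the lock: a BIOS_CNTL that says "locked" still leaves any flash range outside the write-protected PRs reachable by a sufficiently privileged attacker, which is why the SMI handler bug in the article mattered even on machines with the lock bits set.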