Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM

ronjor · Mar 20, 2015

Original Release date: 20 Mar 2015 | Last revised: 20 Mar 2015

Description

Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM. According to Corey Kallenberg of LegbaCore:
Click to expand...

http://www.kb.cert.org/vuls/id/631788

Gullible Jones · Mar 20, 2015

Ouch ouch ouch.

A local, authenticated attacker may be able to execute arbitrary code in the context of SMM and bypass Secure Boot. In systems that do not use protected range registers, an attacker may be able to reflash firmware.
Click to expand...

This means that, on a vulnerable computer, an attacker with access to userspace memory may be able to completely bypass OS security.

I'm hoping this attack is not easy to pull off; if it is, older hardware that uses BIOS may become a liability. Which makes me rather unhappy, because I like reusing BIOS-era machines.

ronjor · Mar 21, 2015

Hacking BIOS Chips Isn’t Just the NSA’s Domain Anymore

Kim Zetter Security 03.20.15
The ability to hack the BIOS chip at the heart of every computer is no longer reserved for the NSA and other three-letter agencies. Millions of machines contain basic BIOS vulnerabilities that let anyone with moderately sophisticated hacking skills compromise and control a system surreptitiously, according to two researchers.
Click to expand...

http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/

Gullible Jones · Mar 21, 2015

Just wonderful. Glad my main workstation uses EFI. As for the rest, well, now might be a good time to stock up on cheap ARM boards...

wat0114 · Mar 21, 2015

No concerns whatsoever on my end, even with my older hardware. Anyone breaking into my home will most likely be some junkie looking to steal and pawn off whatever possible to address his next fix. I've got literally nothing of value to anyone, especially Government or law enforcement agencies stored on my computers.

As for the phishing vector, I don't fall for those.

Veeshush · Mar 21, 2015

I've been wondering about UEFI BIOSes myself for a while now, sure they look and work great, but an uEFI BIOS is an OS on its own, and as such rather vulnerable. At the security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments.

An unpatched BIOS can easily be infected with malware or a virus. Motherboards from companies like Gigabyte, Acer, MSI, HP and Asus are at risk, especially if you are not updating your BIOS on a regular basis towards the latest revision (and let's be frank here, who does ?).

As betanews writes the following on the topic, Introducing the vulnerability, Kallenberg and Kovah said:

So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a ****

The malware can be used to infect huge numbers of systems by creating SMM (System Management Mode) implants which can be tailored to individual BIOSes with simple pattern matching. A BIOS from Gigabyte was found to be particularly insecure.

We didn't even have to do anything special; we just had a kernel driver write an invalid instruction to the first instruction the CPU reads off the flash chip, and bam, it was out for the count, and never was able to boot again.

The vunerability is something that has already been exploited by the NSA, but the researchers are encouraging businesses and governments to take the time to install BIOS patches that plug the security hole.
Click to expand...

http://www.guru3d.com/news-story/lighteater-malware-attacks-uefi-bioses.html

http://betanews.com/2015/03/21/ligh...-places-millions-of-unpatched-bioses-at-risk/

Gullible Jones · Mar 21, 2015

@wat0114: "local, authenticated attacker" also includes a remote attacker with access to a local program's memory space, and the privileges of a local user. Mandatory access control might contain it. A limited user account would provide no protection.

(And we've been over this at least a few times.)

wat0114 · Mar 21, 2015

Gullible Jones said: ↑

@wat0114:

(And we've been over this at least a few times.)
Click to expand...

Yes, I know. Still no concern of mine. My flat screen tv's will fetch greater value than anything my computers have to offer, including the data that resides on them.

lotuseclat79 · Mar 23, 2015

'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think.

The Snowden leaks have taught us much about the tactics employed by the NSA and GCHQ, from brazen malware attacks to more esoteric dark arts, such as infecting low-level pieces of computer code. Correspondingly, research into more surreptitious activities targeting the guts of modern systems has often been overshadowed by studies of more obvious attacks. Yet such high-tech techniques pose a more severe risk. They can, for instance, allow agencies to spy on Tails, the Linux-based secure operating system favored by Snowden. And they’re not as difficult to exercise as many would imagine. They can totally obliterate the privacy of even the most careful computer user.

That will be the message of Corey Kallenberg and Xeno Kovah when they present research on easy-to-find BIOS-level vulnerabilities at the CanSecWest conference in Vancouver this week.
Click to expand...

-- Tom

lotuseclat79 · Mar 23, 2015

Automating remote BIOS attacks

Legbacore's upcoming "digital voodoo" presentation will reveal an automated means of discovering BIOS defects that are vulnerable to remote attacks, meaning that your computer can be compromised below the level of the OS by attackers who do not have physical access to it.
Click to expand...

-- Tom

142395 · Mar 24, 2015

lotuseclat79 said: ↑

Automating remote BIOS attacks
Click to expand...

The article doesn't gives much details, but it just means they can search for what BIOS you use and if they want to attack BIOS still they need to intrude by other remote exploit, right?

Gullible Jones · Mar 24, 2015

@lotuseclat79: ... And I have to ask: is it really too much to keep a lid on this until some countermeasures are developed? I mean, I know putting it out there will put pressure on hardware manufacturers, etc. but in the mean time we might start seeing BIOS exploits in the wild, which would be a serious problem for everyone. Do we really need that? Is it really helpful for everyone and their script kiddie cousin to know how to bypass all OS security on x86?

Yeah, sometimes I have serious misgivings about the way some security researchers work.

@142395: Possibly. There are already BIOS-level backdoors (c.f. LoJack Computrace) that could provide access on some machines to start with. Even failing that, exploits against desktop client programs are a dime a dozen.

142395 · Mar 25, 2015

Gullible Jones said: ↑

@142395: Possibly. There are already BIOS-level backdoors (c.f. LoJack Computrace) that could provide access on some machines to start with. Even failing that, exploits against desktop client programs are a dime a dozen.
Click to expand...

Well, I too know some actual BIOS rootkits, but I thought they need intrusion by other way. But I'm not sure if remote BIOS exploit is possible.

Log in or Sign up

Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM

ronjor Global Moderator

Gullible Jones Registered Member

ronjor Global Moderator

Gullible Jones Registered Member

wat0114 Registered Member

Veeshush Registered Member

Gullible Jones Registered Member

wat0114 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

142395 Guest

Gullible Jones Registered Member

142395 Guest

Log in or Sign up

Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM

ronjor Global Moderator

Gullible Jones Registered Member

ronjor Global Moderator

Gullible Jones Registered Member

wat0114 Registered Member

Veeshush Registered Member

Gullible Jones Registered Member

wat0114 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

142395 Guest

Gullible Jones Registered Member

142395 Guest

Useful Searches