About unchecked management SMM & UEFI Vulnerability Patch About unchecked management Conclusion Bruno Pujos July 16, 2016 Bruno Pujos 1 / 45
Whoami About unchecked management SMM & UEFI Vulnerability Patch Conclusion Bruno Pujos RE, vulnerability research LSE 2015 Sogeti since Bruno Pujos 2 / 45
About unchecked management About unchecked management SMM & UEFI 1 SMM & UEFI UEFI Vulnerability Patch System Management Mode Conclusion Protections Vulnerabilities Vulnerability 2 Reverse Exploitation Patch 3 Conclusion 4 Bruno Pujos 3 / 45
Agenda About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities SMM & UEFI 1 Vulnerability UEFI Patch System Management Mode Conclusion Protections Vulnerabilities Bruno Pujos 4 / 45
Agenda About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities SMM & UEFI 1 Vulnerability UEFI Patch System Management Mode Conclusion Protections Vulnerabilities Bruno Pujos 5 / 45
UEFI About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities U nified E xtended FI rmware Vulnerability Patch UEFI is based on EFI Conclusion Specification for firmware development Replacing the B asic I nput / O utput S ystem (BIOS) Community e ff ort organized through a forum Bruno Pujos 6 / 45
Time line About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Vulnerability Patch Conclusion CDP : Columbia Data Product; PCH: Platform Controller Hub; ICH: I / O Controller Hub Bruno Pujos 7 / 45
UEFI specification stages About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Security (SEC) Phase Vulnerability Pre-EFI Initialization (PEI) Phase Patch Driver Execution Environment (DXE) Phase Conclusion Boot Device Selection (BDS) Phase Runtime (RT) Phase Afterlife (AL) Phase Bruno Pujos 8 / 45
Protocols About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Drivers communicate using protocols Vulnerability Patch Drivers can declare and requests protocols Conclusion Protocols are defined by GUID They exposed tables containing function pointers, variables, . . . Bruno Pujos 9 / 45
Agenda About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities SMM & UEFI 1 Vulnerability UEFI Patch System Management Mode Conclusion Protections Vulnerabilities Bruno Pujos 10 / 45
SMM About unchecked management SMM & UEFI UEFI System Management Mode Not a ring -2 but an Intel mode Protections Vulnerabilities Switch occurred when System Management Vulnerability Interrupt (SMI) Patch Conclusion Di ff erent address space (SMRAM) but located in physical memory Initialized by the firmware (UEFI) In charge to protect and modify the firmware Should be protected Bruno Pujos 11 / 45
System Management Mode About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Vulnerability Patch Conclusion Intel Modes Of Operation (Intel V.3 C.2 P.2) Bruno Pujos 12 / 45
SMRAM About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Vulnerability Patch Conclusion Bruno Pujos 13 / 45
SMM 101 About unchecked management SMM & UEFI UEFI Initialization System Management Mode Protections Vulnerabilities Can be before DXE Vulnerability Change SMBASE Patch Add basic handler Conclusion SMI handler SMI handlers are set mainly during the DXE phase SMI are often (only) triggered by the hardware SMI handlers are in long mode Bruno Pujos 14 / 45
SMM 101 About unchecked management SMM & UEFI SWSMI UEFI System Management Mode Protections SWSMI are SMI using the IOPort 0xb2 (Advanced Vulnerabilities Power Management Control) Vulnerability Patch Standard way to communicate with the UEFI Conclusion Arguments are passed through the registers mov dx, 0xB2 mov ax, SMINumber out dx, ax SMBASE SMBASE chosen by UEFI Must be known for exploitation Bruno Pujos 15 / 45
Agenda About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities SMM & UEFI 1 Vulnerability UEFI Patch System Management Mode Conclusion Protections Vulnerabilities Bruno Pujos 16 / 45
Locking mechanism About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Preventing corruption Vulnerability Root of trust: SPI Flash Patch Conclusion Specification say: if possible lock the flash Things to lock in reality: SPI Flash SMRAM Bruno Pujos 17 / 45
SPI Flash Protection About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Vulnerability Patch Conclusion Bruno Pujos 18 / 45
SMRAM Protection About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities Vulnerability Patch Conclusion Bruno Pujos 19 / 45
Agenda About unchecked management SMM & UEFI UEFI System Management Mode Protections Vulnerabilities SMM & UEFI 1 Vulnerability UEFI Patch System Management Mode Conclusion Protections Vulnerabilities Bruno Pujos 20 / 45
Vulnerabilities About unchecked management UEFI is ”huge” ( 300 ”drivers”) SMM & UEFI One fail and it is over UEFI System Management Mode Protections Main kind of vulnerabilities: memory corruption Vulnerabilities Vulnerability Almost no memory protection (ASLR, NX. . . ) Patch Conclusion Kinds of vulnerability ”Hardware” Configuration Software Possible targets SMM UEFI Bruno Pujos 21 / 45
SMM attacks About unchecked management Only at runtime SMM & UEFI UEFI System Management Mode Protections Kernel type vulnerabilities Vulnerabilities Vulnerability TOCTOU Patch dereference outside of SMM Conclusion NULL dereference . . . ”Hardware” type vulnerabilities Cache poisoning DMA write . . . Bruno Pujos 22 / 45
Agenda About unchecked management SMM & UEFI Vulnerability Reverse Exploitation Vulnerability Patch 2 Conclusion Reverse Exploitation Bruno Pujos 23 / 45
Agenda About unchecked management SMM & UEFI Vulnerability Reverse Exploitation Vulnerability Patch 2 Conclusion Reverse Exploitation Bruno Pujos 24 / 45
Target: the firmware About unchecked management SMM & UEFI Vulnerability Reverse Exploitation Dump the firmware from a ThinkCentre M92P Patch (9SKT91A) Conclusion Seems to use protocols from EDK (old Intel framework) Contain a lot of references to AMI Extracting the drivers (DXE & PEI) Bruno Pujos 25 / 45
Target: the driver About unchecked management SMM & UEFI Vulnerability Reverse Exploitation Patch Find a driver: SMIFlash.efi Conclusion Looks interesting because Flash and SMM Lets Reverse it! Disclaimer : All functions and variables names are mine. Bruno Pujos 26 / 45
SMIFlash.efi About unchecked management SMM & UEFI Vulnerability Step Reverse Exploitation Initialization Patch SWSMI handler Conclusion Initialization smm_main function Several variables and protocols recuperation Register SwSMI 0x20 to 0x25 with SwSMIDispatchFunction Bruno Pujos 27 / 45
SwSMIDispatchFunction About unchecked management SMM & UEFI Vulnerability Some initialization before a switch by SwSMI Reverse Exploitation Recuperate ECX and EBX from current context Patch Combine both for a pointer on a structure Conclusion ( smiflash_arg ) Structure is pass to some functions in the switch We will interest ourself only with the SwSMI 0x21 struct smiflash_arg { void *addr_buf; // 0x0 int32_t offset_bios; // 0x8 int32_t size; // 0xC char ret; // 0x10 }; Bruno Pujos 28 / 45
SwSMI handler 0x21 About unchecked management SMM & UEFI Simple SwSMI handler swsmi_handler21 Vulnerability Read from the SPI Flash ( ReadFlash )and write the Reverse Exploitation content into the bu ff er Patch addr_buf is the destination Conclusion offset_bios the reading o ff set size the size to read ret a return value Basically a memcpy from SPI Flash to memory struct smiflash_arg { void *addr_buf; // 0x0 int32_t offset_bios; // 0x8 int32_t size; // 0xC char ret; // 0x10 }; Bruno Pujos 29 / 45
Agenda About unchecked management SMM & UEFI Vulnerability Reverse Exploitation Vulnerability Patch 2 Conclusion Reverse Exploitation Bruno Pujos 30 / 45
Exploitation About unchecked management Goal Code execution in SMM SMM & UEFI Vulnerability Vulnerability Reverse Exploitation Patch addr_buf , offset_bios and size are user-control Conclusion There is no check on their value addr_buf is a physical address We can write in SMM where we want and whatever we want as long as it is in the Flash Not a real constraint: every possible byte is in the flash Possibility Write a shellcode Relocate the SMRAM Bruno Pujos 31 / 45
Recommend
More recommend
