
HITB 2013: New Operational Features and UEFI-bootkits

It is hardly worth reminding anyone that HITB is one of the best-known conferences for security experts. This year it took place in Amsterdam, the Netherlands, at the Hotel Okura. The official conference Twitter account is https://twitter.com/HITBSecConf . Besides interesting talks by the speakers, this year's conference included several days of training devoted to the very popular topic of exploitation: the design of demo exploits, shellcode, heap spraying, ROP and more. We want to tell you about some of the interesting talks from this conference.



The cost of the two days of training was 1499 EUR, and the program is really impressive.
One of the talks was presented by Nikita Tarakanov (NTarakanov). It is devoted to exploitation of the kernel pool, and for this purpose it uses a flaw that is present in all versions of NT, starting from 4.0 and ending with NT 6.2 (Windows 8, Blue).

Note that the work of Tarjei Mandt (aka kernelpool), “Kernel Pool Exploitation on Windows 7”, has long been one of the best-known works on the topic of kernel pool exploitation. Nikita refers to this work in his talk, as well as to the work of Zhenhua Liu, who presented his research at Black Hat Europe '13.

The kernel pool allocator plays a significant role here. Starting with Windows 7, Microsoft began hardening the kernel pool allocator, so it differs somewhat from earlier versions. In Windows 8, Microsoft went further and mitigated the known kernel pool corruption techniques. The talk presents the author's own technique.

You can download the materials here [zip: PDF + PPT].



Another interesting talk, “Dreamboot: A UEFI Bootkit”, was given by Sebastien Kaczmarek. It must be said that it is very timely: the community has long discussed possible bootkits for the modern BIOS replacement, UEFI, and some speakers even named 2013 as the year they would appear; apparently they were not mistaken. The slides are available here.

UEFI is a joint industry effort originally driven by Intel; it is the firmware layer interposed between the hardware and the operating system, replacing the legacy BIOS.

The talk presents Dreamboot, a UEFI bootkit for Windows 8 x64. Dreamboot has two specific payloads: privilege escalation and Windows local authentication bypass. It is delivered through a physical attack vector (a bootable DVD or USB device). It is also fully functional in virtualized environments such as VMware Workstation or ESX.

The talk also covers the specifics of UEFI platforms and the associated security risks, which are what make booting such a bootkit possible.

Note that not so long ago the source code of AMI's UEFI firmware leaked, and it contained a private test signing key.



The source code also contained detailed explanatory comments on the functions, which can speed up and deepen the understanding of how the firmware code operates.

Especially for this post, experts specializing in the analysis of complex threats commented on the topic of UEFI and bootkits.

Aleksandr Matrosov [ESET Senior Security Researcher & Team Lead]:
The most common way to bypass digital signature verification for kernel modules during the OS boot process is to use bootkit functionality. I have already covered in my publications the technologies that are used to modify the MBR or VBR. But the increasing penetration of Win8 and SecureBoot's trusted boot technology has only spurred security researchers to focus in a different direction. Just yesterday, another bootkit concept for UEFI, DreamBoot, appeared, which comes in source code and is publicly available. Unlike the variety of BIOS implementations, there is a generally accessible standard for UEFI that developers try to adhere to. And if in the case of BIOS modifications for mass attacks there was a question of compatibility of the developed extension modules, then for UEFI everything is standardized, and the future of this kind of mass attack is quite real.

Erik Loman [Security Solution Architect at SurfRight]:

For motherboard manufacturers, UEFI is a significant step forward. Compared to the BIOS, UEFI is much easier to use because the code can be written in C. That is a big step forward compared to the BIOS, which you can only program in 16-bit assembler.
In order to use UEFI, manufacturers have to completely rewrite their BIOS code base, which has been in use for 30 years. So it will take significant time to move from one platform to the other. Even today there are many manufacturers that continue to release a BIOS instead of UEFI for their motherboards. The fact that the growth of the PC market has been slowing down lately will not be good news for UEFI manufacturers.
The fact that researchers like Peter Kleissner, Saferbytes, LEAD82 and Quarkslabs explore the bootkit theme is, in fact, good news for the security industry as a whole. We need to understand where potential vulnerabilities are in order to prevent intruders from using them, as we have seen in the cases of TDL4, Cidox or Gapz. As UEFI spreads over time, attackers will sooner or later also turn to this platform. So we will be better prepared when this happens.

Conference materials are available here.

Source: https://habr.com/ru/post/176055/
