HITB 2013: new features and UEFI-bootkits

It is hardly worth recalling that HITB is one of the most famous conferences for security experts. This year it was held in Amsterdam, Holland, Hotel Okura . Officer Conference Twitter https://twitter.com/HITBSecConf . This year, in addition to interesting reports from the scribes, the conference included several days of training, which was devoted to the very popular topic of exploitation, including designing demo exploits, shell code, heap spray, ROP and others. We want to talk about some interesting reports from this conference.



The cost of two days of training was 1499 eur and the program is really impressive.

One of the reports was presented by Nikita Tarakanov (NTarakanov). The report is dedicated tokernel pool operation technique, and for this , flaw is used, which is present in all versions of NT, starting from 4.0 and ending with NT 6.2 (Windows 8, Blue) .

Note that the work of Tarjei Mandt (aka kernelpool), called "Kernel Pool Exploitation on Windows 7" has long become one of the most famous on the topic of operating the kernel pool. Nikita also refers to this work in his report, as well as to the work of Zhenhua Liu, who presented his report at Black Hat Europe '13.

Kernel Pool allocator plays significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. Tarjei Mandt aka @kernelpool has done a great job in analyzing the internals of the Windows kernel pool allocator and found some great attack techniques, mitigations bypasses etc. In Windows 8 however, Microsoft has eliminated almost all reliable techniques of exploiting kernel pool corruptions. An attack technique by Tarjei needs a lot of prerequisites to be successful and there are a lot of types of pool corruptions where his techniques don't work unfortunately.

You can download the material here [zip - PDF + PPT].



Another interesting report entitled “Dreamboot: A UEFI Bootkit” was announced by Sebastien Kaczmarek. I must say that this is very timely, since the community has long been talking about possible bootkits for the modern BIOS architecture called UEFI, some reservers called the date 2013, apparently they were not mistaken. The report is available here .

Unified Extensible Firmware Interface or UEFI, is the result of a common effort from several manufacturers and industry stakeholders based on an initiative from Intel. It is a new software component or 'middleware' interposed between the hardware and the operating system designed to replace the traditional aka old BIOS.

This presentation is a study of the overall architecture of UEFI from a security point of view with a focus on a bootkit implementation for Windows 8 x64 which exploits the UEFI firmware: Dreamboot. Dreamboot has two specific payloads: Privilege escalation and Windows local authentication bypass.DreamBoot comes in the form of a bootable ISO, to use preferably as part of a physical attack (i.e. when the attacker has physical access to the machine peripherals: DVD or USB ports). It is also fully functional in virtualized environments like VMWare Workstation or ESX.

The presentation also describes how to develop for UEFI platforms using Tianocore SDK and the new security risks its deployment implies. The Windows boot process and its evolution from BIOS to UEFI implementation will be covered and all bootkit implementation details explained.

Note that not so long ago there was a leak of AMI firmware UEFI sources, which contained a private test key.



The source code set also contained a detailed explanatory help for the functions, so that this might speed up or enhance the understanding of the functioning of the firmware code.

Especially for our post, the UEFI and bootkits topic was commented by experts specializing in the analysis of complex threats.

Aleksandr Matrosov [ESET Senior Security Researcher & Team Lead]:

The most common way to bypass digital signature verification for kernel modules during the boot process is to use the bootkit functionality. I have repeatedly covered in my publications technologies that are used to modify MBR or VBR. But with the increasing penetration of Win8 and trusted boot technology, SecureBoot only spurred security researchers to focus in the other direction. Just yesterday, another DreamBoot bootkit concept for UEFI appeared, which is delivered in source and is in the public domain. Unlike the many varieties of BIOS, there is a generally accessible standard for UEFI that developers are trying to adhere to. And if in the case of the BIOS for mass modification attacks the question arose of compatibility of the developed extension modules,

Erik Loman [Security Solution Architect at SurfRight ]:

For motherboard manufacturers, UEFI is a significant step forward. Compared to BIOS, UEFI is much easier to use, since the code can be written in C. A big step forward compared to the BIOS, for which you can only program in 16-bit assembler.
In order to use UEFI, manufacturers will have to completely rewrite their BIOS code base, which has been used for 30 years. So it will take a significant amount of time to move from one platform to another. Even today, there are many manufacturers who continue to release BIOS instead of UEFI for motherboards. The fact that PC market growth has been slowing down lately will not be good news for UEFI manufacturers.
The fact that resellers like Peter Kleissner, Saferbytes, LEAD82, and Quarkslabs are exploring bootkits is, in fact, good news for the security industry as a whole. We need to understand where potential vulnerabilities are located in order to prevent malicious users from using them, as we saw in the cases of TDL4, Cidox, or Gapz. Thus, with the spread of UEFI, attackers will sooner or later also be guided by this platform. So we will be better prepared when this happens.

Conference materials are here .