Thursday, September 3, 2015

EFI/UEFI and OSX link dump

Firmware/EFI and Kernel/OS level issues link dump:

long-running bug (fixed?):
http://newosxbook.com/articles/PST2.html

Twitter account of an OS X/EFI security researcher: https://twitter.com/osxreverser

OSX kernel mem leak: https://github.com/ud2/advisories/tree/master/osx/cve-2015-3780
malicious ntfs image dos: https://github.com/ud2/advisories/tree/master/osx/cve-2015-5763

read osx physical memory, including bios, kernel, and possibly smm: https://github.com/gdbinit/readphysmem
exploit using this info: https://github.com/gdbinit/diagnostic_service2

info about tpwn: http://blog.qwertyoruiop.com/?p=69
tpwn (qwertyoruiop's OS X 10.10.5 local root exploit): https://github.com/kpwn/tpwn

OSX rootkit detection and prevention:

Rootpipe: https://twitter.com/diodesign/status/630553369078149120
http://www.opensource.apple.com/source/gdb/gdb-1705/src/gdb/macosx/macosx-nat-dyld.c
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Patrick%20Wardle/
updated preso from defcon: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Patrick%20Wardle%20-%20UPDATED/

thunderstrike 2: https://trmm.net/Thunderstrike2_details
http://legbacore.com/Research_files/ts2-blackhat.pdf

xpwn, planetbeing's tooling for decrypting and patching iOS firmware images:
https://github.com/planetbeing/xpwn
lightweight version: https://github.com/sektioneins/xpwntool-lite

tons of good resources on this site: https://reverse.put.as/2015/08/07/writing-bad-lamware-for-os-x/
their github: https://github.com/Gdbinit/
https://reverse.put.as/archives/


EFI:
EDK II Visual Studio integration (VisualUefi): https://github.com/ionescu007/VisualUefi
thread about said tool: https://twitter.com/aionescu/status/632594173414129664


https://github.com/LongSoft/UEFITool
UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images.
It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.

hypervisor stuff:
https://twitter.com/adulau/status/631366664265842688 - Sushi, a thin hypervisor small enough to bypass and interfere with PatchGuard: https://github.com/tandasat/Sushi

trustzone fuzzer: https://github.com/laginimaineb/fuzz_zone

bootloader walkthrough: http://www.cs.dartmouth.edu/~bx/blog/2015/09/03/a-toure-of-bootloading.html


Friday, July 10, 2015

Updating the bios on a Lenovo Thinkpad T440s

I like not having to worry about web pages flipping adjacent bits in memory (Rowhammer: http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html), so I wanted to update my BIOS. I didn't want to use the Windows update utility (I'm not running Windows) or the Lenovo System Update crapware that also only runs on Windows, so I went the bootable-USB route.

From an Ubuntu system running full-disk encryption on a Lenovo ThinkPad T440s, I did the following:
Downloaded this: http://support.lenovo.com/us/en/downloads/ds035967
More or less followed directions here: http://www.lenzg.net/archives/358-Updating-the-BIOS-on-my-ThinkPad-T440-without-Windows-or-a-DVD-Drive.html

If you do have Windows and don't want to shut down, here's how to query your Lenovo BIOS version using PowerShell (works on PowerShell 2.0 and later):
(Get-WmiObject -class "Win32_bios" -namespace "root\CIMV2" -computername ".").SMBIOSBIOSVersion

Here's how to query it on Ubuntu (and most other Linux distributions):
$ sudo dmidecode -s bios-version

Unlike the tutorial linked above, my steps for creating the bootable USB are a little simpler, mostly because the tool, geteltorito, is already present on Ubuntu (it ships in the genisoimage package).

How to update:
Step 1: Create the bootable USB:
**Note: this assumes your USB stick is /dev/sdb. Write the image to the whole device (/dev/sdb), not to a partition such as /dev/sdb1: geteltorito extracts a whole-disk image that carries its own boot sector, and it belongs at the start of the device. Everything on the stick is overwritten, so double-check the device name with lsblk first.

$ geteltorito -o bios.img gjuj13us.iso
$ sudo dd if=bios.img of=/dev/sdb bs=1M
$ sync

Done, the USB stick should now be bootable.
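As an added example (my script, not code from the original post or from Lenovo), here is Step 1 with the dmidecode version check folded in and the two guards a practitioner would want before running dd against a block device: it refuses a partition name (/dev/sdb1, /dev/nvme0n1p1) and refuses a disk the kernel does not mark as removable. It assumes geteltorito (genisoimage package on Ubuntu/Debian) and dmidecode are installed; the ISO name and device path are placeholders you pass on the command line.

```shell
#!/bin/sh
# Added example: guarded bootable-USB creation for a Lenovo BIOS update ISO.
# Assumptions (not from the original post): geteltorito and dmidecode are
# installed; you pass the WHOLE USB device (e.g. /dev/sdb), never a partition.
set -eu

# Print the currently running BIOS version, as the post does.
current_bios_version() {
    sudo dmidecode -s bios-version
}

# Return 0 if $1 names a whole disk (/dev/sdb, /dev/nvme0n1, /dev/mmcblk0),
# 1 if it names a partition (/dev/sdb1, /dev/nvme0n1p1, /dev/mmcblk0p1) or
# something we don't recognise. dd'ing the image into a partition puts its
# boot sector in the wrong place, so the stick won't boot.
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z])            return 0 ;;
        /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*)      return 1 ;;
        /dev/nvme[0-9]*n[0-9]*|/dev/mmcblk[0-9]*)   return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Return 0 if the kernel flags $1 as removable (sysfs "removable" == 1).
# $2 optionally overrides the sysfs root so the check can be exercised offline.
is_removable() {
    dev_name=${1##*/}
    sysroot=${2:-/sys}
    [ -r "$sysroot/block/$dev_name/removable" ] &&
        [ "$(cat "$sysroot/block/$dev_name/removable")" = 1 ]
}

# Extract the El Torito boot image from the ISO ($1) and write it to the
# whole device ($2). Everything on that device is destroyed.
write_boot_usb() {
    iso=$1
    dev=$2
    if ! is_whole_disk "$dev"; then
        echo "refusing: $dev is a partition or unknown; pass the whole device, e.g. /dev/sdb" >&2
        return 1
    fi
    if ! is_removable "$dev"; then
        echo "refusing: $dev is not flagged removable; is that really the USB stick?" >&2
        return 1
    fi
    geteltorito -o bios.img "$iso"
    # The desktop may have auto-mounted the stick's partitions; unmount them.
    sudo umount "$dev"?* 2>/dev/null || true
    sudo dd if=bios.img of="$dev" bs=1M
    sync
}

main() {
    echo "current BIOS: $(current_bios_version)"
    write_boot_usb "$1" "$2"
    echo "done; reboot, press F12 and pick the USB stick"
}

# Usage: ./mkbiosusb.sh gjuj13us.iso /dev/sdb
if [ $# -eq 2 ]; then
    main "$@"
fi
```

The sysfs root override in is_removable exists only so the guard can be exercised without real hardware; in normal use leave it out and the script reads /sys directly.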

Updating the Bios with the bootable USB
Then I shut down, crossed my fingers, and booted from the USB stick (F12 brings up the boot-media selection menu during boot, unless you've disabled that in the BIOS).

If you don't care about details and just want to finish: select option 2, then Y, yes, yes, sure, do the thing; reboot without removing the media, wait for the flash to finish, remove the USB stick, reboot, done.

Detailed version:

When the usb loads, I have three options:

1. "Read this first". This is actually pretty confusing and didn't really make sense; the instructions read as if they were badly translated or written by a drunk person.

2. "update system program". This does what I'm here for.
<Y>, yes, I want to continue

Don't remove USB, press <Enter>

System reboots into USB again

Flashing takes about a minute or two, then reboots. I removed the flash drive while it was counting down and it rebooted happily into my disk encryption prompt, then into my OS.

Option 3 was to manually change your serial number. I didn't have a need for this as far as I'm aware. I kind of want to make it "SKYNET" though.

Next
I'm going to enable boot protection, TXT mode, and security auditing on the BIOS and other strings, and then post an update on updating the BIOS once all that complication is added to the process. My next BIOS update should be considerably more complicated.

Let me know if anyone has issues with this method. Your BIOS image may differ from mine if your machine is not a T440s.