DEF CON 31 - Ringhopper - How We Almost Zero day’d the World - Benny Zeltser, Jonathan Lusky

Views 66,737

DEFCONConference

7 months ago

Last year we almost zero-day’d the world with the publication of RingHopper. Now we can finally share some juicy details and invite you for an illuminating journey as we delve into the realm of RingHopper, a method to hop from user-land to SMM.
We will survey the discovery and disclosure of a family of industry-wide vulnerabilities in various UEFI implementations, affecting more than eight major vendors and leaving billions of devices vulnerable to our attack. Then, we will deep-dive into the innards of SMM exploitation and discuss methods to use and abuse various functionalities and properties of edk2 to gain code execution. We will unveil both our futile and fruitful attempts to craft our way into SMM, detailing both the paths that led to dead ends and the route to success.
We will give a detailed overview of different ways to elevate this kind of attack to user-land both on Windows and Linux by chaining multiple vulnerabilities together.
Finally, we will show RingHopper hopping from user-space to… SMM.

COMMENTS: 47
@alexlefevre3555 7 months ago
I think what's the most wild to me is the kernel level exploitation after the fact seemed like it was simply an afterthought. Wild stuff. The negative ring spaces seem to have NOT been the answer engineers had hoped.
@JustAnotherAlchemist 6 months ago
That threw me back in my chair for a second too... then I looked closer and there is a reason they glossed over that part in the talk. Neither of these are really pure privilege escalation, more social engineering. The Windows privilege escalation requires at least user clicking through a UAC prompt, as the signed BIOS modification software would need to be invoked. The Linux privilege escalation requires that amifldrv kernel module be previously installed by super user/root. And, if installed properly, permissions would be set to deny anyway.
@Sean_neaS 7 months ago
I would have given up at each and every setback! I hope this was more fun than it sounds like.
@ronminnich 7 months ago
"AMI lets us do some pretty amazing things from user space" -- in a talk full of great quotes, that's maybe my favorite. So, would you consider attacking RISC-V OpenSBI?
@bubbleopter 7 months ago
basically, if your PC randomly sleeps, just throw it out the window, but first check for passersby. if you don't have a window, drop the network, disconnect your hard drive and mobo, and put both into the microwave at 1000w 😂
@boneappletee6416 7 months ago
Remember to drill through your HDD after each use. 😊
@sovahc 7 months ago
Just zero your ssd and bios. Then reflash, reinstall os and old games from cds, and never connect to the internet.
@volodumurkalunyak4651 7 months ago
Wrong. If your PC randomly sleeps, unplug/replug the power cord.
@joshua7551 7 months ago
Suddenly feeling vindicated for not trusting sleep states at all for the last 5 years. Between fastboot, Windows fast startup, and sleep states, I had a feeling one of them would have some sort of ACE bug. My work laptop runs Linux so it's not as much of an issue to just shut it down and start it back up when I switch between sites.
@bubbleopter 7 months ago
@@sovahc true xD it's that last bit where things start to get all weird. "ooh, lemme connect this to an enormous network of computers and just hope there aren't any mischievous folk online." also is it possible to flash the disk with modified firmware, sorta like b/rootkit type thingamabob?
@n1k0n_ 7 months ago
So this is why my laptop got all those sleep mode firmware updates 😬
@fannstwebmaster5494 6 months ago
From around 6:00 I was screaming DMA DMA DMA to myself... Fuck I was right 😂😂
@davidmordinson2022 7 months ago
Well done, guys👏👏👏 Great one!
@brujua7 7 months ago
Great talk, great research! So lucky to have you folks
@RyanHarris77 7 months ago
Thank you for citing your meme sources.
@user-jb8nz4ig9n 7 months ago
The best talk in Defcon31💪
@GSX-R-lg3ei 7 months ago
Race condition chaining from hell, love it.
@dandeeteeyem2170 7 months ago
Finally an interesting talk from Def Con 31. I was beginning to lose hope 😅
@Look_What_You_Did 7 months ago
Your lack of understanding does not change the complexity of the world around you. I.e. just because you don't get it doesn't mean it is not worthwhile.
@dandeeteeyem2170 7 months ago
@@Look_What_You_Did I was thinking in terms of inspiring youngsters to think about how to approach "hacking" philosophically. You don't seriously come here to get serious 0-days, do you? Even Black Hat is losing its edge thanks to infiltration by gov and corp hacks
@celestialowl8865 7 months ago
@@Look_What_You_Did A complete lack of understanding probably would make it considerably less interesting, however.
@dandeeteeyem2170 7 months ago
@@Munch473 thanks! After sifting through everything from this year, there's a couple of great ones where the speaker "slipped through the filters". I love talks like Bill Swearingen at Def Con 27. That stuff is useful and in the true spirit of the con IMHO.
@jmax8692 3 months ago
Says the idiot who can’t understand the lectures 😂😂
@Ben_EH-Heyeh 6 months ago
Exploitation researcher at Mitre wrote a POC SMM Rootkit called Light Eater.
@sjoervanderploeg4340 7 months ago
So this is the reason why my machine was in sleep mode after vacation?
@t_r 7 months ago
👏👏👏
@theflowpowa42oshow 4 days ago
is it 420 or 42o?
@ThePlayerOfGames 7 months ago
Soooo, every CPU post Core Duo is permanently vulnerable to ring -2 attacks unless we can disable the on chip operating system?
@The-Anathema 7 months ago
More or less 'yes', and these aren't the first nor last attacks on the ME (from memory I can think of attacks going at least as far back as '09, and that's just what I can remember from the top of my head). It's a sophisticated piece of technical liability, potentially a backdoor (even if not intended to be one) and definitely a hardware level rootkit (again, even if not intended as one). This is one, among many, reasons why I advocate for a RISC architecture without all this extra complexity, I don't really care which one (there are pros and cons to most of them and it's above my paygrade). I have similar opinions about TPM (Trusted Platform Module -- version 2.0 especially but 1.0 as well to an extent), and AMD's equivalent PSP (I don't remember what their acronym stands for), but that's a topic for another time.
@D3v15H 7 months ago
For those who did not listen to the talk carefully: this is not an ME attack. This is done entirely on the CPU.
@The-Anathema 7 months ago
That is correct, and worth mentioning since this comment thread is a little bit off-topic.
@joemck85 6 months ago
Intel ME and AMD PSP are even further up the food chain and their inner workings are invisible to code running in SMM. The very first version of SMM was found on the 386, though I doubt that early revision of it is vulnerable to this particular attack method. Unless I'm mistaken though, this can be at least mostly mitigated with a UEFI update.
@robmorgan1214 7 months ago
Dude this s-t's been broken for years. Been pwning SMM IN NON ROOT USERSPACE since 2015. SMM is not well written, designed, etc. Bugs abound. Only issue is persistence... i.e. you brick the CPU if your scratch pad overflows into something containing a FW patch. It's why I don't trust the "cloud".
@theflowpowa42oshow 4 days ago
You never trust a cloud 😶‍🌫
@LaLaLand.Germany 7 months ago
Can anyone dumb down what's going on here? I don't speak nerd. Am I okay with not having UEFI but good, old BIOS?
@jsrodman 6 months ago
Unless your hardware is deep retro, there's UEFI there, just possibly pretending to be a BIOS.
@LaLaLand.Germany 6 months ago
I'll be deep retro, then. Asus P5K but maxed out. Enough power for what I want and reliable. Hope it never fails... @@jsrodman
@reddragonflyxx657 6 months ago
@@LaLaLand.Germany I'm commenting during the introduction of this talk, but SMM has been supported by x86 processors since the early 1990s. If you go back that far, you'll probably get some security through obscurity, but vendors don't bother writing patches for any security bugs in stuff that old. Anyway, this looks like a local privilege escalation attack. Generally I'd consider a machine compromised by the time that's feasible (unless it's doable from JS, like Spectre was... speaking of which, how are the Meltdown mitigations on your Bearlake processor?) because the attacker generally can do a lot with just normal user permissions on a desktop.
@JonMasters 7 months ago
Attacking the x86 architecture is not “zero daying the world”. The world doesn’t run exclusively on x86.
@Look_What_You_Did 7 months ago
It does.
@zombie_pigdragon 7 months ago
No, but most servers and consumer machines do...
@mariarahelvarnhagen2729 7 months ago
Talking NAK With Marc Andreesen