18:00 - 19:00
Day 3
UEFI exploitation
We take a look at UEFI platform initialization firmware as found on many current mainboards, whether in laptops, desktops or servers.
Many security flaws, such as the recently disclosed LogoFAIL vulnerabilities in the image parsers that firmware uses to render boot logos, expose both consumers and organizations to severe risks: code that runs at this stage sits below the operating system and any of its defenses.
What strategies are there to find such issues, and how do we exploit them?
Exploitation 101
The rough plan is commonly:
- understanding the system/environment
  - data structures
  - domain specific tools
- manipulating the system/environment
  - input; this is our exploit :)
- monitoring the system/environment
  - emulators
  - probes
  - loggers, parsers
Tools
We have prepared a tool to scan memory for EFI data structures: https://github.com/platform-system-interface/ems
Here is a Ghidra plugin to assist with firmware images and modules: https://github.com/al3xtjames/ghidra-firmware-utils
For inspection and extraction of firmware images, we can use e.g. Fiedka, the Fiano tool suite's utk, and UEFITool.
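As an added example of what such a memory scanner does (written for this page; it is not code from ems, utk, UEFITool or any other tool listed here), a small C program that looks for EFI_TABLE_HEADER structures in a memory dump and validates them the way the UEFI specification defines them: the 64-bit signature, a plausible HeaderSize, and a CRC32 computed over HeaderSize bytes with the CRC32 field zeroed. The signature constants and the header layout are from the UEFI specification; the 8-byte scan stride, the 4 KiB size bound and the sample dump (which includes a decoy with a correct signature but a bad CRC) are assumptions and constructed data.

```c
/* efi_table_scan.c - find EFI table headers in a memory dump.
 * Added example for this page, not part of ems or any listed tool.
 * Assumptions: little-endian layout (x86), tables 8-byte aligned,
 * HeaderSize bounded by MAX_TABLE_SIZE (a heuristic, not from the spec). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UEFI spec, EFI_TABLE_HEADER: Signature(8) Revision(4) HeaderSize(4) CRC32(4) Reserved(4) */
#define EFI_TABLE_HEADER_SIZE          24u
#define EFI_SYSTEM_TABLE_SIGNATURE     0x5453595320494249ULL /* "IBI SYST" */
#define EFI_BOOT_SERVICES_SIGNATURE    0x56524553544f4f42ULL /* "BOOTSERV" */
#define EFI_RUNTIME_SERVICES_SIGNATURE 0x56524553544e5552ULL /* "RUNTSERV" */
#define MAX_TABLE_SIZE 4096u /* sanity bound (assumption); real tables are a few hundred bytes */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* CRC32 as used by EFI_TABLE_HEADER (IEEE 802.3 / zlib: reflected poly 0xEDB88320,
 * init 0xFFFFFFFF, final xor 0xFFFFFFFF). Bitwise, no table, good enough for dumps. */
uint32_t crc32_ieee(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Validate a candidate header at p: signature, plausible HeaderSize, then the CRC32
 * over HeaderSize bytes with the CRC32 field set to zero, as the spec defines it. */
int efi_table_header_valid(const uint8_t *p, size_t remaining, uint64_t sig) {
    if (remaining < EFI_TABLE_HEADER_SIZE || le64(p) != sig) return 0;
    uint32_t hdr_size = le32(p + 12);
    if (hdr_size < EFI_TABLE_HEADER_SIZE || hdr_size > MAX_TABLE_SIZE || hdr_size > remaining) return 0;
    uint8_t tmp[MAX_TABLE_SIZE];
    memcpy(tmp, p, hdr_size);
    memset(tmp + 16, 0, 4);
    return crc32_ieee(tmp, hdr_size) == le32(p + 16);
}

/* Offset of the first valid table with the given signature, or -1. A signature hit
 * alone is not enough: stale copies and strings in images produce false positives. */
long find_efi_table(const uint8_t *buf, size_t len, uint64_t sig) {
    for (size_t off = 0; off + EFI_TABLE_HEADER_SIZE <= len; off += 8)
        if (efi_table_header_valid(buf + off, len - off, sig)) return (long)off;
    return -1;
}

/* --- constructed sample dump (not a real capture) --- */
#define SAMPLE_LEN  0x400u
#define DECOY_OFF   0x40u
#define REAL_OFF    0x200u
#define SYSTAB_SIZE 120u /* sizeof(EFI_SYSTEM_TABLE) on x64 */
static uint8_t g_sample[SAMPLE_LEN];

static void put_table(uint8_t *p, uint64_t sig, uint32_t size, int good_crc) {
    memset(p, 0, size);      /* body left zeroed; a real table holds pointers here */
    wr64(p, sig);
    wr32(p + 8, 0x00020046); /* Revision 2.70 (constructed value) */
    wr32(p + 12, size);
    wr32(p + 16, good_crc ? crc32_ieee(p, size) : 0xDEADBEEFu); /* CRC field is 0 while computing */
}

size_t build_sample_dump(void) {
    memset(g_sample, 0xA5, sizeof g_sample);
    /* decoy: correct signature, wrong CRC (think: a stale copy in freed pool memory) */
    put_table(g_sample + DECOY_OFF, EFI_SYSTEM_TABLE_SIGNATURE, SYSTAB_SIZE, 0);
    put_table(g_sample + REAL_OFF, EFI_SYSTEM_TABLE_SIGNATURE, SYSTAB_SIZE, 1);
    return sizeof g_sample;
}

long demo_scan(uint64_t sig) { return find_efi_table(g_sample, build_sample_dump(), sig); }

int main(int argc, char **argv) {
    uint8_t *buf = g_sample;
    size_t len = build_sample_dump();
    if (argc > 1) { /* usage: ./efi_table_scan memory.dump */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        if (sz < 0 || !(buf = malloc((size_t)sz))) { fclose(f); return 1; }
        len = fread(buf, 1, (size_t)sz, f); fclose(f);
    }
    printf("system table    : %ld\n", find_efi_table(buf, len, EFI_SYSTEM_TABLE_SIGNATURE));
    printf("boot services   : %ld\n", find_efi_table(buf, len, EFI_BOOT_SERVICES_SIGNATURE));
    printf("runtime services: %ld\n", find_efi_table(buf, len, EFI_RUNTIME_SERVICES_SIGNATURE));
    return 0;
}
```

Without an argument it scans the constructed sample and reports the valid system table at 0x200, skipping the decoy at 0x40; with a dump file as argument it scans that instead. Once the system table is found, its BootServices and RuntimeServices pointers lead to the other two tables, which can be validated the same way before trusting any function pointer in them.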
References
- https://uefi.org/sites/default/files/resources/Jiewen%20Yao%20-%20SMM%20Protection%20in%20%20EDKII_Intel.pdf
- http://publications.alex-ionescu.com/Recon/ReconBru%202017%20-%20Getting%20Physical%20with%20USB%20Type-C,%20Windows%2010%20RAM%20Forensics%20and%20UEFI%20Attacks.pdf
- https://i.blackhat.com/EU-23/Presentations/EU-23-Pagani-LogoFAIL-Security-Implications-of-Image_REV2.pdf
- https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/
Assembly location: just meet at the assembly; no idea what else is available