13

Recently the ThinkPwn firmware vulnerability has been disclosed, with a proof of concept and a quite long explanation. However, can anyone explain in layman's terms (without requiring extensive knowledge on how firmware works) what this allows an attacker to do?

Also, it seems that this vulnerability is also present in an HP Pavillon computer and probably many others, yet I can't see its usefulness there as these machines don't seem to have any firmware signature checks anyway, so you could already write a malicious firmware without needing this exploit to overwrite protected regions of it.

André Borie
  • 12,706
  • 3
  • 39
  • 76

2 Answers2

6

what this allows an attacker to do?

It allows an attacker to execute arbitrary code in System Management Mode (SMM), a highly privileged execution mode of x86 processors. This mode is transparent to the Operating System (OS) and it is more privileged than any other mode. If an attacker can execute code in SMM, it basically owns the platform/computer (more powerful than any other rootkit in the kernel of your OS).

It is worth noting that such vulnerability has a requirement: you need kernel privileges in order to trigger a System Management Interrupt (SMI), to execute the exploit.

There is two approaches for the attacker:

  • It can overwrite the firmware flash storage and disable some security features at boot. Then, even if you erase the content of your hard disk, or buy another one it can reinfect the OS without any problem. Furthermore, detecting or removing the malware from the firmware will be a hard task since it controls one of the early piece of code executing on the computer. However, a measured boot using a Trusted Platform Module (TPM) chip could detect the modification of the firmware flash and that some security features are disabled at boot, because the measurements made (cryptographic hashes) are not genuine. Such detection is possible if the measured boot process is properly implemented by the vendor. The measurement process relies on a core root of trust where the first component measuring the next one is trusted. Hence, if this first component is the firmware contained in the flash, the attacker can fake the measurements without being detected.
  • It can be stealthy and just overwrite the code executed in SMM, located in SMRAM, without modifying the flash. This way it controls the code executed in SMM and can monitor or modify the behavior of the OS. The stealthiness comes from the fact that if the computer is rebooted, there is no traces of the attack in the flash (since everything was in RAM). Lots of computers, however, do not reboot that often (e.g. servers), hence the attacker does not need to reinfect the machine to still have control over it.
Ronny
  • 1,098
  • 8
  • 12
4

In layman's term, as requested, I think this vulnerabiliy can be simply boiled down to particular case of privilege escalation attack. It follows the same way, and pursue the same goal (and such attacks against SMM are not new: two other occurrences were presented at the Black Hat conference in 2008 and 2015).

How it works: it works by injecting arbitrary code into a software running with higher privileges. Here the originality is that the vulnerable software does not run inside the OS, but outside of it: in a firmware.

What it achieves: you can do a privilege escalation for several purposes:

  • Access data which should not be reachable. For instance Windows 10 seems to rely on a virtualization-based technology to store some credentials out of the whole OS reach. This exploit gives you an even higher privilege level and therefore grants you access to all such protected data.
  • Hide yourself from lower privileged code. All anti-virus solutions are running at best at the OS kernel privilege level. By elevating above this level you can create more furtive software which will not be detectable using any conventional mean.
  • Execute otherwise unauthorized actions. Any actions possible at lower layers remain possible here too, but with the advantage that you have precedence over the OS (for instance you can install an hidden network service: the OS will never be aware of the packets sent and received by such backdoor). New actions may also become possible, but they will most likely be platform-dependent. At the end what you get is some kind of malicious version of Intel's Management Engine, the only limitation is that your code is bound to the platform's main CPU, for instance:
    • It may not be able to run while the machine is turned off (this may not be true however if your machine is put to sleep, if you enable features like wake-on-lan, or if the backdoor enabled such features, or it replaced the genuine power-off by a simulated one),
    • It may not access other processors like TPM internal processor, unless the TPM chip is actually emulated on the main CPU as it is the case for ARM's TrustZone (used notably by Android), or if the trust level thus acquired opens access to new communication channels unavaible to the OS.
WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104