How To Hack A Turned-Off Computer, Or Running Unsigned Code In Intel .

Transcription

Mark Ermolov, Maxim Goryachy
How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

We Are Going To
- Reveal an Intel ME vulnerability (CVE-2017-5705,6,7) allowing arbitrary code execution
- Emphasize the dangers of such bugs in digitally signed firmware
- Show how we bypassed built-in exploitation mitigations
- Disclose architecture flaws in Intel ME

Who is Mark Ermolov
System programmer interested in security aspects of hardware, firmware, and low-level system software. Currently researching inner workings of Intel platforms (PCH, IOSF, iGPU).
@_markel___
mermolov{at}ptsecurity.com

Who is Maxim Goryachy
System and embedded developer and security researcher. Interested in cryptography, virtualization technologies, reverse engineering, and hardware.
@h0t_max
mgoryachy{at}ptsecurity.com

Our Research Team
Maxim Goryachy, Mark Ermolov
- Tapping into the Core
- Intel DCI Secret
Dmitry Sklyarov
- Intel ME: Flash File System Explained
- Intel ME: The Way of the Static Analysis

Agenda
- Intel Management Engine 11 overview
- Known public vulnerabilities
- Potential attack vectors
- Vulnerability
- Bypassing mitigation
- Possible exploitation vectors
- Demo

Intel Management Engine 11 Overview

Intel ME 11
- Excluding publications such as Dr. Ruan’s book [PSTR14], ME is a partially documented Intel technology with proprietary firmware
- Root of trust for multiple security features such as PAVP, PTT and Boot Guard
- Has full access to many Intel hardware devices
- Has hardware capabilities for interception of some user activity
- An integral component for all stages of the platform operating cycle

Intel ME 11 Design
- Independent 32-bit processor core (x86)
- Running own modified MINIX
- Has a built-in Java machine [IMS14]
- Interacts with CPU/iGPU/USB/DDR/PCI/...
- Works when main CPU is powered down (M3 mode)
- Starter code is burned in non-reprogrammable on-die memory

Intel ME 11 – Related Technologies
- Intel Active Management Technology
- Intel Protected Audio Video Path
- Intel Platform Trust Technology
- Intel Software Guard Extensions [PSTR14]
- Intel Boot Guard
- ...

Intel ME 11 – Related Technologies
[Diagram: ME 11 and related technologies: PAVP, SGX, Boot Guard, AMT, PTT (fTPM)]

Known Public Vulnerabilities

Known Public Vulnerabilities
[Timeline with ticks at 2005, 2009, 2010, 2015, 2017. Labels: AMT 1.0, AMT 6.0, AMT 11.0; Ring-3 rootkit (Q35) [IRR09]; Security evaluation of Intel’s Active Management Technology [SMT10]; Silent Bob is Silent (CVE-2017-5689) [ASM17]]

Known Public Vulnerabilities
- Alexander Tereshkin and Rafal Wojtczuk of Invisible Things Lab: Introducing Ring-3 Rootkits (code execution)
- Vassilios Ververis of the Royal Institute of Technology: Security Evaluation of Intel’s Active Management Technology (AMT authentication bypass)
- Dmitriy Evdokimov, Alexander Ermolov, and Maksim Malyutin of Embedi: Silent Bob is Silent (AMT authentication bypass)

Over the past 12 years, only one vulnerability allowing execution of arbitrary code on ME has been found!

Now we have two of them!

Potential attack vectors (ways to impact)

How we can impact Intel ME
- Local communication interface (HECI)
- Network (vPro only)
- IPMI/MCTP
- Host memory (UMA)
- Firmware SPI layout
- Internal file system

HECI
- Main interface for communication between host and ME
- Represented as PCI device
- Transports dozens of ME service protocols
- Undocumented; some protocol formats can be found in coreboot
- MEBx and BIOS use HECI to set up ME
- Used by Intel tools for updating and manufacture-line configuring

Network (vPro only)
- ME implements various industry-standard protocols (IP, HTTP, WPA2, KERBEROS)
- Has built-in full-fledged web and VNC servers
- Complete platform control is exposed in XML-based WSMAN protocol
- Most functionality is in one large module (AMT)

UMA
Currently UMA is encrypted by AES with integrity checking via unknown cyclic redundancy code

Firmware SPI Layout
- Has complex structure
- We found bugs in parsing procedures of signed data (not exploitable if you don’t have Intel’s private key)
- Firmware code is generally not vulnerable to “evil SPI flash” attack

Internal Flash File System (MFS)
Have you attended Intel ME: Flash File System Explained by Dmitry Sklyarov? ;)

Potential attack vectors (which modules?)

Access Control Model
- Process is a subject of access control
- A process has statically defined access rights
- User and groups identity for file system access
- List of allowed hardware resources
- List of allowed kernel syscalls

Architecture Problems
- A process with permission to create new processes can spawn one more privileged than itself
- Access to some internal devices completely breaks the security model

Modules With High Privileges
- “ROM”
- RBE
- KERNEL
- BUP
- LOADMGR
- PM

BUP is very tempting

BUP Overview
- First user-mode process
- Exists on all platforms
- Has access to security-sensitive hardware (e.g., DMA controller)
- Can create new processes
- Performs early platform initialization
- Can bypass MFS protection (via SPI controller)
- Builds basic configuration for all other processes

BUP: More Reasons
- One of the largest modules
- Duplicates a lot of other modules’ functionality
- Processes large amount of configuration data
- Interacts with the host via HECI

Trace Hub Initialization
void __cdecl bup_init_trace_hub()
{
  int err; // eax
  signed int npk_reg_idx; // ebx
  unsigned int bytes_read; // [esp+0h] [ebp-350h]
  unsigned int file_size; // [esp+4h] [ebp-34Ch]
  int si_features[5]; // [esp+8h] [ebp-348h]
  int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
  int cookie; // [esp+344h] [ebp-Ch]
  cookie = gRmlbCookie;
  memset(si_features, 0, 0x14u);
  bytes_read = 0;
  file_size = 0;
  if ( !(getDW_sel(0xBF, 0xE0u) & 0x1000000)
    && !bup_get_si_features(si_features)
    && !bup_dfs_get_file_size("/home/bup/ct", &file_size) )
  {
    if ( file_size )
    {
      LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
      npk_reg_idx = 0;
      if ( !err )
      {
        while ( npk_reg_idx < HIWORD(ct_data[1]) )
        {
          if ( HIBYTE(ct_data[2 * npk_reg_idx + 2]) == 1 )
            putDW_sel(0xB7, ct_data[2 * npk_reg_idx + 2] & 0xFFFFF, ct_data[2 * npk_reg_idx + 3]);
          if ( HIBYTE(ct_data[2 * npk_reg_idx + 2]) == 2 )
            putDW_sel(0xBF, ct_data[2 * npk_reg_idx + 2] & 0xFFFFF, ct_data[2 * npk_reg_idx + 3]);
          ++npk_reg_idx;
        }
        bup_switch_tracer(0xB7, 0xBFu);
      }
    }
  }
  if ( gRmlbCookie != cookie )
    sys_fault();
}

The Vulnerability
void __cdecl bup_init_trace_hub()
{
  ...
  int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
  int cookie; // [esp+344h] [ebp-Ch]
  cookie = gRmlbCookie;
  ...
  if ( !(getDW_sel(0xBF, 0xE0u) & 0x1000000)
    && !bup_get_si_features(si_features)
    && !bup_dfs_get_file_size("/home/bup/ct", &file_size) )
  {
    if ( file_size )
    {
      LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
      ...
  if ( gRmlbCookie != cookie )
    sys_fault();
}

808-byte Mystery
void __cdecl bup_init_trace_hub()
{
  ...
  int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
  ...
}

Trace Hub Configuration Binary
name          mode  opt   cb    uid   gid   offset
.             13C0  0000  0000  0003  0000  00003388
ct            01E0  0009  0000  0003  015F  0000338B
df_cpu_info   01FF  0009  0004  0003  00CE  0000338B
mode               path
                   /home/
---rwxr----- ?--F  /home/bup/ct
---rwxrwxrwx ?--F  /home/bup/df_cpu_info
Not signed
opt: From fitc.cfg
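The bound that the read on the slides above lacks, as an added example that is not the authors' or Intel's code: a loader that rejects a file larger than the 808-byte buffer and also checks the entry count taken from the file's second word before any entry is used. The names ct_load_checked, ct_file, ct_demo and the status codes are hypothetical, and the two-word header followed by two-word entries is inferred from the decompiled loop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CT_WORDS 202                              /* capacity of ct_data[202] on the slide */
#define CT_BYTES (CT_WORDS * sizeof(uint32_t))    /* 808 bytes */

enum ct_status { CT_OK, CT_EMPTY, CT_TOO_LARGE, CT_TRUNCATED, CT_BAD_COUNT };

/* Hypothetical stand-in for the file store: file contents plus recorded size. */
struct ct_file { const uint8_t *data; size_t size; };

/* Copy the file into out[] only if it fits, then check that the entry count in
   the high 16 bits of word 1 stays inside the bytes that were actually read. */
enum ct_status ct_load_checked(const struct ct_file *f, uint32_t out[CT_WORDS],
                               size_t *entries)
{
    if (f->size == 0) return CT_EMPTY;
    if (f->size > CT_BYTES) return CT_TOO_LARGE;             /* size is file-controlled */
    if (f->size < 2 * sizeof(uint32_t)) return CT_TRUNCATED; /* need words 0 and 1 */
    memset(out, 0, CT_BYTES);
    memcpy(out, f->data, f->size);
    size_t count = out[1] >> 16;                             /* HIWORD(ct_data[1]) */
    size_t words_read = f->size / sizeof(uint32_t);
    if (2 * count + 2 > words_read) return CT_BAD_COUNT;     /* entry i uses words 2i+2, 2i+3 */
    *entries = count;
    return CT_OK;
}

/* Constructed sample input: a zeroed image of `size` bytes (at most 2048)
   whose header claims `count` entries. */
enum ct_status ct_demo(size_t size, uint16_t count, size_t *entries)
{
    static uint32_t image[512];
    uint32_t out[CT_WORDS];
    memset(image, 0, sizeof image);
    image[1] = (uint32_t)count << 16;
    struct ct_file f = { (const uint8_t *)image, size };
    return ct_load_checked(&f, out, entries);
}

int main(void)
{
    size_t n = 0;
    printf("808 bytes, 100 entries -> %d\n", ct_demo(808, 100, &n));
    printf("812 bytes              -> %d\n", ct_demo(812, 1, &n));
    printf("24 bytes, 3 entries    -> %d\n", ct_demo(24, 3, &n));
    return 0;
}
```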

Stack Guard
void __cdecl bup_init_trace_hub()
{
  ...
  int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
  int cookie; // [esp+344h] [ebp-Ch]
  cookie = gRmlbCookie;
  ...
  if ( !(getDW_sel(0xBF, 0xE0u) & 0x1000000)
    && !bup_get_si_features(si_features)
    && !bup_dfs_get_file_size("/home/bup/ct", &file_size) )
  {
    if ( file_size )
    {
      LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
      ...
  if ( gRmlbCookie != cookie )
    sys_fault();
}

Stack Guard Implementation
- Each process has unique value for stack cookie
- Value is obtained from hardware random number generator
- Stored in nonvolatile process memory
- If stack’s copy of cookie is changed, process terminates

Bypass mitigations

How to Bypass Stack Guard?
- Break random number generator
- Intercept code flow before cookie checking

Break Random Number Generator
signed int InitRandDev()
{
  signed int i; // edx@1
  signed int result; // eax@4
  dev_rnd_seed = 0xDC80;
  dev_rnd_conf = 0x44050;
  RandDevPriming(0x190u);
  i = 1001;
  while ( !(dev_rand_sts & 1) )
  {
    if ( !--i )
      return DEVERROR;
  }
  result = DEVERROR;
  if ( (dev_rand_sts & 0xF) == 15 )
    result = NOERROR;
  return result;
}
If Random Number Generator is broken, RBE doesn’t start at all

How to Bypass Stack Guard?
- Break random number generator
- Intercept code flow before cookie checking

Code Flow (For C Programmers)
void __cdecl bup_init_trace_hub()
{
  ...
  LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
  ...
}
char __cdecl bup_dfs_read_file(char *file_name, int offset, char *buffer, unsigned int read_size, unsigned int *out_bytes_read)
{
  ...
  *out_bytes_read = read_size;
  LOBYTE(res) = bup_read_mfs_file(7, fitc_file_desc.data_offset + offset, out_bytes_read, sm_mem_id, 0);
  ...
}
int __cdecl bup_read_mfs_file(BUP_MFS_DESC *mfs_desc, int file_number, unsigned int offset, unsigned int *size, int sm_block_idx, __int16 proc_thread_id)
{
  ...
  while ( 1 ) {
    if ( cur_offset >= read_size ) break;
    ...
    err = bup_mfs_read_data_chunks(mfs_desc, buffer, mfs_desc->data_chunks_offset + ((read_start_chunk_id - mfs_desc->total_files) << 6), block_chunks_count);
    ...
    err = sys_write_shared_mem(proc_thread_id, sm_block_idx, cur_offset, &buffer[chunk_offset], copy_size, copy_size);
    ...
  }
  ...
}
signed int __cdecl sys_write_shared_mem(__int16 owner_proc_thread_id, int block_idx, int offset, char *src_data, unsigned int src_size, unsigned int write_size)
{
  ...
  sm_block_desc = sys_get_shared_mem_block(block_idx);
  ...
  memcpy_s((sm_block_desc->start_addr + offset), sm_block_size - offset, src_data, write_size);
  ...
}

Code Flow (For People)
bup_init_trace_hub
bup_dfs_read_file
bup_read_mfs_file
sys_write_shared_mem

Inside sys_write_shared_mem
signed int __cdecl sys_write_shared_mem(...)
{
  ...
  sm_block_desc = sys_get_shared_mem_block(block_idx);
  ...
  memcpy_s((sm_block_desc->start_addr + linked_block_idx + offset), sm_block_size - offset, src_data, write_size);
  ...
}
[...]
int __cdecl sys_get_ctx_struct_addr(SYS_LIB_CTX_STRUCT_ID struct_id)
{
  sys_ctx_start_ptr = sys_get_tls_data_ptr(SYSLIB_GLB_SYS_CTX);
  switch ( struct_id ) {
    case SYS_CTX_SHARED_MEM:
      addr = *sys_ctx_start_ptr + 0x68;
      break;
    ...
  }
  return addr;
}
sys_get_tls_data_ptr proc near
tls_idx = dword ptr 8
  push ebp
  mov ebp, esp
  mov eax, large gs:0
  mov ecx, [ebp+tls_idx]
  pop ebp
  lea edx, ds:0[ecx*4]
  sub eax, edx
  retn
sys_get_tls_data_ptr endp

What is gs:[0]?
[Figure: Thread Local Storage addressed relative to gs:[0]. Labels: syslib ctx pointer, last error, thread ID (-8), self pointer (-4), 0; offsets -0x10 and -0xC are also marked. Further labels: SYS_CTX_SHARED_MEM_CTRL 0x68, KERN_SHARED_MEM_DESC 0x28. Three shared memory descriptors are drawn, each with the fields isUsed, start address, size, mmio selector, target thread io handle, at offsets 0, 4, 8, 0xC, 0x10.]

Serious Architecture Problem
Thread Local Storage resides at thread stack bottom

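Stack Layout
[Figure: thread stack drawn from 0x00000000 toward 0xffffffff. Labels in order: buffer, cookie, ret address, callers’ frames, unused, Thread Local Storage (syslib ctx ptr, last error, thread ID, self pointer; gs:[0]), default heap. Arrows: "Overflow progress", "Stack grows".]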

A New Hope
- Function bup_read_mfs_file gets address of destination buffer from syslib context
- Reads file data and writes to destination by chunks iteratively
- We can get arbitrary write primitive replacing syslib context pointer
- We can rewrite memcpy’s return address

Arbitrary Write Scheme
[Figure labels: buffer, new syslib ctx, new smem desc, syslib ctx ptr, smem desc, syslib ctx; memcpy frame (called by sys_shared_mem_write) with ret addr, dst, src, count; "controlled destination of next chunk copy".]

Non-Executable Stack

Non-Executable Stack
Problem: Stack segment doesn’t intersect with code segment
Solved: We found ROP gadgets for own process creation

Non-Executable Stack Bypass
- Create own code module and integrate it into firmware
- Using ROP, load the module into memory
- Using ROP, create new process with highest privileges

Vulnerability Overview

CVE-2017-5705,6,7
- CVSSv3: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2 High)
- Attacker with local access to the system can load and execute arbitrary code
- Affected: Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE)

Affected Products
- 6th, 7th & 8th Generation Intel Core Processor Family
- Intel Xeon Processor E3-1200 v5 & v6 Product Family
- Intel Xeon Processor Scalable Family
- Intel Xeon Processor W Family
- Intel Atom C3000 Processor Family
- Apollo Lake Intel Atom Processor E3900 series
- Apollo Lake Intel Pentium Celeron N and J series Processors

Possible Exploitation Vectors

Possible Exploitation Vectors
Restriction: Attacker needs write access to MFS partition of ME SPI region

Ways to Rewrite ME SPI Region
- Mistakes in SPI flash region settings in SPI flash descriptor
- Via HMR-FPO HECI message
- Manufacture mode
- Attack on UEFI setup variable
- DMA attack
- Security Descriptor Override jumper
- SPI programmer
- ...

Is Remote Exploitation Possible?
Yes, if:
- AMT is enabled on the target and attacker knows password*
- BIOS has “Flash Rewrite Enable” option
- BIOS password is blank or known
*Attacker can use AMT authentication bypass vulnerability (CVE-2017-5689)

BAD NEWS

Bad News – HAP
HAP is no cure-all (for CVE-2017-5705,6,7)*
*Mark Ermolov, Maxim Goryachy, Disabling Intel ME 11 via undocumented mode [DMU17]

Bad News – Firmware Downgrade
Intel Firmware Update against CVE-2017-5705,6,7 doesn’t help because ROM allows ME downgrading

Bad News – TLS
ME 11.8.50.3399: TLS is still in the same place

Demo time

Demo 1
AMT on non-vPro platform

Demo 2
JTAG for Intel ME

Demo 3
Hello from Intel ME

Intel ME 11 – Related Technologies
- Intel Active Management Technology
- Intel Protected Audio Video Path
- Intel Platform Trust Technology (fTPM)
- Intel Software Guard Extensions
- Intel Boot Guard

100% Protection?
Waiting for Intel Management Engine 13! (maybe Intel will remove it from PCH. ;)

Our Achievements
- Switched-on AMT on non-vPro systems
- Activated JTAG for Intel ME via the vulnerability
- Dumped starter code (aka ROM)
- Recovered complete Huffman code for ME 11
- Extracted Integrity and Confidentiality Platform Keys [FFS17]
- Bypassed Intel Boot Guard

Kudos!
- Positive Technologies for allowing us to spend part of our working time on it!
- Dmitry Sklyarov
- Plato Mavropoulos
- People who have helped us but don’t want their names to be published ;)

Disclosure timeline
27/06/2017 - Bug reported to Intel PSIRT
28/06/2017 - Intel started initial investigation
05/07/2017 - Intel requested proof-of-concept
06/07/2017 - Additional information sent to Intel PSIRT
17/07/2017 - Intel acknowledged the vulnerability
28/07/2017 - Bounty payment received
20/11/2017 - Intel published SA-00086 security advisory

References
[IMS14] Igor Skochinsky, Intel ME Secrets. Hidden code in your chipset and how to discover what exactly it does. Hex-Rays. RECON 2014.
[STW17] Dmitry Sklyarov, ME: The Way of the Static Analysis. Troopers 2017.
[FFS17] Dmitry Sklyarov, Intel ME: flash file system explained, Black Hat Europe, 2017.
[IRR09] Alexander Tereshkin, Rafal Wojtczuk, Introducing Ring-3 Rootkits. Black Hat USA, 2009 Las Vegas, NV.
[SMT10] Vassilios Ververis, Security Evaluation of Intel’s Active Management Technology, Sweden 2010 TRITA-ICT-EX-2010:37.
[PSTR14] Xiaoyu Ruan, Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine, 2014, Apress, ISBN 978-14302-6572-6.
[ASM17] Dmitriy Evdokimov, Alexander Ermolov, Maksim Malyutin, Intel AMT Stealth Breakthrough, Black Hat USA, 2017 Las Vegas, NV.
[DMU17] Mark Ermolov, Maxim Goryachy, Disabling Intel ME 11 via undocumented w-en/analytics/Intel-ME-disable-eng.pdf, 2017.

Thank you! Questions?
Mark Ermolov, Maxim Goryachy
