Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: BIOS

[DeepSec 2014] A Myth or Reality – BIOS-based Hypervisor Threat – Mikhail Utin


This talk is a status report on BIOS-based hypervisor research.

Myth and reality often intersect and interchange… this is how life works.

A myth about a Malicious Hypervisor (the “Russian Ghost”) appeared on the Russian “Hacker” website at the end of 2011. It has all the attributes of a myth: there were rumours about the post, and the storyteller described it as reality.

We believe it was real, or may still exist, and we may know where it was born and eventually escaped from.

This research follows three individual cases.

Case #1: Malicious BIOS Loaded Hypervisor – MBLH (released 2011)

Published in Russian, on a Russian site.

A typical Russian computer science project to develop a high-performance computer system (not associated with information security). Troubleshooting issues in the project revealed that the Chinese-made motherboards contained additional software modules embedded in the BIOS, which the standard analysis software did not see.

Although the boards were labelled “assembled in Canada”, the majority of the components were of Chinese origin.

The Chinese boards had two software systems working simultaneously: a malicious hypervisor embedded in the BIOS, which uses the Intel CPU's hardware virtualization capability (VT-x) to run underneath the operating system.

Detection came from comparing the execution time of system commands between the “Chinese” and “Canadian” boards: commands on the boards carrying the MBLH took dramatically longer (around 60x slower), and that timing difference is what exposed the hidden hypervisor.
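As an added example of the timing approach (my own illustration, not the speaker's tooling or the method used in the Russian project): the probe below times the CPUID instruction with the TSC, because under Intel VT-x CPUID always traps to the hypervisor, which makes it the cheapest instruction to measure. It also reads the CPUID “hypervisor present” bit for comparison, which a cooperative hypervisor sets and a malicious one can simply leave clear. The 1000-cycle threshold and the 1000-sample count are assumptions for illustration; calibrate against a known-clean machine of the same model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed threshold for illustration: CPUID natively costs on the order of
 * 100-300 cycles on modern Intel parts; a VM exit round trip adds well over
 * 1000. Tune it by measuring a known-clean machine of the same model. */
#define CPUID_SUSPICIOUS_CYCLES 1000u

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid, __get_cpuid */
#include <x86intrin.h>  /* __rdtsc */

/* Cycles for one CPUID(0): under Intel VT-x this instruction always exits to the hypervisor. */
static uint64_t time_cpuid_once(void) {
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return end - start;
}

/* Cycles for the bare TSC read pair: the non-trapping baseline the probe is compared to. */
static uint64_t time_baseline_once(void) {
    uint64_t start = __rdtsc();
    __asm__ __volatile__("" ::: "memory");
    uint64_t end = __rdtsc();
    return end - start;
}

/* CPUID.1:ECX[31], the "hypervisor present" bit. Cooperative hypervisors set it; a stealth one need not. */
int hypervisor_bit_set(void) {
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (int)((c >> 31) & 1u);
}
#else
/* Non-x86 build: no CPUID/TSC, so the probes report nothing. */
static uint64_t time_cpuid_once(void) { return 0; }
static uint64_t time_baseline_once(void) { return 0; }
int hypervisor_bit_set(void) { return 0; }
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts v in place); the median resists interrupt and scheduling spikes. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Run a probe n times and return the median cycle count. */
uint64_t sample_median(uint64_t (*probe)(void), size_t n) {
    uint64_t *v = malloc(n * sizeof *v);
    if (!v) return 0;
    for (size_t i = 0; i < n; i++) v[i] = probe();
    uint64_t m = median_u64(v, n);
    free(v);
    return m;
}

/* Timing verdict: 1 if CPUID costs more than the threshold over the baseline. */
int timing_suspicious(uint64_t cpuid_cycles, uint64_t baseline_cycles, uint64_t threshold) {
    return cpuid_cycles > baseline_cycles + threshold;
}

int main(void) {
    uint64_t base  = sample_median(time_baseline_once, 1000);
    uint64_t probe = sample_median(time_cpuid_once, 1000);
    printf("baseline median: %llu cycles\n", (unsigned long long)base);
    printf("CPUID median:    %llu cycles\n", (unsigned long long)probe);
    printf("CPUID.1:ECX[31] hypervisor bit: %d\n", hypervisor_bit_set());
    printf("timing verdict: %s\n",
           timing_suspicious(probe, base, CPUID_SUSPICIOUS_CYCLES) ? "hypervisor suspected" : "looks native");
    return 0;
}
```

The bit is informational only; the timing median is the signal that survives a hypervisor trying to hide, which is the point of Case #1: the hidden hypervisor was invisible to the standard analysis tools but could not make trapped instructions fast. A determined hypervisor can adjust the guest TSC offset on every exit to narrow the gap, so when in doubt compare against an external clock as well.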

All attempts to bring this issue to light within Russia were dismissed. However, the author was able to confirm (with some details still missing) that the malicious hypervisor is embedded in the BMC BIOS.

Case #2: “SubVirt: Implementing Malware with Virtual Machines” – University of Michigan and Microsoft Research

2005/2006 research paper introducing the Virtual Machine Based Rootkit (VMBR).

“We demonstrated that a VMBR can be implemented on commodity hardware and can be used to implement a wide range of malicious services.”

Installed as a shim between the BIOS and the operating system, the VMBR only loses control of the system during the window at reboot when the BIOS is in control.

This research was performed on systems without hardware virtualization support.

The research timeline for Case #1 (2007-2010) starts straight after the SubVirt research was released (2006).

Case #3: Widespread Distribution of a Malicious Hypervisor via IPMI Vulnerability (2013)

“Illuminating the Security Issues Surrounding Lights-Out Server Management” – University of Michigan

“IPMI malware carries similar threats to BIOS and is likely easier to develop, since many BMCs run a standard operating system… if widely used IPMI devices can be compromised remotely, they can be leveraged to create a large network of bots.”

Four of the five attack scenarios highlighted in this research map to those seen in Case #1.

These attacks cannot be defended against without vendor assistance, and an infection is not easy to detect.

With the current trend towards cloud services, this may affect overall information security.

Conclusions

This style of attack is dangerous and could infiltrate millions of servers worldwide.

In theory these infections cannot be identified… but we still have a chance.

There's no protection against this; put your server in a dumpster (special thanks to IPMI).

No security standard calls for protection of the management interface (IPMI).


{QuickPost} Windows 8 Digital Product Key recovery

Recently I've started moving my lab systems over from my old faithful MacBook Pro to a new Lenovo system. After receiving the new Lenovo and booting into Windows 8 Pro for the first time, I did what any sane person would… formatted the thing and installed a usable operating system.

After the usual tinkering period and getting everything set up just right, I turned my mind to setting up the various lab VMs I wanted, and quickly realized that my new Lenovo with Windows 8 Pro had no license key. No sticker, nothing in the documentation, nothing on the box. Where the F was that little code I needed to get Windows 8 Pro running in my VirtualBox lab?

Well, the answer came quickly… it's in the firmware. When you install Windows 8 it checks for a Digital Product Key (DPK) embedded by the OEM and uses it. Simple, except I'm pretty sure my VirtualBox VM isn't going to read the key from my BIOS through a thin layer of virtualized hardware (although I could be wrong on that). So, after digging about on the net and finding a whole load of “if you run Windows just do this” type solutions, I started digging around in my firmware tables using a few Linux tools (dmidecode and acpidump).

Although dmidecode gives a nicely decoded view of most of the SMBIOS data, it didn't pick out the information I was looking for (still interesting stuff), which makes sense: the DPK lives in an ACPI table, not in SMBIOS. In the end I used acpidump to dump the tables and combed through the output looking for the MSDM table containing my Windows 8 Pro DPK.

Walkthrough

sudo acpidump -t MSDM

This prints the MSDM table as hex alongside its ASCII decoding, and the DPK is readable in the ASCII column. Newer acpica-tools builds of acpidump select a table by signature with -n MSDM rather than -t; on Linux the raw table can also be read directly from /sys/firmware/acpi/tables/MSDM as root.
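To pull the key out programmatically rather than reading it off the hex dump, here is an added example (not from the original post) that parses the MSDM table. It assumes the layout from Microsoft's MSDM specification: the 36-byte ACPI header, then five little-endian uint32 fields (Version, Reserved, DataType, DataReserved, DataLength), then the 29-character ASCII key; it validates the ACPI checksum before trusting anything. The built-in input is a constructed table with a made-up key; on Linux, run as root, it reads the real table from /sys/firmware/acpi/tables/MSDM instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HDR_LEN    36
#define MSDM_DATA_OFF   56                               /* header + Version, Reserved, DataType, DataReserved, DataLength */
#define MSDM_KEY_LEN    29                               /* XXXXX-XXXXX-XXXXX-XXXXX-XXXXX */
#define MSDM_TABLE_LEN  (MSDM_DATA_OFF + MSDM_KEY_LEN)   /* 85 bytes for a standard product-key table */
#define MSDM_TYPE_KEY   1                                /* DataType 1 = OEM product key */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ACPI checksum rule: every byte of the table, checksum byte included, sums to 0 mod 256. */
int acpi_checksum_ok(const uint8_t *tbl, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + tbl[i]);
    return sum == 0;
}

/* Validate an MSDM table and copy its key into out (needs MSDM_KEY_LEN + 1 bytes). 0 on success. */
int msdm_extract_key(const uint8_t *tbl, size_t len, char *out, size_t outlen) {
    if (len < MSDM_TABLE_LEN || outlen < MSDM_KEY_LEN + 1) return -1;
    if (memcmp(tbl, "MSDM", 4) != 0) return -2;          /* wrong signature */
    uint32_t tlen = rd32(tbl + 4);
    if (tlen < MSDM_TABLE_LEN || tlen > len) return -3;  /* length field disagrees with buffer */
    if (!acpi_checksum_ok(tbl, tlen)) return -4;         /* corrupt or truncated dump */
    if (rd32(tbl + ACPI_HDR_LEN + 8) != MSDM_TYPE_KEY) return -5;
    uint32_t dlen = rd32(tbl + ACPI_HDR_LEN + 16);
    if (dlen != MSDM_KEY_LEN || MSDM_DATA_OFF + dlen > tlen) return -6;
    memcpy(out, tbl + MSDM_DATA_OFF, dlen);
    out[dlen] = '\0';
    return 0;
}

/* Build a synthetic, checksum-correct MSDM table around a 29-character key (constructed test data). */
void msdm_build_sample(const char *key, uint8_t out[MSDM_TABLE_LEN]) {
    memset(out, 0, MSDM_TABLE_LEN);
    memcpy(out, "MSDM", 4);
    wr32(out + 4, MSDM_TABLE_LEN);
    out[8] = 3;                                      /* revision */
    memcpy(out + 10, "EXAMPL", 6);                   /* OEM ID (made up) */
    memcpy(out + 16, "EXAMPLTB", 8);                 /* OEM table ID (made up) */
    wr32(out + 24, 1);                               /* OEM revision */
    memcpy(out + 28, "EXMP", 4);                     /* creator ID (made up) */
    wr32(out + 32, 1);                               /* creator revision */
    wr32(out + ACPI_HDR_LEN + 0, 1);                 /* Version */
    wr32(out + ACPI_HDR_LEN + 8, MSDM_TYPE_KEY);     /* DataType */
    wr32(out + ACPI_HDR_LEN + 16, MSDM_KEY_LEN);     /* DataLength */
    memcpy(out + MSDM_DATA_OFF, key, MSDM_KEY_LEN);
    uint8_t sum = 0;                                 /* checksum byte (offset 9) is still 0 here */
    for (size_t i = 0; i < MSDM_TABLE_LEN; i++) sum = (uint8_t)(sum + out[i]);
    out[9] = (uint8_t)(0u - sum);
}

int main(void) {
    uint8_t tbl[256];
    size_t n = 0;
    /* Linux exports raw ACPI tables here (root required); fall back to the sample if unavailable. */
    FILE *f = fopen("/sys/firmware/acpi/tables/MSDM", "rb");
    if (f) { n = fread(tbl, 1, sizeof tbl, f); fclose(f); }
    if (n == 0) {
        msdm_build_sample("BCDFG-HJKMP-QRTVW-XY234-6789B", tbl); /* made-up key, valid character set only */
        n = MSDM_TABLE_LEN;
        puts("no readable MSDM table, using constructed sample");
    }
    char key[MSDM_KEY_LEN + 1];
    int rc = msdm_extract_key(tbl, n, key, sizeof key);
    if (rc == 0) printf("DPK: %s\n", key);
    else printf("MSDM parse failed (%d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The checksum check matters when the input is a hand-trimmed acpidump output or a table copied off a flashed image: a single wrong byte fails the check rather than yielding a key that looks plausible but will never activate.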


Enjoy!
