Sign up to save your podcasts
Or
Share Corey Kallenberg and Xeno Kovah - Extreme Privilege Escalation On Windows 8/UEFI Systems
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Corey Kallenberg and Xeno Kovah - Extreme Privilege Escalation On Windows 8/UEFI Systems
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation.pdf
Additional Materials available here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation-WP-UPDATED.pdf
Extreme Privilege Escalation On Windows 8/UEFI Systems
Corey Kallenberg MITRE
Xeno Kovah MITRE
It has come to light that state actors install implants in the BIOS. Let no one ever again question whether BIOS malware is practical or present in the wild. However, in practice attackers can install such implants without ever having physical access to the box. Exploits against the BIOS can allow an attacker to inject arbitrary code into the platform firmware. This talk will describe two such exploits we developed against the latest UEFI firmware.
The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined “runtime services” interface between the OS and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a user land process. Vulnerabilities in this interface can potentially allow a user land process to escalate its privileges from “ring 3” all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM).
This talk will disclose two vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.
View all episodes
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation.pdf
Additional Materials available here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation-WP-UPDATED.pdf
Extreme Privilege Escalation On Windows 8/UEFI Systems
Corey Kallenberg MITRE
Xeno Kovah MITRE
It has come to light that state actors install implants in the BIOS. Let no one ever again question whether BIOS malware is practical or present in the wild. However, in practice attackers can install such implants without ever having physical access to the box. Exploits against the BIOS can allow an attacker to inject arbitrary code into the platform firmware. This talk will describe two such exploits we developed against the latest UEFI firmware.
The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined “runtime services” interface between the OS and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a user land process. Vulnerabilities in this interface can potentially allow a user land process to escalate its privileges from “ring 3” all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM).
This talk will disclose two vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.