Penetration Testing
Malicious Code Execution in PCI Expansion ROM Jul 02 2012 07:17PM
Adam Behnke (adam infosecinstitute com)
The malicious code in x86/x64 firmware can potentially reside in many
places. One of them is in the PCI expansion ROM. In the past, the small
amount of memory during PCI expansion ROM execution acted as a hindrance to
malicious code. The limited space for code and data limited the possible
tasks that could be carried out by such malicious codes. However, this
article explains how a malicious PCI expansion ROM might exploit a
little-known BIOS memory management interface to break through the memory
"barrier," thus creating a potentially more complex threat. The discussion
in this article is limited to PCI expansion ROM conforming to PCI firmware
revision 3.1 specification.

This newly "discovered" larger memory footprint enables a malware creator to
place (at least) a simple file system infector inside the PCI expansion ROM
(a compressed one). During PCI expansion ROM execution, the compressed file
system infector could have the memory it requires through memory allocation
with the PMM functions, provided that the BIOS implemented PMM-which is most
likely the case in the last 3 to 5 years. Another issue is that a malware
creator might abuse the presence of the "permanent" memory allocated for PCI
expansion ROM through the pmmAllocate() function by using the permanent
memory flag during the call to pmmAllocate().Additionally, a rogue but
simple network "interceptor" code might be possible given the jump in the
memory footprint, and if the interceptor hides in the "permanent" memory, it
could be troublesome.

View here: http://resources.infosecinstitute.com/pci-expansion-rom/ to read
the full article and walkthrough at InfoSec Institute.

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus