|
|
BugTraq
Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 12 2015 11:44AM Kevin Beaumont (kevin beaumont gmail com) (3 replies) RE: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 13 2015 01:33PM Limanovski, Dimitri (dimitri limanovski blackrock com) (1 replies) Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 13 2015 06:48PM Kevin Beaumont (kevin beaumont gmail com) Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 12 2015 05:33PM Stefan Kanthak (stefan kanthak nexgo de) (2 replies) Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 15 2015 07:06PM Pedro Ribeiro (pedrib gmail com) Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor Aug 13 2015 06:45PM Kevin Beaumont (kevin beaumont gmail com) |
|
Privacy Statement |
https://www.us-cert.gov/ncas/current-activity/2015/08/12/Lenovo-Service-
Engine-LSE-BIOS-Vulnerability
2015-08-12 14:44 GMT+03:00 Kevin Beaumont <kevin.beaumont (at) gmail (dot) com [email concealed]>:
> PRECURSOR
>
> There will be debate about if this is a vulnerability. It affects a
> majority of user PCs -- including all Enterprise editions of Windows,
> there is no way to disable it, and allows direct code execution into
> secure boot sequences. I believe it is worth discussing.
>
> SCOPE
>
> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table. Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
>
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:downlo
ad.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/win
dows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted. The
> executable code is run under under Session Manager context (i.e.
> SYSTEM).
>
> This technique is being used by Lenovo and HP to silently deliver
> software, even after systems are completely wiped. This issue came to
> light in this forum thread:
> http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819
>
> Additionally, the code is injected and executed in Windows after the
> Windows kernel has booted - meaning hard drives are accessible. In a
> HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
> 18 - they reference they use Windows Platform Binary Table to inject
> their code into encrypted systems (e.g. BitLocker) (!!!!).
>
> MITIGATIONS
>
> It is not possible to disable this functionality. If you can gain
> access to the BIOS, you can inject code into the Windows boot sequence
> using the documentation linked above. The BIOS delivered PE code is
> not countersigned by Microsoft.
>
> Microsoft say: "If partners intentionally or unintentionally introduce
> malware or unwanted software though the WPBT, Microsoft may remove
> such software through the use of antimalware software. Software that
> is determined to be malicious may be subject to immediate removal
> without notice."
>
> However, you are relying on Microsoft being aware of attacks. Since
> the code is executed in memory and not written to disk prior to
> activation, Windows Defender does not even scan the executed code.
[ reply ]