elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado:


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Seguridad (Moderador: r32)
| | |-+  Vulnerabilidades en las placas base nivel firmware
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: Vulnerabilidades en las placas base nivel firmware  (Leído 4,893 veces)
Hason


Desconectado Desconectado

Mensajes: 791


Keep calm and use the spiritual force


Ver Perfil WWW
Vulnerabilidades en las placas base nivel firmware
« en: 17 Febrero 2020, 21:41 pm »

Vulnerabilidad crítica de ataque a cualquier pc de usuario a nivel firmware....
Se puede hacer a nivel físico que es lo más facil, o incluso con exploids.

Con esta herramienta podemos analizar nuestro firmware bios para saber si nos han modificado la bios y han bloqueado regiones de esta misma.


https://neverendingsecurity.wordpress.com/2015/04/07/uefi_boot_script_expl-chipsec-module-that-exploits-uefi-boot-script-table-vulnerability/?fbclid=IwAR2W9mLusuTHsJ70vw4U3fdma5W4xinqc8Qp08ttF07iAHlWTwS9XSKe8Z4

Este es mi log de chipsec con linux:

Código:
root@pow:/home/pow/chipsec# sudo chipsec_main
################################################################
## ##
## CHIPSEC: Platform Hardware Security Assessment Framework ##
## ##
################################################################
[CHIPSEC] Version 1.4.7
[CHIPSEC] Arguments:
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] OS : Linux 4.15.0-87-generic #87-Ubuntu SMP Fri Jan 31 19:32:37 UTC 2020 x86_64
[CHIPSEC] Python : 2.7.17 (64-bit)
[CHIPSEC] Helper : LinuxHelper (/usr/local/lib/python2.7/dist-packages/chipsec-1.4.7-py2.7-linux-x86_64.egg/chipsec/helper/linux/chipsec.ko)
[CHIPSEC] Platform: Desktop 4th Generation Core Processor (Haswell CPU / Lynx Point PCH)
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 0C00
[CHIPSEC] RID: 06
[CHIPSEC] PCH : Default PCH
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 8C5C
[CHIPSEC] RID: 05

[*] loading common modules from "/usr/local/lib/python2.7/dist-packages/chipsec-1.4.7-py2.7-linux-x86_64.egg/chipsec/modules/common" ..
[+] loaded chipsec.modules.common.bios_smi
[+] loaded chipsec.modules.common.ia32cfg
[+] loaded chipsec.modules.common.spi_access
[+] loaded chipsec.modules.common.smm
[+] loaded chipsec.modules.common.memlock
[+] loaded chipsec.modules.common.me_mfg_mode
[+] loaded chipsec.modules.common.spi_fdopss
[+] loaded chipsec.modules.common.spi_desc
[+] loaded chipsec.modules.common.spi_lock
[+] loaded chipsec.modules.common.bios_wp
[+] loaded chipsec.modules.common.bios_ts
[+] loaded chipsec.modules.common.rtclock
[+] loaded chipsec.modules.common.bios_kbrd_buffer
[+] loaded chipsec.modules.common.spd_wd
[+] loaded chipsec.modules.common.smrr
[+] loaded chipsec.modules.common.sgx_check
[+] loaded chipsec.modules.common.secureboot.variables
[+] loaded chipsec.modules.common.cpu.spectre_v2
[+] loaded chipsec.modules.common.cpu.cpu_info
[+] loaded chipsec.modules.common.uefi.access_uefispec
[+] loaded chipsec.modules.common.uefi.s3bootscript
[*] loading platform specific modules from "/usr/local/lib/python2.7/dist-packages/chipsec-1.4.7-py2.7-linux-x86_64.egg/chipsec/modules/hsw" ..
[*] loading modules from "/usr/local/lib/python2.7/dist-packages/chipsec-1.4.7-py2.7-linux-x86_64.egg/chipsec/modules" ..
[+] loaded chipsec.modules.remap
[+] loaded chipsec.modules.smm_dma
[+] loaded chipsec.modules.memconfig
[+] loaded chipsec.modules.debugenabled
[*] running loaded modules ..

[*] running module: chipsec.modules.common.bios_smi
[x][ =======================================================================
[x][ Module: SMI Events Configuration
[x][ =======================================================================
[+] SMM BIOS region write protection is enabled (SMM_BWP is used)

[*] Checking SMI enables..
Global SMI enable: 1
TCO SMI enable : 1
[+] All required SMI events are enabled

[*] Checking SMI configuration locks..
[+] TCO SMI configuration is locked (TCO SMI Lock)
[+] SMI events global configuration is locked (SMI Lock)

[+] PASSED: All required SMI sources seem to be enabled and locked

[*] running module: chipsec.modules.common.ia32cfg
[x][ =======================================================================
[x][ Module: IA32 Feature Control Lock
[x][ =======================================================================
[*] Verifying IA32_Feature_Control MSR is locked on all logical CPUs..
[*] cpu0: IA32_Feature_Control Lock = 1
[*] cpu1: IA32_Feature_Control Lock = 1
[*] cpu2: IA32_Feature_Control Lock = 1
[*] cpu3: IA32_Feature_Control Lock = 1
[+] PASSED: IA32_FEATURE_CONTROL MSR is locked on all logical CPUs

[*] running module: chipsec.modules.common.spi_access
[x][ =======================================================================
[x][ Module: SPI Flash Region Access Control
[x][ =======================================================================
SPI Flash Region Access Permissions
------------------------------------------------------------
[*] FRAP = 0x0000FFFF << SPI Flash Regions Access Permissions Register (SPIBAR + 0x50)
[00] BRRA = FF << BIOS Region Read Access
[08] BRWA = FF << BIOS Region Write Access
[16] BMRAG = 0 << BIOS Master Read Access Grant
[24] BMWAG = 0 << BIOS Master Write Access Grant

BIOS Region Write Access Grant (00):
FREG0_FLASHD: 0
FREG1_BIOS : 0
FREG2_ME : 0
FREG3_GBE : 0
FREG4_PD : 0
FREG5 : 0
FREG6 : 0
BIOS Region Read Access Grant (00):
FREG0_FLASHD: 0
FREG1_BIOS : 0
FREG2_ME : 0
FREG3_GBE : 0
FREG4_PD : 0
FREG5 : 0
FREG6 : 0
BIOS Region Write Access (FFF):
FREG0_FLASHD: 1
FREG1_BIOS : 1
FREG2_ME : 1
FREG3_GBE : 1
FREG4_PD : 1
FREG5 : 1
FREG6 : 1
BIOS Region Read Access (FFF):
FREG0_FLASHD: 1
FREG1_BIOS : 1
FREG2_ME : 1
FREG3_GBE : 1
FREG4_PD : 1
FREG5 : 1
FREG6 : 1
[*] Software has write access to Platform Data region in SPI flash (it's platform specific)
[!] WARNING: Software has write access to GBe region in SPI flash
[-] Software has write access to SPI flash descriptor
[-] Software has write access to Management Engine (ME) region in SPI flash
[-] FAILED: SPI Flash Region Access Permissions are not programmed securely in flash descriptor

[*] running module: chipsec.modules.common.smm
[x][ =======================================================================
[x][ Module: Compatible SMM memory (SMRAM) Protection
[x][ =======================================================================
[*] PCI0.0.0_SMRAMC = 0x1A << System Management RAM Control (b:d.f 00:00.0 + 0x88)
[00] C_BASE_SEG = 2 << SMRAM Base Segment = 010b
[03] G_SMRAME = 1 << SMRAM Enabled
[04] D_LCK = 1 << SMRAM Locked
[05] D_CLS = 0 << SMRAM Closed
[06] D_OPEN = 0 << SMRAM Open
[*] Compatible SMRAM is enabled
[+] PASSED: Compatible SMRAM is locked down

[*] running module: chipsec.modules.common.memlock
[x][ =======================================================================
[x][ Module: Check MSR_LT_LOCK_MEMORY
[x][ =======================================================================
[X] Checking MSR_LT_LOCK_MEMORY status
[*] cpu0: MSR_LT_LOCK_MEMORY[LT_LOCK] = 1
[*] cpu1: MSR_LT_LOCK_MEMORY[LT_LOCK] = 1
[*] cpu2: MSR_LT_LOCK_MEMORY[LT_LOCK] = 1
[*] cpu3: MSR_LT_LOCK_MEMORY[LT_LOCK] = 1
[+] PASSED: Check have successfully passed

[*] running module: chipsec.modules.common.me_mfg_mode
[x][ =======================================================================
[x][ Module: ME Manufacturing Mode
[x][ =======================================================================
[-] FAILED: ME is in Manufacturing Mode

[*] running module: chipsec.modules.common.spi_fdopss
[x][ =======================================================================
[x][ Module: SPI Flash Descriptor Security Override Pin-Strap
[x][ =======================================================================
[*] HSFS = 0xF008 << Hardware Sequencing Flash Status Register (SPIBAR + 0x4)
[00] FDONE = 0 << Flash Cycle Done
[01] FCERR = 0 << Flash Cycle Error
[02] AEL = 0 << Access Error Log
[03] BERASE = 1 << Block/Sector Erase Size
[05] SCIP = 0 << SPI cycle in progress
[13] FDOPSS = 1 << Flash Descriptor Override Pin-Strap Status
[14] FDV = 1 << Flash Descriptor Valid
[15] FLOCKDN = 1 << Flash Configuration Lock-Down
[+] PASSED: SPI Flash Descriptor Security Override is disabled

[*] running module: chipsec.modules.common.spi_desc
[x][ =======================================================================
[x][ Module: SPI Flash Region Access Control
[x][ =======================================================================
[*] FRAP = 0x0000FFFF << SPI Flash Regions Access Permissions Register (SPIBAR + 0x50)
[00] BRRA = FF << BIOS Region Read Access
[08] BRWA = FF << BIOS Region Write Access
[16] BMRAG = 0 << BIOS Master Read Access Grant
[24] BMWAG = 0 << BIOS Master Write Access Grant
[*] Software access to SPI flash regions: read = 0xFF, write = 0xFF
[-] Software has write access to SPI flash descriptor

[-] FAILED: SPI flash permissions allow SW to write flash descriptor

[*] running module: chipsec.modules.common.spi_lock
[x][ =======================================================================
[x][ Module: SPI Flash Controller Configuration Locks
[x][ =======================================================================
[*] HSFS = 0xF008 << Hardware Sequencing Flash Status Register (SPIBAR + 0x4)
[00] FDONE = 0 << Flash Cycle Done
[01] FCERR = 0 << Flash Cycle Error
[02] AEL = 0 << Access Error Log
[03] BERASE = 1 << Block/Sector Erase Size
[05] SCIP = 0 << SPI cycle in progress
[13] FDOPSS = 1 << Flash Descriptor Override Pin-Strap Status
[14] FDV = 1 << Flash Descriptor Valid
[15] FLOCKDN = 1 << Flash Configuration Lock-Down
[+] SPI Flash Controller configuration is locked
[+] PASSED: SPI Flash Controller locked correctly.

[*] running module: chipsec.modules.common.bios_wp
[x][ =======================================================================
[x][ Module: BIOS Region Write Protection
[x][ =======================================================================
[*] BC = 0x2A << BIOS Control (b:d.f 00:31.0 + 0xDC)
[00] BIOSWE = 0 << BIOS Write Enable
[01] BLE = 1 << BIOS Lock Enable
[02] SRC = 2 << SPI Read Configuration
[04] TSS = 0 << Top Swap Status
[05] SMM_BWP = 1 << SMM BIOS Write Protection
[+] BIOS region write protection is enabled (writes restricted to SMM)

[*] BIOS Region: Base = 0x00180000, Limit = 0x007FFFFF
SPI Protected Ranges
------------------------------------------------------------
PRx (offset) | Value | Base | Limit | WP? | RP?
------------------------------------------------------------
PR0 (74) | 00000000 | 00000000 | 00000000 | 0 | 0
PR1 (78) | 00000000 | 00000000 | 00000000 | 0 | 0
PR2 (7C) | 00000000 | 00000000 | 00000000 | 0 | 0
PR3 (80) | 00000000 | 00000000 | 00000000 | 0 | 0
PR4 (84) | 00000000 | 00000000 | 00000000 | 0 | 0

[!] None of the SPI protected ranges write-protect BIOS region

[+] PASSED: BIOS is write protected

[*] running module: chipsec.modules.common.bios_ts
[x][ =======================================================================
[x][ Module: BIOS Interface Lock (including Top Swap Mode)
[x][ =======================================================================
[*] BiosInterfaceLockDown (BILD) control = 1
[*] BIOS Top Swap mode is disabled (TSS = 0)
[*] RTC TopSwap control (TS) = 0
[+] PASSED: BIOS Interface is locked (including Top Swap Mode)

[*] running module: chipsec.modules.common.rtclock
[x][ =======================================================================
[x][ Module: Protected RTC memory locations
[x][ =======================================================================
[*] RC = 0x00000004 << RTC Configuration (RCBA + 0x3400)
[02] UE = 1 << Upper 128 Byte Enable
[03] LL = 0 << Lower 128 Byte Lock
[04] UL = 0 << Upper 128 Byte Lock
[-] Protected bytes (0x38-0x3F) in low 128-byte bank of RTC memory are not locked
[-] Protected bytes (0x38-0x3F) in high 128-byte bank of RTC memory are not locked
[!] WARNING: Protected locations in RTC memory are accessible (BIOS may not be using them)

[*] running module: chipsec.modules.common.bios_kbrd_buffer
[x][ =======================================================================
[x][ Module: Pre-boot Passwords in the BIOS Keyboard Buffer
[x][ =======================================================================
[*] Keyboard buffer head pointer = 0x1E (at 0x41A), tail pointer = 0x1E (at 0x41C)
[*] Keyboard buffer contents (at 0x41E):
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |
[*] Checking contents of the keyboard buffer..

[+] PASSED: Keyboard buffer looks empty. Pre-boot passwords don't seem to be exposed

[*] running module: chipsec.modules.common.spd_wd
[x][ =======================================================================
[x][ Module: SPD Write Disable
[x][ =======================================================================
[-] FAILED: SPD Write Disable is not set and SPDs were detected

[*] running module: chipsec.modules.common.smrr
[x][ =======================================================================
[x][ Module: CPU SMM Cache Poisoning / System Management Range Registers
[x][ =======================================================================
[+] OK. SMRR range protection is supported

[*] Checking SMRR range base programming..
[*] IA32_SMRR_PHYSBASE = 0xDA000006 << SMRR Base Address MSR (MSR 0x1F2)
[00] Type = 6 << SMRR memory type
[12] PhysBase = DA000 << SMRR physical base address
[*] SMRR range base: 0x00000000DA000000
[*] SMRR range memory type is Writeback (WB)
[+] OK so far. SMRR range base is programmed

[*] Checking SMRR range mask programming..
[*] IA32_SMRR_PHYSMASK = 0xFF000800 << SMRR Range Mask MSR (MSR 0x1F3)
[11] Valid = 1 << SMRR valid
[12] PhysMask = FF000 << SMRR address range mask
[*] SMRR range mask: 0x00000000FF000000
[+] OK so far. SMRR range is enabled

[*] Verifying that SMRR range base & mask are the same on all logical CPUs..
[CPU0] SMRR_PHYSBASE = 00000000DA000006, SMRR_PHYSMASK = 00000000FF000800
[CPU1] SMRR_PHYSBASE = 00000000DA000006, SMRR_PHYSMASK = 00000000FF000800
[CPU2] SMRR_PHYSBASE = 00000000DA000006, SMRR_PHYSMASK = 00000000FF000800
[CPU3] SMRR_PHYSBASE = 00000000DA000006, SMRR_PHYSMASK = 00000000FF000800
[+] OK so far. SMRR range base/mask match on all logical CPUs
[*] Trying to read memory at SMRR base 0xDA000000..
[+] PASSED: SMRR reads are blocked in non-SMM mode

[+] PASSED: SMRR protection against cache attack is properly configured

[*] running module: chipsec.modules.common.sgx_check
Skipping module chipsec.modules.common.sgx_check since it is not supported in this platform

[*] running module: chipsec.modules.common.secureboot.variables
[*] NOT IMPLEMENTED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.secureboot.variables since it is not supported in this platform

[*] running module: chipsec.modules.common.cpu.spectre_v2
[x][ =======================================================================
[x][ Module: Checks for Branch Target Injection / Spectre v2 (CVE-2017-5715)
[x][ =======================================================================
[*] CPUID.7H:EDX[26] = 1 Indirect Branch Restricted Speculation (IBRS) & Predictor Barrier (IBPB)
[*] CPUID.7H:EDX[27] = 1 Single Thread Indirect Branch Predictors (STIBP)
[*] CPUID.7H:EDX[29] = 0 IA32_ARCH_CAPABILITIES
[+] CPU supports IBRS and IBPB
[+] CPU supports STIBP
[-] CPU doesn't support enhanced IBRS
[!] WARNING: CPU supports mitigation (IBRS) but doesn't support enhanced IBRS
[!] OS may be using software based mitigation (eg. retpoline)

[*] running module: chipsec.modules.common.cpu.cpu_info
[x][ =======================================================================
[x][ Module: Current Processor Information:
[x][ =======================================================================
[*] Thread 0000
[*] Processor: Intel(R) Core(TM) i5-4440 CPU @ 3.10GHz
[*] Family: 06 Model: 3C Stepping: 3
[*] Microcode: 00000027
[*]
[*] Thread 0001
[*] Processor: Intel(R) Core(TM) i5-4440 CPU @ 3.10GHz
[*] Family: 06 Model: 3C Stepping: 3
[*] Microcode: 00000027
[*]
[*] Thread 0002
[*] Processor: Intel(R) Core(TM) i5-4440 CPU @ 3.10GHz
[*] Family: 06 Model: 3C Stepping: 3
[*] Microcode: 00000027
[*]
[*] Thread 0003
[*] Processor: Intel(R) Core(TM) i5-4440 CPU @ 3.10GHz
[*] Family: 06 Model: 3C Stepping: 3
[*] Microcode: 00000027
[*]
[#] INFORMATION: Processor information displayed

[*] running module: chipsec.modules.common.uefi.access_uefispec
[*] NOT IMPLEMENTED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.uefi.access_uefispec since it is not supported in this platform

[*] running module: chipsec.modules.common.uefi.s3bootscript
[*] NOT IMPLEMENTED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.uefi.s3bootscript since it is not supported in this platform

[*] running module: chipsec.modules.remap
[x][ =======================================================================
[x][ Module: Memory Remapping Configuration
[x][ =======================================================================
[*] Registers:
[*] TOUUD : 0x000000021FE00001
[*] REMAPLIMIT: 0x000000021FD00001
[*] REMAPBASE : 0x00000001FF000001
[*] TOLUD : 0xDF200001
[*] TSEGMB : 0xDA000001

[*] Memory Map:
[*] Top Of Upper Memory: 0x000000021FE00000
[*] Remap Limit Address: 0x000000021FDFFFFF
[*] Remap Base Address : 0x00000001FF000000
[*] 4GB : 0x0000000100000000
[*] Top Of Low Memory : 0x00000000DF200000
[*] TSEG (SMRAM) Base : 0x00000000DA000000

[*] checking memory remap configuration..
[*] Memory Remap is enabled
[+] Remap window configuration is correct: REMAPBASE <= REMAPLIMIT < TOUUD
[+] All addresses are 1MB aligned
[*] checking if memory remap configuration is locked..
[+] TOUUD is locked
[+] TOLUD is locked
[+] REMAPBASE and REMAPLIMIT are locked
[+] PASSED: Memory Remap is configured correctly and locked

[*] running module: chipsec.modules.smm_dma
[x][ =======================================================================
[x][ Module: SMM TSEG Range Configuration Check
[x][ =======================================================================
[*] TSEG : 0x00000000DA000000 - 0x00000000DAFFFFFF (size = 0x01000000)
[*] SMRR range: 0x00000000DA000000 - 0x00000000DAFFFFFF (size = 0x01000000)

[*] checking TSEG range configuration..
[+] TSEG range covers entire SMRAM
[+] TSEG range is locked
[+] PASSED: TSEG is properly configured. SMRAM is protected from DMA attacks

[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[+] PCI0.0.0_BDSM = 0x00000000DB200001 - LOCKED - Base of Graphics Stolen Memory
[+] PCI0.0.0_BGSM = 0x00000000DB000001 - LOCKED - Base of GTT Stolen Memory
[+] PCI0.0.0_DPR = 0x00000000DA000001 - LOCKED - DMA Protected Range
[+] PCI0.0.0_GGC = 0x0000000000000211 - LOCKED - Graphics Control
[+] PCI0.0.0_MESEG_MASK = 0x0000007FFF000C00 - LOCKED - Manageability Engine Limit Address Register
[+] PCI0.0.0_PAVPC = 0x00000000DF100017 - LOCKED - PAVP Configuration
[+] PCI0.0.0_REMAPBASE = 0x00000001FF000001 - LOCKED - Memory Remap Base Address
[+] PCI0.0.0_REMAPLIMIT = 0x000000021FD00001 - LOCKED - Memory Remap Limit Address
[+] PCI0.0.0_TOLUD = 0x00000000DF200001 - LOCKED - Top of Low Usable DRAM
[+] PCI0.0.0_TOM = 0x0000000200000001 - LOCKED - Top of Memory
[+] PCI0.0.0_TOUUD = 0x000000021FE00001 - LOCKED - Top of Upper Usable DRAM
[+] PCI0.0.0_TSEGMB = 0x00000000DA000001 - LOCKED - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down

[*] running module: chipsec.modules.debugenabled
[x][ =======================================================================
[x][ Module: Debug features test
[x][ =======================================================================

[*] Checking IA32_DEBUG_INTERFACE msr status
[+] CPU debug interface state is correct.
[+] CPU debug interface state is correct.
[+] CPU debug interface state is correct.
[+] CPU debug interface state is correct.

[*] Module Result
[+] PASSED: All checks have successfully passed

[CHIPSEC] *************************** SUMMARY ***************************
[CHIPSEC] Time elapsed 0.078
[CHIPSEC] Modules total 25
[CHIPSEC] Modules failed to run 0:
[CHIPSEC] Modules passed 14:
[+] PASSED: chipsec.modules.common.bios_smi
[+] PASSED: chipsec.modules.common.ia32cfg
[+] PASSED: chipsec.modules.common.smm
[+] PASSED: chipsec.modules.common.memlock
[+] PASSED: chipsec.modules.common.spi_fdopss
[+] PASSED: chipsec.modules.common.spi_lock
[+] PASSED: chipsec.modules.common.bios_wp
[+] PASSED: chipsec.modules.common.bios_ts
[+] PASSED: chipsec.modules.common.bios_kbrd_buffer
[+] PASSED: chipsec.modules.common.smrr
[+] PASSED: chipsec.modules.remap
[+] PASSED: chipsec.modules.smm_dma
[+] PASSED: chipsec.modules.memconfig
[+] PASSED: chipsec.modules.debugenabled
[CHIPSEC] Modules information 1:
[#] INFORMATION: chipsec.modules.common.cpu.cpu_info
[CHIPSEC] Modules failed 4:
[-] FAILED: chipsec.modules.common.spi_access
[-] FAILED: chipsec.modules.common.me_mfg_mode
[-] FAILED: chipsec.modules.common.spi_desc
[-] FAILED: chipsec.modules.common.spd_wd
[CHIPSEC] Modules with warnings 2:
[!] WARNING: chipsec.modules.common.rtclock
[!] WARNING: chipsec.modules.common.cpu.spectre_v2
[CHIPSEC] Modules not implemented 3:
[*] NOT IMPLEMENTED: chipsec.modules.common.secureboot.variables
[*] NOT IMPLEMENTED: chipsec.modules.common.uefi.access_uefispec
[*] NOT IMPLEMENTED: chipsec.modules.common.uefi.s3bootscript
[CHIPSEC] Modules not applicable 1:
[*] NOT APPLICABLE: chipsec.modules.common.sgx_check
[CHIPSEC] *****************************************************************



Tengo el chip bios bloqueado en ciertas regiones, y hay que desbloquearlo, con el mismo programa chipsec puede hacerse según tengo entendido, pero me quedé atascado por ataques físicos para que no pueda hacerlo.

Bueno, yo comparto por si alguien más quiere analizarselo o saberlo.

Saludos.


En línea

Verse constantemente expuesto al peligro puede generar desprecio hacia él.
El que resiste, gana
Aníbal sabía como conseguir la victoria, pero no cómo utilizarla
"Houston, tenemos un problema": los detalles y curiosidades tras uno de los mensajes de alarma más famosos de la historia
https://amaltea.wordpress.com/2008/03/06/proverbios-y-refranes-grecolatinos/
kub0x
Enlightenment Seeker
Colaborador
***
Desconectado Desconectado

Mensajes: 1.486


S3C M4NI4C


Ver Perfil
Re: Vulnerabilidades en las placas base nivel firmware
« Respuesta #1 en: 24 Febrero 2020, 11:05 am »

Buen aporte. Lo añado a la lista de futuros tests, pues a mi también me preocupa el tema UEFI hijacking.

Revisad bien https://github.com/chipsec/chipsec/blob/master/drivers/linux/WARNING.txt pues instala kernel drivers que permiten a cualquier aplicación user-mode acceder a memoria y demás registros privilegiados. Lo mejor, utilizarlo desde la EFI SHELL o live CD/USB.

Saludos.


En línea

Viejos siempre viejos,
Ellos tienen el poder,
Y la juventud,
¡En el ataúd! Criaturas Al poder.

Visita mi perfil en ResearchGate

Hason


Desconectado Desconectado

Mensajes: 791


Keep calm and use the spiritual force


Ver Perfil WWW
Re: Vulnerabilidades en las placas base nivel firmware
« Respuesta #2 en: 24 Febrero 2020, 13:21 pm »

Yo lo tengo instalado en el disco duro por que mi pc solo lo utilizo para pruebas y pasar el rato, no tengo nada importante, de hecho tengo varios discos duros con linux para toquetear cosas, y si crasea reinstalo.

Según mi log, en el resumen aparece:

Código:
[#] INFORMATION: chipsec.modules.common.cpu.cpu_info
[CHIPSEC] Modules failed 4:
[-] FAILED: chipsec.modules.common.spi_access
[-] FAILED: chipsec.modules.common.me_mfg_mode
[-] FAILED: chipsec.modules.common.spi_desc
[-] FAILED: chipsec.modules.common.spd_wd
[CHIPSEC] Modules with warnings 2:
[!] WARNING: chipsec.modules.common.rtclock
[!] WARNING: chipsec.modules.common.cpu.spectre_v2
[CHIPSEC] Modules not implemented 3:
[*] NOT IMPLEMENTED: chipsec.modules.common.secureboot.variables
[*] NOT IMPLEMENTED: chipsec.modules.common.uefi.access_uefispec
[*] NOT IMPLEMENTED: chipsec.modules.common.uefi.s3bootscript
[CHIPSEC] Modules not applicable 1:
[*] NOT APPLICABLE: chipsec.modules.common.sgx_check
[CHIPSEC] *****************************************************************



Falla el acceso a ciertas regiones del chip BIOS, y da problemas, del palo que grabas la BIOS original del fabricante,(en mi caso con willem programmer)  pero luego se reescribe sola a otros valores.

Luego creo tengo la vulnerabilidad Meltdown y Spectre  explotada:
[!] WARNING: chipsec.modules.common.cpu.spectre_v2
hay bastante información, resulta que desde hace muchos años que va está Vulnerabilidad ya...

https://www.kaspersky.es/blog/35c3-spectre-meltdown-2019/17620/
https://hardzone.es/2019/03/05/spoiler-vulnerabilidad-cpus-intel/

También me detecta [!] WARNING: chipsec.modules.common.rtclock que no tengo mucha información , pero creo tiene que ver con el reloj sistema, al instalar linux descargado y preparado desde mi pc, me da error crítico de timezone.

Y luego tengo algo metido en la uefi, chipsec no tiene acceso, y me es imposible instalar correctamente cualquier  sistema operativo en modo uefi, por eso chipsec no tiene acceso supongo.


Está esta herramienta para toquetear las uefi, pero si no se instala en modo uefi el sistema operativo no funciona:

https://wiki.gentoo.org/wiki/Efibootmgr/es?fbclid=IwAR0vyfCZJEVmavky3Sec9NQuUGLRlMaNZ0vsCClyNFPfT7a6QX5KrgUBfEY

Con chipsec hay mucha información al respecto, hay publicados muchos scripts para toquetear firmware y hacer cosas, pero para mi no es nada sencillo hacerlo.

Aqui dejo dos enlaces para checar vulnerabilidades desde linux:

https://security.web.cern.ch/security/advisories/l1tf/l1tf.shtml?fbclid=IwAR0iClrmI6yF1sAv7khWcMGvCIClBgqr_zNbCWsal-gljG-ktBOIf3tjwWk

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF?fbclid=IwAR1iibuaiH-LdrT5zyoSsAIzcx3kb_KsjUiKO6wL12cfGVcX2vhoxvtcumE

Para mitigar la Vulnerabilidad spectre está "Retpoline" , pero claro, si ya estamos expuestos, a saber todo lo que se ha podido modificar ya...

https://unix.stackexchange.com/questions/435778/how-to-check-if-linux-kernel-is-retpoline-enabled-or-not?fbclid=IwAR0pFvKaCMiHnNVAtN4uAmcfPYv2_SQmU4DJpKeVhDLnENtRpln9fS-2MK8

Vamos, resumiendo, en vez de intel inside, es NASA inside....


Tengo otros dos pc, igual comprometidos , y uno de ellos es AMD, e igual tiene historias.

Como pasatiempo tal vez indague más el asunto, pero como comento no es muy sencillo para mi toquetear todo esto,si te explotan estas vulnerabilidades con un exploit, no hay nada que hacer, es un coladero, todos los pc son vulnerables, a cualquier persona que no tenga protegido y parcheado el s.o. le pueden hacer pupa.

Dicen que las nuevas placas base irán protegidas contra esto, pero ya creo hay otras nuevas vulnerabilidades... es decir, coladero.

 Creo tengo mucho modificado, lo que más me preocupa son las uefi, que no tengo acceso y no se como resetearlas de fábrica dijeramos y es de lo que menos información tengo.

Lo publico para compartirlo y para que no se me olvide, si no se me olvidará todo.

La verdad he estado recopilando bastante información, pero es que resulta que es muy extenso todo y complicado, tanto que se me quitan las ganas de investigarlo más.

Y ya se por que comprando pc nuevos se me infectaban con esto, por que tengo el router modificado también jeje, y entonces al conectar nuevos dispositivos, me lanzan exploid.

Para mi lo más viable , es comprarlo todo nuevo, routers, pc, y todo nuevo, y lo viejo tirarlo creo, si no me quiero acabar de romper la cabeza.

Si quereis aportar al tema de como modificar el hardware con chipsec para desbloquear BIOS, acceder a las uefi, y todo sobre este tema podeis poner información, han pasado muchos años ya, al principio no habia casi información sobre esto, pero ahora hay mucha información ya, tanta que me saturo.

Tengo mucho cacao mental con tanta información, no puedo postear más cosas de momento.
Pero pongo dos enlaces más , que si no me equivoco son para crear exploids para firmware:

http://blog.cr4.sh/

https://github.com/rsec/firmware_security_docs/blob/master/BIOS/My%20aimful%20life:%20Building%20reliable%20SMM%20backdoor%20for%20UEFI%20based%20platforms.html

Curiosamente este último enlace ha desaparecido ahora mismo, no me aparece...

Casi toda la información la recopilo de My aimful life, pero es que tiene mucha información como para asimilarlo todo en poco tiempo.

Tengo enlaces donde explica a desbloquear las regiones de la BIOS bloqueadas con un script, pero me da fallo al ejecutar el escript, lástima, por que creo está bien explicado aqui, pero no entiendo demasiado:

http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html?fbclid=IwAR3JV4Q_aVQuFQiqH6MOpE9JHWclmtMlt-ufzc4Q4z_KYq6tOuM2rIIhLaM


El comando para desbloquear la BIOS, me da fallo:

Código:
root@paul:/home/pol/chipsec# python chipsec_util.py spi disable-wp

################################################################
## ##
## CHIPSEC: Platform Hardware Security Assessment Framework ##
## ##
################################################################
[CHIPSEC] Version : 1.4.6
[CHIPSEC] OS : Linux 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:40:49 UTC 2019 x86_64
[CHIPSEC] Python : 2.7.6 (64-bit)
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] Helper : LinuxHelper (/home/pol/chipsec/chipsec/helper/linux/chipsec.ko)
[CHIPSEC] Platform: Desktop 4th Generation Core Processor (Haswell CPU / Lynx Point PCH)
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 0C00
[CHIPSEC] RID: 06
[CHIPSEC] PCH : Default PCH
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 8C5C
[CHIPSEC] RID: 05
[CHIPSEC] Executing command 'spi' with args ['disable-wp']

[CHIPSEC] trying to disable BIOS write protection..
[-] couldn't disable BIOS region write protection in SPI flash
[CHIPSEC] (spi disable-wp) time elapsed 0.000

Casi, pero nop.(por que me da fallo al ejecutar el script, me dice que no soy root y no tengo permisos de ejecutar el script....)

Todo esto no puede asimilarse en poco tiempo supongo, hay que dedicarle estudio, y no estoy mucho por la labor, pero lo comparto.



Saludos.
« Última modificación: 24 Febrero 2020, 14:07 pm por Hason » En línea

Verse constantemente expuesto al peligro puede generar desprecio hacia él.
El que resiste, gana
Aníbal sabía como conseguir la victoria, pero no cómo utilizarla
"Houston, tenemos un problema": los detalles y curiosidades tras uno de los mensajes de alarma más famosos de la historia
https://amaltea.wordpress.com/2008/03/06/proverbios-y-refranes-grecolatinos/
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
Recibe $3,133.7 USD por reportar vulnerabilidades nivel web en Google
Nivel Web
sirdarckcat 1 2,488 Último mensaje 4 Noviembre 2010, 10:42 am
por WHK
[Guia] Vulnerabilidades a nivel web
Nivel Web
BigBear 0 2,941 Último mensaje 7 Octubre 2011, 01:28 am
por BigBear
Como reparar una memoria USB a nivel Firmware (AYUDA) FULL
Electrónica
Erick_malagon 2 67,408 Último mensaje 8 Abril 2017, 18:27 pm
por campers007
placas base
Hardware
sagunto1234 4 3,342 Último mensaje 23 Diciembre 2016, 08:17 am
por sagunto1234
¿Por qué las placas base de nueva generación cuestan cada vez más?
Noticias
El_Andaluz 0 1,420 Último mensaje 5 Mayo 2020, 23:52 pm
por El_Andaluz
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines