RingHopper - Hopping from User-space to God Mode
The SMM (System Management Mode) is a well-guarded fortress that holds a treasure - an unlimited god mode. We hopped over the walls, fooled the guards, and entered the holy grail of privileges.
An attacker running in SMM can bypass practically any security mechanism, steal sensitive information, install a bootkit, or even brick the entire platform.
We discovered a family of industry-wide TOCTOU vulnerabilities in various UEFI implementations, affecting more than eight major vendors and making billions of devices vulnerable to our attack. RingHopper leverages peripheral devices that exist on every platform to perform a confused deputy attack. With RingHopper, we hop from ring 3 (user-space) into ring -2 (SMM), bypass all mitigations, and gain arbitrary code execution.
In our talk, we will deep-dive into this class of vulnerabilities and its exploitation method, and learn how they can be prevented. Finally, we will demonstrate a PoC of a full exploitation using RingHopper, hopping from user-space into SMM.
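The vulnerability class the abstract refers to is a TOCTOU (double fetch) in an SMI handler: the handler validates a field in a communication buffer it shares with less-privileged code, and a second party (here modelled as a peripheral writing into that buffer) changes the field between the check and the use. The C below is an added, illustrative model written for this page, not RingHopper's code or any vendor's real SMI handler: the buffer layout, the `CommBuffer` type, the `ConcurrentWriter` hook and the 64-byte scratch limit are all constructed assumptions. It places the vulnerable double-fetch pattern beside the hardened form, which copies caller-controlled data into SMRAM-private memory exactly once and validates only that copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SMI communication buffer shared between the OS
 * and the SMI handler. Not any vendor's real layout. */
typedef struct {
    uint32_t length;        /* caller-claimed payload length */
    uint8_t  payload[256];
} CommBuffer;

/* Models a peripheral (e.g. a DMA engine) rewriting the shared buffer while
 * the handler runs; NULL means no concurrent writer. */
typedef void (*ConcurrentWriter)(CommBuffer *buf);

#define SMRAM_SCRATCH_LIMIT 64      /* bytes the handler is allowed to use */
/* Oversized here only so this demo cannot corrupt its own memory; in real
 * firmware the SMRAM buffer would be exactly SMRAM_SCRATCH_LIMIT bytes. */
static uint8_t smram_scratch[256];

/* VULNERABLE pattern: length is checked in the shared buffer, then fetched
 * again from the same shared memory at time of use. A writer that changes it
 * between the two reads wins the race and the copy exceeds the limit.
 * Returns the number of bytes copied (a value > SMRAM_SCRATCH_LIMIT means
 * the handler has overrun its SMRAM buffer). */
int smi_handler_vulnerable(CommBuffer *shared, ConcurrentWriter writer)
{
    if (shared->length > SMRAM_SCRATCH_LIMIT)   /* time of check */
        return -1;
    if (writer) writer(shared);                 /* race window */
    uint32_t used = shared->length;             /* time of use: second fetch */
    memcpy(smram_scratch, shared->payload, used);
    return (int)used;
}

/* HARDENED pattern: snapshot the caller-controlled data into SMRAM-private
 * memory once, then check and use only the snapshot. The same writer fires
 * in the same window, but can no longer influence what the handler does. */
int smi_handler_hardened(CommBuffer *shared, ConcurrentWriter writer)
{
    CommBuffer snapshot;
    memcpy(&snapshot, shared, sizeof snapshot); /* single fetch */
    if (snapshot.length > SMRAM_SCRATCH_LIMIT)
        return -1;
    if (writer) writer(shared);                 /* race window, now harmless */
    memcpy(smram_scratch, snapshot.payload, snapshot.length);
    return (int)snapshot.length;
}

/* Constructed racing writer: bumps the claimed length past the limit. */
static void grow_length(CommBuffer *buf) { buf->length = 200; }

/* Drives one handler with a buffer that claims 16 bytes, optionally racing. */
int run_handler(int (*handler)(CommBuffer *, ConcurrentWriter), int race)
{
    CommBuffer buf;
    memset(&buf, 0, sizeof buf);
    buf.length = 16;
    memset(buf.payload, 0x41, sizeof buf.payload);
    return handler(&buf, race ? grow_length : NULL);
}

int main(void)
{
    printf("vulnerable, racing writer: %d bytes copied\n",
           run_handler(smi_handler_vulnerable, 1));
    printf("hardened,   racing writer: %d bytes copied\n",
           run_handler(smi_handler_hardened, 1));
    return 0;
}
```

Two points follow from the model. First, the fix is not "add more checks" but "check a copy that the other side can no longer reach", which is why firmware guidance treats a single copy-in of the communication buffer as the baseline. Second, validating length alone is not enough in real handlers: the buffer must also be confirmed to lie entirely outside SMRAM before any copy (EDK2 exposes this as `SmmIsBufferOutsideSmmValid`), otherwise the handler can be pointed at its own protected memory.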