DEF CON 31 - Ringhopper - How We Almost Zero day’d the World - Benny Zeltser, Jonathan Lusky

Views: 67,285

DEFCONConference

8 months ago

Last year we almost zero-day’d the world with the publication of RingHopper. Now we can finally share some juicy details and invite you for an illuminating journey as we delve into the realm of RingHopper, a method to hop from user-land to SMM.
We will survey the discovery and disclosure of a family of industry-wide vulnerabilities in various UEFI implementations, affecting more than eight major vendors, making billions of devices vulnerable to our attack. Then, we will deep-dive into the innards of SMM exploitation and discuss methods to use and abuse various functionalities and properties of edk2 to gain code execution. We will unveil both our futile and fruitful quests of crafting our way to SMM, and detail both the paths that lead to dead-ends, and the route to success.
We will give a detailed overview of different ways to elevate this kind of attack to user-land both on Windows and Linux by chaining multiple vulnerabilities together.
Finally, we will show RingHopper hopping from user-space to… SMM.

Comments: 47
@alexlefevre3555 8 months ago
I think what's the most wild to me is the kernel level exploitation after the fact seemed like it was simply an afterthought. Wild stuff. The negative ring spaces seem to have NOT been the answer engineers had hoped.
@JustAnotherAlchemist 6 months ago
That threw me back in my chair for a second too... then I looked closer and there is a reason they glossed over that part in the talk. Neither of these are really pure privilege escalation, more social engineering. The Windows privilege escalation requires at least user clicking through a UAC prompt, as the signed BIOS modification software would need to be invoked. The Linux privilege escalation requires that amifldrv kernel module be previously installed by super user/root. And, if installed properly, permissions would be set to deny anyway.
@Sean_neaS 8 months ago
I would have given up at each and every setback! I hope this was more fun than it sounds like.
@ronminnich 8 months ago
"AMI lets us do some pretty amazing things from user space" -- in a talk full of great quotes, that's maybe my favorite. So, would you consider attacking RISC-V OpenSBI?
@fannstwebmaster5494 7 months ago
From around 6:00 I was screaming DMA DMA DMA to myself... Fuck I was right 😂😂
@brujua7 8 months ago
Great talk, great research! So lucky to have you folks
@bubbleopter 8 months ago
basically, if your PC randomly sleeps, just throw it out the window, but first check for passersby. if you don't have a window, drop the network, disconnect your harddrive, and mobo, and put both into the microwave at 1000w 😂
@boneappletee6416 8 months ago
Remember to drill through your HDD after each use. 😊
@sovahc 8 months ago
Just zero your ssd and bios. Then reflash, reinstall os and old games from cds, and never connect to the internet.
@volodumurkalunyak4651 8 months ago
Wrong. If your PC randomly sleeps, unplug/replug the power cord.
@joshua7551 8 months ago
Suddenly feeling vindicated for not trusting sleep states at all for the last 5 years. Between fastboot, Windows fast startup, and sleep states, I had a feeling one of them would have some sort of ACE bug. My work laptop runs Linux so it's not as much of an issue to just shut it down and start it back up when I switch between sites.
@bubbleopter 7 months ago
@@sovahc true xD it's that last bit where things start to get all weird. "ooh, lemme connect this to an enormous network of computers and just hope there aren't any mischievous folk online." also is it possible to flash the disk with modified firmware, sorta like b/rootkit type thingamabob?
@n1k0n_ 8 months ago
So this is why my laptop got all those sleep mode firmware updates 😬
@davidmordinson2022 8 months ago
Well done, guys👏👏👏 Great one!
@RyanHarris77 8 months ago
Thank you for citing your meme sources.
@user-jb8nz4ig9n 8 months ago
The best talk in Defcon31💪
@GSX-R-lg3ei 8 months ago
Race condition chaining from hell, love it.
@dandeeteeyem2170 8 months ago
Finally an interesting talk from Def Con 31. I was beginning to lose hope 😅
@Look_What_You_Did 8 months ago
Your lack of understanding does not change the complexity of the world around you. I.e., just because you don't get it doesn't mean it is not worthwhile.
@dandeeteeyem2170 8 months ago
@@Look_What_You_Did I was thinking in terms of inspiring youngsters to think about how to approach "hacking" philosophically. You don't seriously come here to get serious 0-days, do you? Even Black Hat is losing its edge thanks to infiltration by gov and corp hacks
@celestialowl8865 8 months ago
@@Look_What_You_Did A complete lack of understanding probably would make it considerably less interesting, however.
@dandeeteeyem2170 8 months ago
@@Munch473 thanks! After sifting through everything from this year, there's a couple of great ones where the speaker "slipped through the filters". I love talks like Bill Swearingen at Def Con 27. That stuff is useful and in the true spirit of the con IMHO..
@jmax8692 3 months ago
Says the idiot who can’t understand the lectures 😂😂
@Ben_EH-Heyeh 7 months ago
Exploitation researcher at Mitre wrote a POC SMM Rootkit called Light Eater.
@sjoervanderploeg4340 8 months ago
So this is the reason why my machine was in sleep mode after vacation?
@t_r 8 months ago
👏👏👏
@theflowpowa42oshow 26 days ago
is it 420 or 42o?
@ThePlayerOfGames 8 months ago
Soooo, every CPU post Core Duo is permanently vulnerable to ring -2 attacks unless we can disable the on chip operating system?
@The-Anathema 8 months ago
More or less 'yes', and these aren't the first nor last attacks on the ME (from memory I can think of attacks going at least as far back as '09, and that's just what I can remember from the top of my head). It's a sophisticated piece of technical liability, potentially a backdoor (even if not intended to be one) and definitely a hardware level rootkit (again, even if not intended as one). This is one, among many, reasons why I advocate for a RISC architecture without all this extra complexity, I don't really care which one (there are pros and cons to most of them and it's above my paygrade). I have similar opinions about TPM (Trusted Platform Module -- version 2.0 especially but 1.0 as well to an extent), and AMD's equivalent PSP (I don't remember what their acronym stands for), but that's a topic for another time.
@D3v15H 8 months ago
For those who did not listen to the talk carefully: this is not an ME attack. This is done entirely on a CPU.
@The-Anathema 8 months ago
That is correct, and worth mentioning since this comment thread is a little bit off-topic.
@joemck85 7 months ago
Intel ME and AMD PSP are even further up the food chain and their inner workings are invisible to code running in SMM. The very first version of SMM was found on the 386, though I doubt that early revision of it is vulnerable to this particular attack method. Unless I'm mistaken though, this can be at least mostly mitigated with a UEFI update.
@robmorgan1214 8 months ago
Dude this s-t's been broken for years. Been pwning SMM IN NON ROOT USERSPACE since 2015. SMM is not well written, designed, etc. Bugs abound. Only issue is persistence... i.e. you brick the CPU if your scratch pad overflows into something containing a FW patch. It's why I don't trust the "cloud".
@theflowpowa42oshow 26 days ago
You never trust a cloud 😶‍🌫
@LaLaLand.Germany 7 months ago
Can anyone dumb down what's going on here? I don't speak nerd. Am I okay with not having UEFI but good, old BIOS?
@jsrodman 7 months ago
Unless your hardware is deep retro, there's UEFI there, just possibly pretending to be a BIOS.
@LaLaLand.Germany 7 months ago
I'll be deep retro, then. Asus P5K but maxed out. Enough power for what I want and reliable. Hope it never fails... @@jsrodman
@reddragonflyxx657 7 months ago
@@LaLaLand.Germany I'm commenting during the introduction of this talk, but SMM has been supported by x86 processors since the early 1990s. If you go back that far, you'll probably get some security through obscurity, but vendors don't bother writing patches for any security bugs in stuff that old. Anyway, this looks like a local privilege escalation attack. Generally I'd consider a machine compromised by the time that's feasible (unless it's doable from JS, like Spectre was... speaking of which, how are the Meltdown mitigations on your Bearlake processor?) because the attacker generally can do a lot with just normal user permissions on a desktop.
@JonMasters 8 months ago
Attacking the x86 architecture is not “zero daying the world”. The world doesn’t run exclusively on x86.
@Look_What_You_Did 8 months ago
It does.
@zombie_pigdragon 8 months ago
No, but most servers and consumer machines do...
@mariarahelvarnhagen2729 8 months ago
Talking NAK With Marc Andreesen