Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

When trying to make something better only makes matters worse

Read: 148 Comments: 0 Rating: 5

If you use a modern PC, you’ve probably heard about UEFI. Even if you haven’t, the technology is nonetheless most likely being used on your computer. What is UEFI and how can criminals take advantage of it?

UEFI (Unified Extensible Firmware Interface) was designed back in 2005. It is now believed that UEFI will supersede BIOS (Basic Input Output System). So UEFI is the next-generation BIOS. When a PC is powered on, it looks for available hardware, tests it and initiates an operating system boot-up process. But unlike the conventional BIOS, UEFI BIOS boasts a wider array of features.

For example, the Secure Boot enables UEFI-compatible firmware to verify the validity of system components (boot loaders, drivers and UEFI Option ROMs), using their digital signatures. If a signature is missing or invalid, the component in question won't be loaded.

SecureBoot was designed to rule out the possibility of malicious components being used in a system—because they wouldn't have a valid signature! But things only worked out that way on paper—a bootloader attack vector was discovered.

Dmytro Oleksiuk examined Lenovo ThinkPad T450s’ firmware and discovered a severe UEFI vulnerability that enabled an attacker to execute code in the System Management Mode (SMM), which provides higher privileges than the hypervisor mode and the zero protection ring as well as access to the entire memory. Arbitrary code can be run in the SMM to disable flash-write protection and alter the firmware used to toggle off the Secure Boot check or bypass hypervisor restrictions.

The problem initially arose with a vulnerability located within code for the SystemSmmRuntimeRt UEFI driver. It was copy-pasted by Lenovo and other manufacturers from a reference code for Intel 8 series chipsets. However, it should be noted that the issue was resolved in the original Intel firmware back in 2014. In addition to Lenovo devices, the issue also affects HP Pavilion laptops and Gigabyte motherboards. According to Lenovo, the vulnerable firmware was provided by one of the three largest BIOS manufacturers (the actual supplier of the code wasn't revealed).

A working proof-of-concept exploit was designed for the SystemSmmRuntimeRt driver and can be used on all Lenovo ThinkPad laptops starting from X220. The exploit for this vulnerability is designed as a UEFI application that runs from a UEFI shell. It's also possible to exploit it from a running operating system (administrative privileges are required to launch it).

More code, more vulnerabilities—this is how things work.

Let's start with the SMM Incursion Attack I put "modern" in quotation marks on purpose because this attack has been known about for ages. It was first reported on in 2008 as a BIOS issue, but in 2015 it was rediscovered by Corey Kallenberg and Xeno Kovah. It's really as simple as putting two and two together—if the SMI handler uses code from outside SMRAM, an attacker with physical memory write permissions can replace the code and run it in SMM. And since UEFI developers really enjoyed using EFI Runtime services, the SMI handler can be used to invoke the services easily (typically , GetVariable, SetVariable and ResetSystem routines were used to this end). The number of devices affected by the vulnerability was so large that it was easier to list those that weren't. I roughly estimate that if your UEFI was built before May or June 2015, it is guaranteed to have a couple of the vulnerabilities that can be exploited in an SMM attack. Resolving all issues of this sort in a system can be complicated because previously this behaviour wasn't even regarded as a security risk (indeed, who could be foolish enough to meddle with the services), and simple IBV coders weren't told that it wasn't a good idea to do so—so even now some updated runtime drivers remain vulnerable. So prospects are rather bleak.

There are numerous attack options, and we can't describe all of them in our AVT format. Furthermore, to provide a clear explanation, we would also have to speak in detail about almost every term.

#technologies #exploit #vulnerability

Dr.Web recommends

Why did we choose to talk about this vulnerability? The UEFI is a perfect example of a promising idea that was evolving for years before getting incorporated into various products on the market and was intended by its makers to provide multiple layers of security, while in fact it has opened up opportunities for attackers that were unimaginable in the BIOS era. Exploits of this kind aren't used very often, but that’s only because it’s much easier to generate revenue from adware and encryption ransomware.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.