site: blog.ptsecurity.com
Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251
http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html [blog.ptsecurity.com]
2018-10-03 01:14
tags:
bios
cpu
exploit
hardware
mac
security
systems
Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users.
This mode allows configuring critical platform settings stored in one-time-programmable memory (FUSEs). These settings include those for BootGuard (the mode, policy, and hash for the digital signing key for the ACM and UEFI modules). Some of them are referred to as FPFs (Field Programmable Fuses).
We analyzed several platforms from a number of manufacturers, including Lenovo and Apple MacBook Pro laptops. The Yoga and ThinkPad computers we examined did NOT have any issues related to Manufacturing Mode. But we found that Apple laptops on Intel chipsets are running in Manufacturing Mode. After this information was reported to Apple, the vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
source: HN
Intel patches new ME vulnerabilities
http://blog.ptsecurity.com/2018/07/intel-patches-new-me-vulnerabilities.html [blog.ptsecurity.com]
2018-07-22 17:11
tags:
bios
bugfix
cpu
security
CVE-2018-3627, the vulnerability at issue in advisory SA-00118, is described as a logic bug (not a buffer overflow) that may allow execution of arbitrary code. Ease of exploitation makes this vulnerability more dangerous than the one in SA-00086, which was locally exploitable only in case of OEM configuration errors; instead, an attacker simply needs local access.
Things are even worse with CVE-2018-3628, which is described in advisory SA-00112. This vulnerability enables full-blown remote code execution in the AMT process of the Management Engine. Moreover, all signs indicate that—unlike CVE-2017-5712 in advisory SA-00086—attackers do not need an AMT administrator account.
source: L
New bypass and protection techniques for ASLR on Linux
http://blog.ptsecurity.com/2018/02/new-bypass-and-protection-techniques.html [blog.ptsecurity.com]
2018-03-06 19:16
tags:
defense
exploit
linux
malloc
programming
random
security
systems
This whitepaper analyzes ASLR implementation in the current version of the Linux kernel (4.15-rc1). We found problems that allow bypassing this protection partially or in full. Several fixes are proposed. We have also developed and discussed a special tool to demonstrate these issues. Although all issues are considered here in the context of the x86-64 architecture, they are also generally relevant for most Linux-supported architectures.
source: solar
Blocking double-free in Linux kernel
http://blog.ptsecurity.com/2017/08/linux-block-double-free.html [blog.ptsecurity.com]
2017-08-31 17:05
tags:
defense
linux
malloc
programming
security
It turned out that SLUB allows consecutive double freeing of the same memory region. In contrast, GNU C library allocator has a “fasttop” check against it, which introduces a relatively small performance penalty. The idea is simple: report an error on freeing a memory region if its address is similar to the last one on the allocator’s “freelist”.
source: solar
Disabling Intel ME 11 via undocumented mode
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html [blog.ptsecurity.com]
2017-08-28 21:32
tags:
cpu
hardware
investigation
After unpacking the executable modules, we proceeded to examine the software and hardware internals of Intel ME. Our team has been working on this for quite some time, and we have accumulated a large amount of material that we plan to publish. This is the first in a series of articles on the internals of Intel ME and how to disable its core functionality.
source: L
Intel debugger interface open to hacking via USB
http://blog.ptsecurity.com/2017/01/intel-debugger-interface-open-to.html [blog.ptsecurity.com]
2017-01-22 04:44
tags:
hardware
security
However, starting with the Skylake processor family in 2015, Intel introduced Direct Connect Interface (DCI), which provides access to the JTAG debugging interface via common USB 3.0 ports.
From 33C3 presentation.
source: R