For the fourth year in a row I visited the Chaos Communication Congress (CCC) in Germany. CCC is a conference that promotes creativity and open-minded judgement which includes for a big part topics about IT security and privacy, but also electronic projects, 3D printing, "food hacking", art, music and many more. For the second time the congress was organised in the Congress Center in Leipzig between Christmas and New Years Eve (27-30 December 2018). Fairly quickly I noticed that they really improved in using the infrastructure compared to last year and even extended the venue with some more halls. During the congress I probably spend more then 50% of my time solving challenges on the 35C3CTF, for the rest I visited several talks, soldered some kits, danced and walked around. Typically the latter will be done a lot because the venue is huge, at average I did around 20k steps each day. There is a reason why a lot of people take their step or even bike at the conference. If you want to know more about CCC, visit their event page (LINK) and be sure to read the ticket selling procedure when its published around July.
During this series of blog posts I will highlight three talks that I found interesting. Please note that I do not want to take any credit of these talks. I am just writing it down in short and I mainly do this to force myself to do some research about these topics and perhaps share some knowledge with others. For this part I will analyse the talk titled "First SEDNIT UEFI Rootkit".
First SEDNIT UEFI rootkit
Talk link: https://www.youtube.com/watch?v=Z-GRbgh-yQQ
The talk First SEDNIT UEFI rootkit was given by Frédéric Vachon and he explained the internals of an EUFI rootkit developed by the hacking team SEDNIT. In fact this was the first ever occurrence of such a malware from SEDNIT. The exploit relies on a computer chip inside computer that can trace your computer called LoJack.
What does LoJack normally do?
- UEFI/BIOS module
LoJack stores a file dropper and small agent in a BIOS module and replace autochk.exe. autochk.exe is used to verify the file system integrity and launched during each boot at an early stage.
Autochk.exe acts as the dropper and drops "rpcnetp.exe" and installs it as a service.
Injects a DLL into svchost and then changes it to internet explorer and handles all communication
What are the exploit steps?
What happens when you open a malicious executable containing the EUFI rootkit from SEDNIT? First it parses out all the firmware volumes of the UEFI firmware and looks for four specific files (IP4DXE, NTFSDXE, SMIFLASH and DXECore). IP4DXE and DXECORE contains information to find the firmware volume to install the rootkit. NTFSDXE and SMIFLASH will be removed by the malware and replaced by a malicious NTFS driver.
The malware has now found the correct place to store the rootkit. So it will create a firmware file-system file header. Then adds the rootkit file and writes this information at the end of DXE drivers volume. Now this malicious firmware needs to be written back to SPI flash memory but first it needs to check if its actually possible. It checks some values in the BIOS Control Register (BIOS_CTNL), more specifically it checks if BIOS Write Enable(BIOSWE) is set to 1 and BOIS Lock Enabled(BLE) is set to 1. These values will prevent any changes in the BIOS but there is vulnerability that could bypass the two settings. Due a race conditions bug (Speed Racer) its still possible to write data to the BIOS even if these values are correctly set. So Intel implement a fix by adding an extra BIOS setting called SMM Bios Write Protect Disable (SMM_BWP) which protect writing to the BIOS. The malware will follows the logic below:
Screenshot from the slides from Frédéric Vachon
So this makes it a really cool attack because instead of needing physical access to flash the firmware its now possible to flash firmware remotely. The sednit attack group abused this to then add their rootkit in the DXE drivers. The rootkit is started during the Driver Execution Environment boot phase, where the DXE Driver (including the EUFI rootkit) will be loaded. After loading it will create an event "EFI_EVENT_GROUP_READY_TO_BOOT" and will bind a notify function to this event. At the next boot phase it will capture the event created by the rootkit and the notify function will be executed. This function will install a NTFS driver, drop the autoche.exe and rpcnetp.exe file and patch a value in the windows registry. A NTFS driver is needed to obtain file-based access to the window partitions is because at the UEFI boot phases this driver is not loaded yet. After that they change a windows registry value from "\HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" which states what executable should be run during booting Windows.
Regedit.exe - BootExecute registry
When the computer is booting windows it will then run the autoche.exe instead of autochk.exe and it will revert back the windows registry modification as well to stay undetected.
Is your system vulnerable?
First of all its very unlikely you have a LoJack chip present in your laptop. Second make sure to check whether the BIOS write protection flags are set (BLE, BIOSWE and SMM_BWP). Checking these settings can be easily done by running the tool CHIPSEC. When running this tool on my system it showed that all bits were correctly set, so which means I am not vulnerable for such an attack.
Running CHIPSEC on Linux