GetVariable Strikes Again, Linux Santa, AMD Vulns, & Remote Computer Detonation – PSW #770

We're back baby. Shmoocon was amazing. Also, I did not eat the cereal (though I heard it was awful, like if you were to eat the pages of a musty book from your grandparents basement)

"Often times when EFI Modules make multiple (G|S)etVariable calls in the same function, there is a vulnerability. The DataSize variable must be reinitialized to 0 before subsequent Variable calls in order to avoid this vulnerability." - Wow, I remember getting yelled at for improper variable initialization or re-initialization. This is a great example of UEFI variable abuse that we talked about in the SMM segment with Jesse.

This is a real thing. Remember when I warned you that updating your BMC firmware is important? This is why. This is also why we can't have nice things.

"Reference validation is performed before signature validation, allowing for the execution of malicious XSLT transforms. Execution of XSLT transforms allows an attacker to execute arbitrary Java code."

Amazing work, the takeaway (other than deep technical details): " Not much effort is needed to turn a full exploit chain for a local privilege escalation into one that is able to escape containers as well."

"For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However with the introduction of modern exploit mitigations such as SMEP and SMAP, as well as mmap_min_addr preventing unprivileged programs from mmap’ing low addresses, null-deref bugs are generally not considered a security issue in modern kernel versions. This blog post provides an exploit technique demonstrating that treating these bugs as universally innocuous often leads to faulty evaluations of their relevance to security." - The last sentence applies to more than just kernel null dereference bugs.

"AMD has listed the various AGESA revisions it has issued to its OEMs to patch the vulnerabilities (AGESA code is used to build BIOS/UEFI code). However, the availability of new BIOS patches with the new AGESA code will vary by vendor. That means you'll have to check with your motherboard or system vendor to see if it has posted new BIOS revisions with the correct AGESA code." - Because, well, reasons. Your UEFI code is customized by the OEM, which means in order to update it, the OEM has to update it. This also depends on your hardware.

If you are looking for a foundation to learn how to find vulnerabilities in Chrome, look no further thanks to Joff Thyer!

I love this, from the Google project for macOS: "Santa is a binary authorization system for macOS. It consists of a system extension that monitors for executions, a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. It is named Santa because it keeps track of binaries that are naughty or nice." This project is that, but for Linux.

I love how using the serial interface they just pulled off all the binaries using netcat, I mean why go hard with SPI or a flash reader interface if you don't have to? The results are typical, poorly coded protections and buffer overflows.

This, THIS, is why we cannot trust suppliers and have to pay attention to supply chain issues. The hardware, software and firmware that you acquire DOES NOT come with perfect security 100% of the time, and never will!

Crazy story: "Now, 5 years after the company collapsed, I acquired one of their signs to investigate why the company failed. Along the way I ended up taking over the company’s sign control domain and writing an exploit to get full control of any signs still in the field."

So many flaws: "However, this ATECC CryptoAuthentication implementation contains flaws that can be leveraged to compromise the integrity of the system. The secure element shared secret is exposed, as shown in Figure 1, which allows attackers to abuse the secure element. The shared secret resides in the device’s nonvolatile storage which can be accessed by attackers. The CryptoAuthentication chip can be used as an oracle to generate the decryption seed which is used to derive AES keys for encrypted firmware. The plaintext bootloader reveals the firmware AES key derivation and decryption scheme. "

This is an interesting read: "with it immediately failing if the key isn't RSA. Which it isn't, since the Secure Enclave doesn't support RSA. Apple's PKCS#11 module appears incapable of making use of keys generated on Apple's hardware."

Charles McGonigal, who was chief of counterintelligence, worked secretly for Oleg Deripaska, a Russian oligarch associated with acts of bribery, extortion and violence.

Mr. McGonigal, while working for the bureau, took $225,000 in secret cash payments and concealed that relationship from the F.B.I.

Mr. Deripaska was a client of Paul Manafort, who for several months in 2016 served as Donald J. Trump’s campaign chairman and in 2018 was convicted of financial fraud and other crimes.

CNET has been quietly publishing machine learning-generated stories. CNET's AI-written articles aren't just riddled with errors. They also appear to be substantially plagiarized.

Apple now lets you protect your Apple ID and iCloud account with hardware security keys, a significant upgrade for those who want maximum protection from hackers, identity thieves, or snoops.

From August 2021 to December 2022, we have observed 134 million exploit attempts in total, targeting CVE-2021-35394. CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection. Realtek chipsets are omnipresent in the IoT world, and even when the Taiwanese chip maker pushes security updates to address problems in its products quickly, supply chain complexities delay their delivery to end users.