Everyone gets a rootkit - vulnerability on every Windows OS since 2012

Summary

Title credit to Eclypsium, I liked it. Since Windows 8's release in 2012, Microsoft has included something called the Windows Platform Binary Table (WPBT). A weakness has been discovered that can allow an attacker to run malicious code with kernel privileges when a device boots up. It can allegedly be exploited in a number of ways, through either physical or remote access, and allows malicious software to bypass e.g. Windows Defender or BitLocker.

 

Quotes

Quote


This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc). Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.

This functionality was intended to let OEMs include important files, drivers, or executables for the system without needing to modify the Windows image on disk. The technology has been used by a number of vendors including Lenovo, ASUS, and many others. However, by executing files and modifying the operating system, this type of functionality can be seen as a vendor-specific rootkit. Acclaimed researcher and co-author of Windows Internals, Alex Ionescu, has been calling out the dangers of WPBT as a rootkit as early as 2012 and continues to do so today.

By compromising the firmware update process, we were able to load our own implant DXE driver which controls various boot-related functions. Since UEFI ACPI protocols allow drivers to modify ACPI tables, we were able to add a new WPBT table of our choosing. <snip> However, this officially should NOT have worked, as WPBT requires any binaries to be properly signed. Microsoft’s WPBT code-signing policy states: <snip> However, our testing revealed that this check will pass even if the code signing certificate has been explicitly revoked.

 

Quote

This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc). Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.

Attacker With Physical Access – An attacker with physical access can launch a DMA attack to directly read and write system memory, and thus patch the WPBT table. Some DMA attacks can be performed without opening the device chassis while others will require the more invasive step of opening the device itself.


Remote Attacker – Remote attackers can compromise devices in a variety of ways. Malware such as TrickBot can identify vulnerable UEFI firmware that can be compromised directly. With control of firmware the attacker could directly control WPBT. Likewise, malware or remote attackers could use vulnerabilities such as BootHole to run a malicious bootloader capable of updating WPBT.

Supply Chain Attack – Malicious firmware can also be introduced in the supply chain or vendor update process. In our example, we were able to compromise the valid firmware update process of the device, so it is important to note that such a compromise can happen before as well as after a device is acquired. In addition to compromises to UEFI/BIOS firmware, firmware within DMA-capable devices such as SSD, network adapters, or PCIe interfaces could lead to a corruption of the WPBT table.

 

Quote

Microsoft recommends customers use Windows Defender Application Control (WDAC) to limit what is allowed to run on their devices. WDAC policy is also enforced for binaries included in the WPBT and should mitigate this issue. We recommend customers implement a WDAC policy that is as restrictive as practical for their environment. You can find documentation on WDAC – https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview

My thoughts

Not too long ago we had the news of a malicious driver being signed, and now it seems just about anything can be loaded. My hacking skills aren't good enough to see how easy this will be to exploit in daily life, but it sure sounds like one of the more serious vulnerabilities. Microsoft recommends strict(er) control through Windows Defender, but if I understand correctly it doesn't seem particularly well enforced, so how is that going to help? Since some seem to have been calling this out since its inception pretty much, I somehow doubt we'll see much change in the future, but fingers crossed this will get some more attention. I can only assume Windows 11 is affected the same?

 

[Edit] Lenovo seems to have pulled stuff years ago already due to attempted exploits using this system: https://support.lenovo.com/nl/en/product_security/lse_bios_notebook

 

Sources

https://eclypsium.com/2021/09/20/everyone-gets-a-rootkit/

https://nl.hardware.info/nieuws/78620/windows-systemen-zijn-sinds-windows-8-kwetsbaar-voor-malafide-rootkits

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | Storage: 250 GB Crucial BX100 SSD + 2 TB Seagate HDD + 1TB WD Green + 3TB WD Red | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB


inb4 people accuse MS of doing this intentionally to move people to W11 because this is the kind of thing TPMs and secure boot are "supposed" to prevent

🌲🌲🌲

Judge the product by its own merits, not by the Company that created it.

 

Don't dilute <good thing> by always trying to focus on, and drag conversation back to, <bad thing>.

🌲🌲🌲

53 minutes ago, Arika S said:

MS of doing this intentionally

Wouldn't be surprised, at all...
1 hour ago, Arika S said:

inb4 people accuse MS of doing this intentionally to move people to W11 because this is the kind of thing TPMs and secure boot are "supposed" to prevent

It sounds like this security vulnerability also exists in Windows 11, so that theory has some pretty big holes in it.

2 minutes ago, LAwLz said:

It sounds like this security vulnerability also exists in Windows 11, so that theory has some pretty big holes in it.

that hasn't stopped people before

45 minutes ago, Kadzo said:

(*grabs pitchforks*)

(*runs back to grab torches as well*)

 

That being said, glad I'm not using windows anymore......

Now I only have to deal with the plethora of unpatched UNIX vulnerabilities

So just to be clear: this is only implemented in "OEM machines"?

 

The article is not clear and even contradicts itself in this regard.

 

Also technically not news, because I read about this years ago (I honestly thought it's patched by now...)

 

@tikker you mean win8 release in 2012? It says 2021...

 

AMD stands for Advanced Micro Machines

-ColdFusion, 2021

1 minute ago, Mark Kaine said:

So just to be clear: this is only implemented in "OEM machines"?

I don't think so, it seems to be exploitable regardless of whether it's an OEM or DIY machine, since the core mechanisms that allow OEMs to do what they do exist within Windows itself.

 

Which basically means that it's a problem not just for MS, but for all OEMs/Vendors, which is going to be good fun to see what happens.

30 minutes ago, Mark Kaine said:

So just to be clear: this is only implemented in "OEM machines"?

 

The article is not clear and even contradicts itself in this regard.

 

Also technically not news, because I read about this years ago (I honestly thought it's patched by now...)

 

@tikker you mean win8 release in 2012? It says 2021...

 

Oh whoops. Yeah I meant 2012 there. As I understand it, it's a feature intended (mainly) for OEMs, but is a normal Windows feature and thus generally exploitable.

1 hour ago, Arika S said:

I don't think so, it seems to be exploitable regardless of whether it's an OEM or DIY machine, since the core mechanisms that allow OEMs to do what they do exist within Windows itself.

 

Which basically means that it's a problem not just for MS, but for all OEMs/Vendors, which is going to be good fun to see what happens.

 

1 hour ago, tikker said:

it's a feature intended (mainly) for OEMs, but is a normal Windows feature and thus generally exploitable.

 

This is what Alex Ionescu says (which is, untypically for him, rather vague)

 

Quote

Note the Windows binary in ACPI memory. This is a lovely "Windows Platform Binary Table" (WPBT) rootkit that most OEM vendors now shove in your systems.

so not all of them, and it sounds like a "feature" that needs to be enabled first, so potentially all systems - but it's not enabled by default...

 

(definitely open for interpretation hence "vague")

1 hour ago, Mark Kaine said:

 

 

This is what Alex Ionescu says (which is, untypically for him, rather vague)

 

so not all of them, and it sounds like a "feature" that needs to be enabled first, so potentially all systems - but it's not enabled by default...

 

(definitely open for interpretation hence "vague")

Yeah I can't quite figure it out yet. According to Microsoft

Quote

This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.
The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute.  The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk.

which doesn't make it sound turned off by default and as long as you can mess with the boot firmware seems to allow exploitation.

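As an added example (not code from the thread, from Eclypsium or from Microsoft), here is a PowerShell check a defender can run to see whether the firmware on a given machine actually published a WPBT and whether the binary it hands off carries a valid signature. It uses the Win32 EnumSystemFirmwareTables/GetSystemFirmwareTable APIs; the field offsets after the 36-byte ACPI header follow Microsoft's WPBT specification as I read it, which is an assumption to verify against that document.

```powershell
# Added example: enumerate ACPI tables and report a firmware-published WPBT.
# Offsets after the ACPI header are taken from Microsoft's WPBT spec (assumed).
$sig = @"
using System;
using System.Runtime.InteropServices;
public static class FwTbl {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buf, uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint id, byte[] buf, uint size);
}
"@
Add-Type -TypeDefinition $sig

$ACPI = 0x41435049   # 'ACPI' firmware-table provider signature

# First call with a null buffer returns the size needed; second call fills it
# with the 4-byte signatures of every ACPI table the firmware exposed.
$need = [FwTbl]::EnumSystemFirmwareTables($ACPI, $null, 0)
$ids  = New-Object byte[] $need
[void][FwTbl]::EnumSystemFirmwareTables($ACPI, $ids, $need)

$found = $false
for ($i = 0; $i -lt $ids.Length; $i += 4) {
    if ([Text.Encoding]::ASCII.GetString($ids, $i, 4) -ne 'WPBT') { continue }
    $found = $true
    $id  = [BitConverter]::ToUInt32($ids, $i)      # same byte order as the enum buffer
    $len = [FwTbl]::GetSystemFirmwareTable($ACPI, $id, $null, 0)
    $tbl = New-Object byte[] $len
    [void][FwTbl]::GetSystemFirmwareTable($ACPI, $id, $tbl, $len)

    # 36-byte ACPI header (OEM ID at offset 10), then the WPBT-specific fields.
    [pscustomobject]@{
        OemId         = [Text.Encoding]::ASCII.GetString($tbl, 10, 6).Trim()
        TableLength   = [BitConverter]::ToUInt32($tbl, 4)
        HandoffSize   = [BitConverter]::ToUInt32($tbl, 36)   # size of the handed-off binary
        HandoffPhys   = ('0x{0:X}' -f [BitConverter]::ToUInt64($tbl, 40)) # its physical address
        ContentLayout = $tbl[48]                             # 1 = single PE image (spec)
        ContentType   = $tbl[49]                             # 1 = native user-mode app (spec)
    } | Format-List
}
if (-not $found) { 'No WPBT table published by firmware.' }

# Session Manager writes the handed-off binary here at boot. Inspect its signature;
# per the Eclypsium finding, a revoked certificate may still have passed at boot.
$bin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $bin) {
    Get-AuthenticodeSignature $bin |
        Select-Object Status, StatusMessage, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
}
```

Run it in an elevated PowerShell on a machine where a WPBT is suspected; a machine with no WPBT and no wpbbin.exe prints only the "No WPBT" line.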
1 hour ago, Mark Kaine said:

 

 

This is what Alex Ionescu says (which is, untypically for him, rather vague)

 

so not all of them, and it sounds like a "feature" that needs to be enabled first, so potentially all systems - but it's not enabled by default...

 

(definitely open for interpretation hence "vague")

I'm not worried. I'm sure there will be a patch soon. If not, well, guess MS will just have to give Windows 12 away for free 🤷‍♂️

17 minutes ago, tikker said:

Yeah I can't quite figure it out yet. According to Microsoft

which doesn't make it sound turned off by default and as long as you can mess with the boot firmware seems to allow exploitation.

Yeah, as I said, it's not clear to me... this implies BIOS access is needed...? If so then 🤔

 

 

8 hours ago, Arika S said:

inb4 people accuse MS of doing this intentionally to move people to W11 because this is the kind of thing TPMs and secure boot are "supposed" to prevent

The issue is this WPBT is provided by MS so that vendors can inject code into a signed secure boot.

 

55 minutes ago, Mark Kaine said:

Yeah, as I said, it's not clear to me... this implies BIOS access is needed...? If so then 🤔

 

Even with BIOS access you should not be able to inject code into a secure boot OS; that is the entire point of secure boot.
 

3 hours ago, Mark Kaine said:

so not all of them, and it sounds like a "feature" that needs to be enabled first, so potentially all systems - but it's not enabled by default...

I suppose the follow-on question is how do you enable it, and can the attacker do this? Is it just a matter of writing the correct boot args to the UEFI?
1 hour ago, SlidewaysZ said:

This is literally a 2015 security exploit. I guess they just didn't patch it because too many companies used it as a way to exploit it themselves to install stuff

 

https://www.google.com/amp/s/www.howtogeek.com/226308/the-windows-platform-binary-table-why-crapware-can-come-back-after-a-clean-install/amp/

 

Why Microsoft why! You had this issue in 2015! 

Yep, break out those torches and pitchforks. 

My eyes see the past…

My camera lens sees the present…

9 hours ago, Arika S said:

inb4 people accuse MS of doing this intentionally to move people to W11 because this is the kind of thing TPMs and secure boot are "supposed" to prevent

That's some massive pre-planning on Microsoft's part, damn impressive lol

2 hours ago, SlidewaysZ said:

This is literally a 2015 security exploit. I guess they just didn't patch it because too many companies used it as a way to exploit it themselves to install stuff

 

https://www.google.com/amp/s/www.howtogeek.com/226308/the-windows-platform-binary-table-why-crapware-can-come-back-after-a-clean-install/amp/

 

Why Microsoft why! You had this issue in 2015! 

Haven't read the article, but as for the title... I know that... hidden partitions! Removed them from my laptop, no more dumb Lenovo "help center" apps!

 

 

1 hour ago, hishnash said:

Even with BIOS access you should not be able to inject code into a secure boot OS that is the entire point of secure boot. 

 

1 hour ago, hishnash said:

I suppose the follow-on question is how do you enable it, and can the attacker do this? Is it just a matter of writing the correct boot args to the UEFI?

Right, it doesn't seem the "tech news" sites are capable of explaining or understanding this... quelle surprise! AFAIK, you need access to the machine for this (unless it's already installed by... "OEM")???

 

 

13 hours ago, tikker said:

Lenovo seems to have pulled stuff years ago already due to attempted exploits using this system: https://support.lenovo.com/nl/en/product_security/lse_bios_notebook

Lenovo used this to install the LSE (and the LSE had an issue).

 

While there is an exploit, it really seems as though it's limited to physical access or supply chain issues... but there have been similar things in the past (graphics cards that contain malware in their firmware, etc).

3735928559 - Beware of the dead beef
