Extreme Privilege Escalation on Windows 8/UEFI Systems

Abstract

Public disclosure of two vulnerabilities (VU#552286) that allow a ring 3 attacker to feed a UEFI system a fake BIOS update, cause memory corruption while the update is being parsed, and execute arbitrary code in the context of SMM, before signature checks or any other protection mechanisms are in play. These vulnerabilities affected hundreds of PC models. This talk also introduced “The Watcher”, a PoC SMM agent that can perform arbitrary code execution on behalf of an attacker.

Publication
In BlackHat USA 2014, Defcon 2014, Hack in the Box KUL 2014, and Hack.lu 2014

This vulnerability (VU#552286) won the Pwnie Award for Best Privilege Escalation in 2014, for its capability to jump from Windows Userspace (with Admin privileges) to SMM.

Xeno Kovah
Dark Mentor Level X

Hacking firmware like it’s no big deal.