DEF CON 31 - Ringhopper - How We Almost Zero day’d the World - Benny Zeltser, Jonathan Lusky

Shared 2023-09-16
Last year we almost zero-day’d the world with the publication of RingHopper. Now we can finally share some juicy details and invite you for an illuminating journey as we delve into the realm of RingHopper, a method to hop from user-land to SMM.

We will survey the discovery and disclosure of a family of industry-wide vulnerabilities in various UEFI implementations, affecting more than eight major vendors, making billions of devices vulnerable to our attack. Then, we will deep-dive into the innards of SMM exploitation and discuss methods to use and abuse various functionalities and properties of edk2 to gain code execution. We will unveil both our futile and fruitful quests of crafting our way to SMM, and detail both the paths that lead to dead-ends, and the route to success.

We will give a detailed overview of different ways to elevate this kind of attack to user-land both on Windows and Linux by chaining multiple vulnerabilities together.

Finally, we will show RingHopper hopping from user-space to… SMM.

Comments (21)
  • @alexlefevre3555
    I think what's the most wild to me is the kernel level exploitation after the fact seemed like it was simply an afterthought. Wild stuff. The negative ring spaces seem to have NOT been the answer engineers had hoped.
  • @Sean_neaS
    I would have given up at each and every setback! I hope this was more fun than it sounds like.
  • @ronminnich
    "AMI lets us do some pretty amazing things from user space" -- in a talk full of great quotes, that's maybe my favorite. So, would you consider attacking RISC-V OpenSBI?
  • @brujua7
    Great talk, great research! So lucky to have you folks
  • @bubbleopter
    Basically, if your PC randomly sleeps, just throw it out the window, but first check for passersby. If you don't have a window, drop the network, disconnect your hard drive and mobo, and put both into the microwave at 1000 W 😂
  • @n1k0n_
    So this is why my laptop got all those sleep mode firmware updates 😬
  • @GSX-R-lg3ei
    Race condition chaining from hell, love it.
  • Finally an interesting talk from Def Con 31. I was beginning to lose hope 😅
  • @Ben_EH-Heyeh
    Exploitation researcher at MITRE wrote a PoC SMM rootkit called LightEater.
  • Soooo, every CPU post Core Duo is permanently vulnerable to ring -2 attacks unless we can disable the on chip operating system?
  • @t_r
    👏👏👏
  • @robmorgan1214
    Dude, this s-t's been broken for years. Been pwning SMM IN NON-ROOT USERSPACE since 2015. SMM is not well written, designed, etc. Bugs abound. Only issue is persistence, i.e. you brick the CPU if your scratch pad overflows into something containing a FW patch. It's why I don't trust the "cloud".
  • Can anyone dumb down what's going on here? I don't speak nerd. Am I okay with not having UEFI but good, old BIOS?
  • @JonMasters
    Attacking the x86 architecture is not “zero daying the world”. The world doesn’t run exclusively on x86.