DEF CON 31 - Ringhopper - How We Almost Zero day’d the World - Benny Zeltser, Jonathan Lusky
68,943 views
Shared 2023-09-16
We will survey the discovery and disclosure of a family of industry-wide vulnerabilities in various UEFI implementations, affecting more than eight major vendors and leaving billions of devices vulnerable to our attack. Then, we will deep-dive into the innards of SMM exploitation and discuss methods to use and abuse various functionalities and properties of edk2 to gain code execution. We will unveil both our futile and fruitful quests of crafting our way to SMM, and detail both the paths that led to dead ends and the route to success.
We will give a detailed overview of different ways to mount this kind of attack from user-land, on both Windows and Linux, by chaining multiple vulnerabilities together.
Finally, we will show RingHopper hopping from user-space to… SMM.
Comments (21)
-
I think what's wildest to me is that the kernel-level exploitation after the fact seemed like it was simply an afterthought. Wild stuff. The negative ring spaces seem to have NOT been the answer engineers had hoped for.
-
I would have given up at each and every setback! I hope this was more fun than it sounds like.
-
"AMI lets us do some pretty amazing things from user space" -- in a talk full of great quotes, that's maybe my favorite. So, would you consider attacking RISC-V OpenSBI?
-
Great talk, great research! So lucky to have you folks
-
Basically, if your PC randomly sleeps, just throw it out the window, but first check for passers-by. If you don't have a window, drop the network, disconnect your hard drive and mobo, and put both into the microwave at 1000 W 😂
-
From around 6:00 I was screaming DMA DMA DMA to myself... Fuck, I was right 😂
-
So this is why my laptop got all those sleep mode firmware updates 😬
-
Thank you for citing your meme sources.
-
Well done, guys👏👏👏 Great one!
-
The best talk at DEF CON 31 💪
-
Race condition chaining from hell, love it.
-
Finally, an interesting talk from DEF CON 31. I was beginning to lose hope 😅
-
An exploitation researcher at MITRE wrote a PoC SMM rootkit called LightEater.
-
So this is the reason why my machine was in sleep mode after vacation?
-
Soooo, every CPU post-Core Duo is permanently vulnerable to ring -2 attacks unless we can disable the on-chip operating system?
-
is it 420 or 42o?
-
👏👏👏
-
Dude, this s-t's been broken for years. Been pwning SMM IN NON-ROOT USERSPACE since 2015. SMM is not well written, designed, etc. Bugs abound. Only issue is persistence... i.e. you brick the CPU if your scratch pad overflows into something containing a FW patch. It's why I don't trust the "cloud".
-
Can anyone dumb down what's going on here? I don't speak nerd. Am I okay with not having UEFI but good, old BIOS?
-
Attacking the x86 architecture is not "zero-daying the world". The world doesn't run exclusively on x86.