#357 me11 unsigned code exec

Open
opened 2 years ago by vimuser · 8 comments

https://www.blackhat.com/eu-17/ see talk about ME v11 code execution there

Also, intel responded:

interesting: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

If PoC and src are given and the exploit is published, we might be able to get libreboot on newer systems in the future

Leah Rowe commented 2 years ago
Owner

person of interest https://twitter.com/h0t_max

let's hope that this person doesn't "help" intel "fix" this "bug". what intel refers to as a "security vulnerability" actually enables libreboot, potentially

consts commented 2 years ago

Another person of interest https://twitter.com/_markel___ It's a team of two PT guys

consts commented 2 years ago

* How to hack a turned off computer or running unsigned code in Intel Management Engine
  Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
  Whitepaper: https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf

* Intel ME: Flash File System Explained
  Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
  Whitepaper: https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf

consts commented 2 years ago
Another article could be useful http://blog.ptsecurity.com/2017/12/huffman-tables-intel-me.html
consts commented 2 years ago

I chatted with h0t_max and he said, that they would share details about how they activated JTAG in PCH. So, they must be in the schedule of 34c3 https://events.ccc.de/congress/2017/Fahrplan/events/8762.html

consts commented 2 years ago

> Starting ME12.x, when incrementing the SVN, the new SVN value will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel® ME FW to a lower SVN. The mitigation occurs in Intel® ME ROM which validates the FW contains a valid SVN on every boot. All of Intel® ME data protection keys are cryptographically bound to the security version number located within the FW (SVN). This prevents data, such as disk encryption keys, from being accessed by the attacker following a downgrade.
>
> Intel® ME will only allow systems to boot where Intel® ME FW SVN ≥ SVN FPF HW value. In case where FPF HW SVN > Intel® ME FW SVN, the platform will not boot. Recovering such downgraded systems will require physical flashing to Intel® ME FW SVN ≥ SVN FPF HW value.

https://github.com/corna/me_cleaner/issues/111#issuecomment-350480591

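Added example (not part of this thread, and not Intel's or Positive Technologies' code): a small Python model of the SVN/FPF anti-rollback scheme quoted above. The fuse object, the ROM check, the HMAC-SHA256 key derivation and the toy seal/unseal are all assumptions made for illustration, as is the sample secret. What it shows is that a flashed-back lower-SVN image is refused by the ROM while the fuse is enforced, and that even on a ROM that does not enforce it, the key derived under the old SVN cannot unseal data protected under the newer one, so recovery really does require flashing an image with SVN ≥ the fused value.

```python
"""Model of SVN-in-FPF anti-rollback: fuse-backed minimum SVN plus SVN-bound keys.

Everything here is an illustrative assumption; it is not Intel's ROM, KDF or
sealing format.
"""
import hashlib
import hmac


class FieldProgrammableFuses:
    """Fuses are write-once per bit, so the stored SVN can only ever grow."""

    def __init__(self, svn=0):
        self.svn = svn

    def burn_svn(self, new_svn):
        # A request to lower the value is a no-op: blown fuses cannot be unblown.
        if new_svn > self.svn:
            self.svn = new_svn
        return self.svn


def rom_boot_check(fw_svn, fpf_svn):
    """ROM policy quoted above: boot only when FW SVN >= FPF SVN."""
    return fw_svn >= fpf_svn


def derive_data_key(root_key, fw_svn):
    """Bind a data-protection key to the SVN (assumed KDF: HMAC-SHA256 over a label and the SVN)."""
    info = b"me-data-key|" + fw_svn.to_bytes(4, "little")
    return hmac.new(root_key, info, hashlib.sha256).digest()


def seal(key, secret):
    """Toy seal: SHA-256 keystream XOR plus HMAC tag. Demonstrates key binding only; not a real AEAD."""
    stream = hashlib.sha256(key + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def unseal(key, ct, tag):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def boot(fpf, fw_svn, root_key, enforce_fpf=True):
    """One ROM boot: refuse lower-SVN firmware, advance the fuse, derive the SVN-bound key.

    enforce_fpf=False models a ROM without the fuse check (the pre-ME12 situation
    in the quote), where the downgrade boots but still gets the wrong key.
    """
    if enforce_fpf and not rom_boot_check(fw_svn, fpf.svn):
        return None
    fpf.burn_svn(fw_svn)
    return derive_data_key(root_key, fw_svn)


def simulate(root_key=bytes(range(32))):
    """Update SVN 1 -> 2, protect data under SVN 2, then flash SVN 1 back."""
    fpf = FieldProgrammableFuses()
    secret = b"disk-encryption-key-material"  # constructed sample secret, <= 32 bytes

    boot(fpf, 1, root_key)                      # initial firmware, fuse -> 1
    key_v2 = boot(fpf, 2, root_key)             # update, fuse -> 2
    ct, tag = seal(key_v2, secret)              # data now bound to the SVN-2 key

    downgrade_boots = boot(fpf, 1, root_key) is not None          # enforced: refused
    key_old = boot(fpf, 1, root_key, enforce_fpf=False)           # unenforced: boots

    return {
        "fpf_svn": fpf.svn,
        "downgrade_boots": downgrade_boots,
        "old_key_recovers_data": unseal(key_old, ct, tag) is not None,
        "current_key_recovers_data": unseal(key_v2, ct, tag) == secret,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The ROM check and the key binding are independent mitigations: the first stops the downgraded image from running at all, the second limits what it could read if it did run.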
consts commented 2 years ago

Intel ME File System Explorer https://github.com/ptresearch/parseMFS

consts commented 2 years ago

PDF slides about Intel ME JTAG activation https://github.com/ptresearch/IntelME-JTAG
