UEFI HEAP CORRUPTION EXPLOITATION ON VMWARE
TTS
Video shows sample exploitation of one UEFI vulnerability. The bug itself was already patched in EDK2 sources. I believe more curious readers will find the one I'm referring to. The payload is designed to write some silly output to the serial port since writing to screen is kinda no-go. The cool fact about this bug is that it happens very early - before user can even enter UEFI setup. Same thing happens on my mac mini machine.
Bug itself is a heap corruption (heap overwrite) vulnerability. I wouldn't say exploitation is reliable. It heavily depends on the hardware devices installed and the memory layout -- even though I'm using only one hardcoded value which is stable among different VMware machines. Even though UEFI is the new standard custom vendors use custom UEFI implementations (AMI, PHOENIX, APPLE). Each implementation typically includes different set of drivers and different memory layout. Debugging this on real hardware is a mess. Anyway since the UEFI images can be relocated in memory I would suggest using the BIOS ROM memory (0xFFE00000) for some further exploitation voodoo (obviously still different vendor = different firmware but at least you have some stable memory address).
Since users do not really patch their firmware the same vulnerability still exists on Apple MAC computers (for example on my mac mini which I kinda bricked trying to debug this crap).
He was turned to steel
In the great magnetic field...
Likes: 0
Viewed:
source
Gloss