[CVE-2015-2552] Windows 8+ - Trusted Boot Bypass

Oct 14th, 2015
Vulnerability title (Microsoft): Trusted Boot Security Feature Bypass Vulnerability
CVE: CVE-2015-2552
Vendor: Microsoft
Product: Windows NT series 8.0+
Affected versions: See "systems affected".
Reported by: "Myria"

Vulnerability Summary:
=====================
An attacker with administrative access to a Windows machine with UEFI Secure
Boot enabled may bypass code signing policy checks by putting intentionally
malformed configuration options in the boot configuration database (BCD).

Vulnerability Details:
=====================
On a Windows system with Secure Boot enabled, Windows doesn't correctly
protect against attempts to enable features that are prohibited while UEFI
Secure Boot is enabled, such as "test-signing" and the local kernel
debugger. This allows loading unsigned kernel drivers or, on locked-down
Windows installations like Windows RT, effecting a "jailbreak".

In Windows Vista and later, the boot configuration database ("BCD") is a
registry hive used by the operating system boot loader to load and prepare
the NT kernel (ntoskrnl.exe) for launch. On UEFI systems, this task is
split between bootmgr.efi and winload.efi. The latter contains this
vulnerability.

One of winload.efi's responsibilities is to take the settings in BCD and
translate them into a simple command line for the kernel, much as a Linux
boot loader does. When an attempt to enable a prohibited feature such as
"test-signing" is made the standard way, winload.efi blocks the attempt by
not passing the "/TESTSIGNING" command-line option to the NT kernel.

The BCD setting named "loadoptions" allows passing arbitrary command-line
arguments to the NT kernel. An obvious attack would be to put "/TESTSIGNING"
into the "loadoptions" field. winload.efi counters this obvious attack by
checking the field against a blacklist of strings, but fails to account for
Unicode.

BCD, being a registry hive, stores all strings as UTF-16. To search for the
prohibited strings, winload.efi calls wcsstr(). However, ntoskrnl.exe takes
its command line as ASCII bytes. To convert from UTF-16 to ASCII,
winload.efi simply truncates each 16-bit code unit to 8 bits.

The bug is then simple: winload.efi checks the pre-transformation data,
while ntoskrnl.exe parses the post-transformation data. By replacing
character(s) of a blacklisted string with Unicode characters that become the
original character(s) when truncated to 8 bits, one can get past the
wcsstr() check while still passing the desired parameter to the kernel.

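The check-then-transform ordering described above, as an added example that is not code from the advisory or from winload.efi: a toy C model of the vulnerable filter beside a hardened one that converts first, filters the exact bytes the kernel would parse, and refuses any code unit that truncation could alias. The blacklist entries, the function names and the option strings are constructed for illustration.

```c
#include <string.h>
#include <wchar.h>
#include <stdint.h>

/* Constructed stand-ins for the prohibited options winload.efi filters
 * (the real list is not on the page). */
static const wchar_t *const BLOCKED_WIDE[]   = { L"/TESTSIGNING", L"/DEBUG" };
static const char    *const BLOCKED_NARROW[] = { "/TESTSIGNING", "/DEBUG" };
#define N_BLOCKED 2

/* Lossy conversion as the advisory describes it: each UTF-16 code unit
 * is truncated to its low byte, so U+0145 becomes 0x45 ('E'). */
static void truncate_to_8bit(const wchar_t *in, char *out, size_t outlen)
{
    size_t i = 0;
    for (; in[i] != L'\0' && i + 1 < outlen; i++)
        out[i] = (char)((uint32_t)in[i] & 0xFFu);
    out[i] = '\0';
}

/* Vulnerable order: filter the UTF-16 text, then convert. Returns 1 and
 * fills kernel_cmdline when the options are handed to the kernel. */
int vulnerable_allows(const wchar_t *loadoptions, char *kernel_cmdline, size_t n)
{
    for (int i = 0; i < N_BLOCKED; i++)
        if (wcsstr(loadoptions, BLOCKED_WIDE[i]) != NULL)
            return 0;                 /* the crafted string looks clean here */
    truncate_to_8bit(loadoptions, kernel_cmdline, n); /* ...and aliases here */
    return 1;
}

/* Hardened order: reject any code unit truncation could alias, convert,
 * then filter exactly the bytes the kernel will parse. */
int hardened_allows(const wchar_t *loadoptions, char *kernel_cmdline, size_t n)
{
    for (const wchar_t *p = loadoptions; *p != L'\0'; p++)
        if ((uint32_t)*p > 0x7Fu)
            return 0;
    truncate_to_8bit(loadoptions, kernel_cmdline, n);
    for (int i = 0; i < N_BLOCKED; i++)
        if (strstr(kernel_cmdline, BLOCKED_NARROW[i]) != NULL)
            return 0;
    return 1;
}
```

Running both filters over the advisory's PoC string shows the vulnerable one handing "/TESTSIGNING" to the kernel while the hardened one rejects it before conversion.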
Proof of Concept:
================
In an Administrator-privileged instance of PowerShell, execute the
following command, then reboot:

bcdedit /set '{current}' loadoptions '/T_STSIGNING'

replacing "_" with the Unicode character U+0145 ("Latin Capital Letter N
With Cedilla"), whose low byte is 0x45, "E". The machine will come back up
with test-signing enabled, which can be seen by the watermark in the
lower-right corner of the desktop.

Impact:
======
Users or programs with administrative access to a machine can escalate to
kernel privilege by loading unsigned drivers, or by using the kernel
debugger to poke at kernel memory and gain arbitrary code execution.

Users can intentionally use this on their own devices to bypass lockdowns
on certain products (Windows Phone, Windows RT).

Mitigating Factors:
==================
- The attack requires administrative access.
- A watermark appears when test-signing is enabled, but the watermark is
  bypassable.

No public attack is known against systems whose owner does not want the
exploit.

Systems affected:
================
UEFI systems with Secure Boot enabled running the following:

Windows 8
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows Server 2016 Technical Preview
Windows RT 8.0
Windows RT 8.1
Windows Phone 8
Windows Phone 8.1
Windows Mobile 10 Preview

Advisory:
========
https://technet.microsoft.com/en-us/library/security/ms15-111.aspx

Solution:
========
Install KB3088195.
https://support.microsoft.com/en-us/kb/3096447
(mismatched number intentional)

Disclosure Timeline:
===================
Discovery: Approximately summer 2013
Vendor notification: Unknown (*)
Vendor fixed vulnerability: October 13, 2015
Public advisory: October 13, 2015
Public disclosure: October 13, 2015

(*) The author, the original discoverer, did not report it. The author
believes that the disclosure happened in approximately spring 2015.