We take a look at UEFI platform initialization firmware as found on the mainboards of many current laptops, desktops and servers.
Many security flaws, such as the recently discovered LogoFAIL vulnerability, expose both consumers and organizations to severe risks.
What strategies are there to find such issues, and how do we exploit them?
The rough plan is commonly:
- understanding the system/environment
  - data structures
  - domain specific tools
- manipulating the system/environment
  - input; this is our exploit :)
- monitoring the system/environment
  - emulators
  - probes
  - loggers, parsers
We have prepared a tool to scan memory for EFI data structures: https://github.com/platform-system-interface/ems
Here is a Ghidra plugin to assist: https://github.com/al3xtjames/ghidra-firmware-utils
For inspection and extraction, we can use e.g. Fiedka, the Fiano tool suite's utk and UEFITool.
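To illustrate what scanning memory for EFI data structures involves, here is an added example (not code from the ems tool or any project linked here) that searches a dump for the table signatures defined in the UEFI specification and validates each candidate's `EFI_TABLE_HEADER` CRC32. The sample dump and the names `check_header`, `scan` and `make_table` are constructed for illustration.

```python
import struct
import zlib

# EFI_TABLE_HEADER (UEFI spec), little-endian: Signature u64, Revision u32,
# HeaderSize u32, CRC32 u32 (over HeaderSize bytes, CRC field zeroed), Reserved u32.
HEADER = struct.Struct("<8sIIII")
SIGNATURES = {b"IBI SYST": "EFI_SYSTEM_TABLE",
              b"BOOTSERV": "EFI_BOOT_SERVICES",
              b"RUNTSERV": "EFI_RUNTIME_SERVICES"}

def check_header(image, pos, max_size=0x1000):
    """Return (revision, crc_ok) for a candidate header, or None if implausible."""
    if pos + HEADER.size > len(image):
        return None                      # signature cut off by the end of the dump
    _, revision, size, crc, _ = HEADER.unpack_from(image, pos)
    if not HEADER.size <= size <= max_size or pos + size > len(image):
        return None                      # HeaderSize is untrusted input: bound it
    table = bytearray(image[pos:pos + size])
    table[16:20] = bytes(4)              # zero the CRC32 field before hashing
    return f"{revision >> 16}.{revision & 0xFFFF}", zlib.crc32(table) == crc

def scan(image):
    """Find EFI table signatures; report (offset, name, revision, crc_ok)."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            checked = check_header(image, pos)
            if checked is not None:
                hits.append((pos, name, *checked))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def make_table(magic, revision, body):
    """Constructed sample data: a table whose header CRC32 is correct."""
    raw = bytearray(HEADER.pack(magic, revision, HEADER.size + len(body), 0, 0) + body)
    struct.pack_into("<I", raw, 16, zlib.crc32(raw))
    return bytes(raw)

# Constructed sample dump: one valid system table, one table with a flipped byte,
# and a bare signature at the very end (as a string constant in code would appear).
good = make_table(b"IBI SYST", (2 << 16) | 70, bytes(range(48)))
bad = bytearray(make_table(b"RUNTSERV", (2 << 16) | 70, bytes(64)))
bad[40] ^= 0xFF
SAMPLE = bytes(0x100) + good + bytes(0x40) + bytes(bad) + bytes(0x20) + b"BOOTSERV"

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("0x%06x %-22s rev %-5s crc_ok=%s" % hit)
```

A signature match alone is weak evidence, since the same eight bytes also occur as constants in firmware code; the CRC verdict separates intact tables from stray strings and from tables modified after the checksum was computed.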
- https://uefi.org/sites/default/files/resources/Jiewen%20Yao%20-%20SMM%20Protection%20in%20%20EDKII_Intel.pdf
- http://publications.alex-ionescu.com/Recon/ReconBru%202017%20-%20Getting%20Physical%20with%20USB%20Type-C,%20Windows%2010%20RAM%20Forensics%20and%20UEFI%20Attacks.pdf
- https://i.blackhat.com/EU-23/Presentations/EU-23-Pagani-LogoFAIL-Security-Implications-of-Image_REV2.pdf
- https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/