 Welcome back to DEF CON 28 safe mode blue team village live stream today. We're going to be talking with their arms talking, but he'll be talking Connor Morley. Discussing our haven the UEFI memory space decision to be misused reminder if you have any questions for the speaker. You can obviously reach them at their Twitter handle dealing with DM then within the discord channel or reach them on the flamingo hotel text talks track one will be watching for questions there. And over to you, Connor. Thank you very much. So hi everyone. My name is going to Morley. I'm a threat hunter with a secure countercept, which is an MDR DRT service. Today, I'll be talking about the UEFI memory space, how it can be exploited by a range of attackers and how I can defend against it. And I give it the upname of Alta Haven. So, proper agenda, what we're going to run through I'm going to do a quick crash course on what exactly UEFI is, why this is of interest to attackers and defenders and how to exploit the UEFI memory space. Regardless of your point of view, so all the way from APT actors all the way down to script kids. And you've got to go over some of the issues with defending against exploitation of this memory sector, how we can overcome those difficulties and monitor this memory area, and what this means for others in industry. So let's dive straight in the course of what exactly is UEFI. So a lot of people may have heard the term UEFI may not know exactly what it is. So you if I stands for the unified extensible family interface. It's the successor to BIOS. Most people will be familiar with BIOS basically the output system. It interfaces between the mechanical elements of a system and its operating system. So effectively it works as a translational between the operating system and the firmware hardware of your device hence firmware interface. And so for example, if the operating system requests a file to be opened, the file command gets run from the OS through the UEFI to the firmware of your storage device, it then allocates that memory sector and returns there and then that's how it's read. It's a very, very general basic overview. It's key for all system functionality. It's conductible boot operations. It can as I said, it conducts all interfaces between between the software and hardware. And it is essential and all modern computers. So it is found everywhere regardless of operating system that you're using. It's also widely considered almost secure and BIOS. So we introduced the concept of some secure boot. So secure boot is the idea that when drivers are loaded at boot time, the REM signature is checked in order to guarantee and verify that they're the correct and authorized driver. This idea of secure boot actually eliminated a really easy physical access bypass to older machines, which basically means as soon as you had physical access to a machine, you could easily bypass any security. One of the key things to mention about UEFI is that it is stored on the independent chip on your motherboard and NV round chip, which is totally isolated. It's its own independent component of the machine and it is attached to the motherboard. So it's completely isolated from everything else. It is its own piece of kit. So just to really intensify and solidify where this sits in your computer. So the UEFI, as I said, sits between your operating system and firmware and the firmware that talks to the hardware. So operating system, if you want to talk to your hardware, has to go through the UEFI. It's essentially, it is essentially just a translation layer of operating system commands down to firmware layer commands to receive whatever the system needs to do. So most people, when you're talking about UEFI and BIOS, they'll think of this sort of screen, you know, your boot screen, and sometimes with, you know, boot manual settings as one of those options at the bottom. But the majority of the users will see this sort of screen and just, you know, folk by as it puts up the computer and not the BIOS. Some people will obviously go into those settings, which looks something like this. So on the left you have the older BIOS settings configuration menu. And on the right you have the newer UEFI interactive GUI. So one of the things that UEFI actually allows to do is the use of graphic user interfaces, which is not available in BIOS. This allows for, as you can see, this is there, allows for branding, it allows for, you know, CPU temperatures and all this sort of stuff. It also allows for point and click, so use for mouse, whereas BIOS doesn't. This is to do primarily with how UEFI operates using UEFI binary files, which allows it with these layers so you can't talk about it. Again, so this allows for security settings, it allows for the boot order to be configured and such things like that. So most people will think this is sort of the limit of what you can, oh, this will be like the limit of what most people have dealt with. But the UEFI itself is actually a lot more complicated. It does a lot more in relation to your host. It runs the entire time that your computer is operating. And so it's not just the boot service, it's fundamental to all operations of all modern hosts that you find around the world. So there's a lot more to it, a lot of people and I'm not privy to. The key thing to note is it is always active, it is essential, and it's isolated from the rest of the system. So why is UEFI interesting to attackers and defenders alike? So why are attackers' red teamers looking at UEFI? So as I said earlier, the UEFI is isolated from the rest of the system on its own little island of Silicone. So it's segregated from the rest of the system by design. Because it's isolated, it's not well known about and it's considered quite low level technology. It's commonly overlooked in a lot of attack situations and normally isolated to the sort of APT root kit, sort of attack frameworks and methodologies and TDPs. So it's normally overlooked in most operations by defenders. So it gives this sort of idea that it's lucrative and valuable for attackers. The other thing to note is that remediation of anything on the UEFI is really difficult. With a lot of components on a machine, obviously you can shop and change them, hard drives, RAMs, if you really had to, changing the UEFI, if you had to, much more difficult. A lot of the time they're soldered onto the motherboard. So as you can imagine, changing that is a real pain. And even removing it, obviously interactively through an interface can be really tricky if you don't have experience with the UEFI. So as I said, there's a whole section later on that I'm going to cover about why remediation is difficult. And I'm going to go over that in a lot more detail. One of the other things to note about the UEFI is that by standard, by its own, by the standards of UEFI, everything written to it is automatically put as persistent. So it's non-volatile and everything that's written will automatically stay there throughout boots, which as you can imagine, from a sort of persistence attack methodology, sort of mentality, is inherently quite valuable. So although this is why attackers are looking at it, why are they looking at it now? What exactly has changed? So as I said, it's normally as being root kits and level of actors, ATPs, because it's a complex sort of area that a lot of people would look or don't really understand. But what's happened is that since Windows, actually since Windows actually, surprisingly, but more recently since Windows Vista and onwards, Windows has, Microsoft had gradually introduced more runtime access to the UEFI memory space. So the UEFI runs boot services and runtime services, and through the iterations of Windows and obviously their updates and newer versions, they've steadily introduced more and more runtime service access to the UEFI memory space. So research done last year at DEF CON, DEF CON 27, Michael Libowitz and Tova Timson, they did a whole presentation on this type of attack about how to avoid 300s and EDR by utilizing the UEFI memory space because it avoids detection. I was really recommending their research, really cool stuff, and obviously this is where this entire piece of research stemmed from. And they went into how they could use native Windows API functions to read and write into the UEFI memory space. So originally, when I first saw the talk, I thought, oh, this is worrying, but surely there must be a area around this. Again, this is a section that will come later on, but it was a gap that was found, or that I, when looking into it, I did see was in the security defensive structure. So because of their research, there is now very, not because of the research, but because of Microsoft's expansion to the runtime service access. There is, by their exposure, Windows API basic functionalities that allow read and write access into this lucrative, sort of not well understood memory sector that's isolated from the rest of the system, which is pretty valuable. So how is it that the UEFI memory space is exploited all the way from the AAPT actors, all the way down to strictities or newer attackers? So the way LibreWidth's intims and exposed was to use a C-sharp, pre-compiled payloads, using kind of 32.da.l exported functions, and get a firmware environment variable EX, and set a firmware environment variable EX. As you can imagine, these are the read and write functions. With these two methods, the attacker can install a payload into this memory space and then create an external persistence mechanism to read from this isolated memory space at a later point or by trigger in order to run a more malicious or internal payload or a beacon or agent or anything like that from the UEFI memory space. This obviously requires the payloads to be pre-built, so they have to be autotargeted and have an understanding of where they're going and what they can leverage out of the environment they're going into. It also has to specify at the time of compilation the variable names and the GUIDs or the vendor IDs of the variable they're going to be injecting into the memory space. And because of this, and obviously you have to have an understanding of how C-Shark can be used for API DLL interactions in order to leverage the 32.da.l in order to access the UEFI and write into it. So you have to have a good understanding and preparedness of who you're going to attack, how you're going to attack them, and obviously an understanding of the programming language itself in order to utilize it. So as attack methods go, this is quite advanced compared to obviously how you're pasting off the internet and running it as you like. You also have to have an understanding of UEFI variable constructs, their attributes, and how they're constructed. So there's a lot of layers to this sort of attack, but it is very powerful and you can leverage correctly as demonstrated was very effective. I decided to approach this from another angle, so instead of going for something pre-compiled and thought about what if we could just do like a drive-by sort of attack. So we went back to the old tried-and-true PowerShell, which is able to leverage the same DLL import functionality. So ignoring high-level codes, we found that the same functionality into the UEFI and space read and write could be annulated in PowerShell just as effective. You can do this as a PowerShell script or you can actually do it as a on-the-fly sort of write to terminal and execute, and both work just as well. The only caveat for both attacks is that it has to be run at an administrative level. The reason for this is the session that you're using in order to have firmware edit privileges. You have to do token escalation that can only occur as an admin. So emulating what Timsman and Liberwitz did, I was able to replicate this as a PowerShell, as I said, as a script and as a drive-by, and they were both extremely effective and fully functional. It was only after I'd translated their C-Shop code into PowerShell I found that a guy called Michael Nejas, sorry if I'm pronouncing that wrong, he's actually already written a PowerShell module online which you can download and import, which has the read and write functionality nicely wrapped as two separate functions, arguments, and all this sort of stuff, making the copy paste of my PowerShell scripting even easier and much smaller because you don't have to take into account the token escalation and importing the APIs and understanding how to do that. It does it all for you. So we've gone from pre-compiled targeted C-Shop payloads to very small on-the-fly copy paste PowerShell scripting, which as you can imagine, if you put that online, anyone can tweak the payload inside in and start playing around with it, and it's much easier to do much quicker. So I made some POC code. There's a link at the end for a repository where this is available to everyone. So the POC code is PowerShell, and we've done some reverse shell payload. The idea is that you've done some reverse shell payload into your file and then immediately runs it. So it's just a write, read, execute. Obviously in the real world, as I said earlier, you'd obviously write it to the memory space, you create persistence, read it later, extract it in an execute. For a POC, this seemed to work very well. So when I tested this, so the antivirus that I was using on the host, Windows 10, it detected obviously the reverse shell when it was running to memory, which is what you'd expect, but it didn't terminate it and it didn't remove the payload itself in the UEFI memory space. So the payload itself was still on the host, even after the AV had flagged it, which I'll demonstrate later. As an extra point, this will tie into the defensive problems later. As an attacker, what you might want to do is the first write operation you have into a UEFI memory space and the persistence that you create. When you run that first payload, delete the original entry into UEFI and the persistence and recreate it again. The reason is that the payload inside the first UEFI, if they find the way that you've injected into it, they can not see trace that back and figure out what you put there or what you've labeled it under and things like that. Whereas if you do it a second time from an encoded or encrypted payload inside the UEFI that you've been extracted and run again, it becomes much, much harder for investigators to track that from a point of infection to where you're going and what we're doing. So now comes the tricky bit. I do have a demo. So the demo has been created, this is a heads up to, it was OBS of a virtual machine, however it is fairly small. So I do apologize. The videos themselves are available afterwards. They'll be available for people to look over. And it will be a good description of what's around. So this is the first one. So this screen shows the drive-by payload that I'm going to be using in Notepad. As you can see, it's in by arrays. So I copy that. This payload is fairly available from the repository that's available at the end. This is pasted into the administrative PowerShell terminal. As you can see the who am I, CM underscore test. That's now being executed. So that's being written into UFI memory space and then being extracted and executed. So we're going to go to my attack box where I have a reverse TCP handler waiting for the connection from the POC code, which is going to be extracted from UFI memory. So we give that a few seconds and there it is. So that's the reverse shell from the UFI hosted payload and the who am I shows that it is CM underscore test. So it's the same machine that we just ran the PowerShell POC code on. One thing to note is that the PowerShell instance in that case will be running in the background. We'll be running in the background. So when you SCSQ to the output to PID of the PowerShell instance that it can be running as as a POC code, obviously in real attacks you wouldn't keep it as a PowerShell instance. You might migrate it to something else, but there we go. So that's the basically the balance of moving from generating payloads and then targeted attacks all the way down to probably pasting and giving this an effect. So that's the attack side of it. What about defending? So there are a number of issues with defending UFI memory space. And to understand these issues it's good to understand why Microsoft has slowly included more access controls to this memory space in their iterative versions. One of the main reasons is the simplification for firmware updates and maintenance. So for example, if you're a vendor of hardware, if you want to update the firmware of your device in the old versions you'd have to run the update and all you'd have to do specialised boot time scans in order to check that it was the correct version. Whereas now using these interfaces the operating system is able to run software that can check the installed version, make sure it's compatible, the right type, the right vendor, so on and so forth. It's also able to change the boot order from runtime so you no longer have to go into the UFI or BIOS menu. You can just do that straight from the operating system which obviously is much more user friendly for a lot of users. One of the interesting things is that in development of Windows they use UFI variables and memory space for crash dump data. So if you ever run Windows developer editions and you have a crash you'll find that it will output crash data to the UFI memory space because it's non-volatile by nature. They know that it will be stored so that they output there. It allows for much easier maintenance and upgrading and patching of the firmware level of a machine. But what restrictions are there on this variable access that Windows has introduced? Well, none, effectively. The only restriction I could find was a variable size. Over a certain size when you try to extract it you may have some issues because it assumes that it's going to be a certain size. You can overload the UFI if you try to run it off although I haven't actually tried that and I don't know if you can recommend it. You must provide if you want to read data from the UFI you must provide the variable name and the GUID or the vendor ID to access that particular variable's data. And this is where the trouble arises from. There is no currently available way to enumerate the variables well, there wasn't. A variable way to enumerate the variables on the UFI RAM chip at runtime with only one exception which Ligritz and TOEFA, Timson demonstrated last year. I couldn't find any other except for one exception which I'll cover in a second. Therefore, users, software systems, operating systems and anything like that can only access variables that they already know exist and they already have the necessary credentials for. So from a defense point of view that creates an issue. If an attacker creates a new variable with a randomized name and a GUID that's non-specific an attacker, a defender can't enumerate these variables and therefore can't analyze what's inside the UFI memory system. So these, any Nazis they put in there effectively go undetected because the defender doesn't know where they're called and can't extract them, can't access them. So the only exception that was found was a typical chip sec. It was designed by the guys over at Intel and it's a deep firmware security analysis and repair tool. It's really powerful. I was quite impressed with it. It does help the UFI variables at runtime. It was the only tool and I did a lot of searching and I could find it did that. But the tool itself, even in their invocations they say it's not for production, it's for development only. It's very large. It's quite clunky. It requires the installation of a custom kernel driver and it also requires the disable the disablement of certain security functions in order for it to operate. Which obviously as a defense software if you're going to be using this remotely in production is counter-intuitive. So although it does what I was looking for it just, it wasn't capable of doing it in the way that was required. So how to monitor, although those are the difficulties how do you monitor the memory space? So I tested a lot of methods in order to try and find runtime access and enumeration. This is just a few of them. I spent a lot of time going through these methods. So examination of runtime enumeration. First of all I looked at the UFI specification itself which is really extensive. There are a lot of sections that explain how you can enumerate UFI variables but they mainly focus on what's called the EFI shell which is a specialized shell that can be accessed to boot time in order to interface with the EFI layer of your device. It requires a custom loader to be put normally on a removal medium which you then access and it provides the shell. So the specification provides a lot of information about commands that can be run in this particular terminal this sort of environment in order to get these variables but not enough really to do it from runtime. So it was inconclusive and I couldn't find runtime services from the specification unfortunately. Attempts to, so the operating system as I said Windows introduced the interaction for the operating system to have access and control over certain elements of UFI. UFI should have an understanding of what is in there. So analyzing how the operating system interfaces with the UFI showed that it works off of a database inside the isolated EFI partition of your hard drive. From that partition it then interfaces with a file called BCD which is a registry file so key value pairs which effectively match up to the values that it already knows about at installation. So backtracing this all the way down by the way the BCD file in the EFI partition is held by system so you can't access it from while you're running the Windows system which was always a fun caveat. So the operating system only knows what it knows at installation it can't enumerate what is in the EFI memory space. So unfortunately that was the dead end. I turned back to Chipsec as it was the only tool that I could find that did what I was looking for and the source code is fully available online which is really, really cool really good things to look at. So I began looking at how it functions I began following its procedures and how it accesses the memory. On assessment I found that it imported something called EDK2 which seemed to be very important in EFI enumeration. Effectively what the EDK2 does is after a lot of time playing with it extracting it running it independently from Chipsec which was very difficult I found that instead of accessing it from runtime what EDK2 does is it creates what's called an EFI payload which can be running within an EFI shell to output specific results. So it's more like a compiler for EFI payloads or capsules as you may call them which was run from Chipsec for I think mainly for remediation or repairs to the firmware. Unfortunately it didn't do what I was looking for which was obviously runtime enumeration. So the operating system doesn't enumerate it only has a list of what it already knows. The specification didn't provide the information I was looking for and the tool under analysis that I knew could do it I stumbled to the first hurdle and couldn't figure out how it was operating so I ended up kind of down a rabbit hole for quite a while trying to think myself out of it. Eventually I did basically knuckle down and get back to Chipsec and I spent a lot of time following it, debugging it really analyzing how it worked and eventually I figure out through its project process how that accesses the UFI memory space from runtime. And to do this it uses an undocumented function of the NTDLL.DL file called NTEnumerateSystemEnvironmentVariable about to use EX and what this command does is it extracts the variable information within UFI to a buffer of your creation which can then be extracted and carved to find each variable within it. So you run this function from the NTDLL it provides a data blob in a buffer which you can then loop through and carve and extract all of the variables for analysis. And this proved to be a great success. From the Chipsec tool I extracted the methodology I put it in a lightweight wrapper and really analyzed it through its paces. The resulting POC code which is in Python runs on everything Windows 7 forward tested. It should in theory run on Windows XP because the function within NTDLL was introduced in one of the NTDLL versions which was released alongside a Windows XP Service Pack 2. So technically it should run on Windows XP but I didn't try that one. It does check if the system you're on is de-reified based before it allows it to run which is obviously something else to know. As it uses the native NTD NTDLL.DLL which is found on every single Windows host you're not required to install anything custom except for Python and also run the POC code so it leverages local files in order to enumerate this memory space. As with the attacks it must be run as admin because of the token escalation that's required for firmware access. As you can see from the left when running this POC Python code it did successfully dump all of the EFI variables including malicious codes that were not defined anywhere else and allowed them for analysis as byte data and as translated unicode. So we've gone from a very large powerful common key tool to a very lightweight wrapped Python script which can run on any Windows host post Windows 7. I do have another demo for that there with me. So this just shows Python code we're now going to run Python file as you can see it's outputting the EFI variables nice and clearly as you can see the one's going past although maybe quite small on your screen is showing the DEF CON demo P2 entries that was from the attack that I demonstrated earlier along with the associated byte data and the unicode of the reverse TCP payload that I generated using NSFNM. There we are that I'm left there it's DEF CON demo DEF CON demo hyphen P1 as an example of how that works so so now we have an understanding of how this attack can be used at all range of attack levels how it can be monitored and defended against very lightweight and integrated into defensive software what does this mean for computer users and as researchers everyone can be targeted equally everyone can patch them now so despite the obvious with which all critical attackers can leverage this memory space using the APA function exposed last year and as I demonstrated can be all the way up from defined calculated attack methodology all the way down to type by copy pasting defenders equally have the equal ease in accessing and enumerating this memory space for analysis so although standard hunting procedures or antivirus or defensive technologies may not look into this currently the integration of such technologies now is very very easy so integration into standard detection rules processes techniques and defensive software is extremely extremely easy using the lightweight capabilities that I've outlined which effectively neuter this is a malicious heathen on all available modern operands modern hosts it also allows for increased sort of research in this area so although we now can monitor this they may be custom payloads that they use that are specific or they might be malware variations that are specific for leveraging this memory space which allow us to create custom rules and remediation methods in order to remove this as a threat so as we can now enumerate these attack these malicious payloads when they're on a unified memory space it also allows us to remediate it by leveraging the same capabilities of the attackers that read right if a defender knows what the payloads are called and where they're stored they can overwrite and remove their payloads from a victim's host so we are in a situation now where attackers have this capability to leverage this isolated memory space the defenders equally have the same level of ease in order to monitor and neuter any attempts to leverage it so that's me that's my email if anyone has any questions the github below is the repository with the POC codes as well as the full research paper which explains the processes taken and has a lot more technical information than this presentation so if anyone does have any questions please feel free to email me there's also the talk of text channel if anyone has any questions there or please feel free to direct message me and I will answer any questions that I'm capable of and I look forward to hearing from you guys the last slide I have prepared so please if anyone has any questions please feel free to comment thank you very much thanks a lot Conor appreciate it good talk thank you