An Old Vulnerability Returns To Threaten Macs
Just recently Apple patched the Thunderstrike vulnerability. Or so it was thought. Let me quote security researcher and Apple hacker Pedro Vilaca:
The attack requires you to reverse the boot script implementation, which is a royal pain in the ass. EFI binaries are a bit annoying to reverse even with the assistance of Snare’s EFI utils. IDA also has some bugs regarding EFI binaries.
While doing some experiments with flashrom I finally noticed something big. I couldn’t believe it the first time so I tried it in other Macs and it was indeed true. Macs have an even bigger hole than Dark Jedi.
Drum roll…
What is that hole after all? Is Dark Jedi hard to achieve on Macs?
No, it’s extremely easy because Apple does all the dirty work for you. What the hell am I talking about?
Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#
And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.
Wait, am I saying Macs' EFI can be rootkitted from userland without all the tricks from Thunderbolt that Trammell presented? Yes I am! And that is one hell of a hole :-).
In short, if you never shut your Mac down, but instead put it to sleep or leave it running, its EFI firmware (the BIOS) can be taken over remotely. Your Mac can thus be pwned without the attacker needing physical access. Scary indeed. The only defense against this flaw is to always shut the computer down and never put it to sleep.
Now here's where it gets really scary:
I have tested against a MacBook Pro Retina, a MacBook Pro 8,2, and a MacBook Air, all running latest EFI firmware available. And every single one is vulnerable.
It appears that latest MacBook models are not vulnerable but I’m not 100% sure about this. I couldn’t fully test it on a recent model (the owner was afraid of giving me root access ;-)). The first impression was that the bug was silently fixed by Apple but this requires extensive testing to be sure (or some EFI binary disassembling).
I expect all mid/late 2014 machines and newer to not be vulnerable. Apple either fixed it by accident or they know about it. It’s not something you just fix by accident, just sayin’.
In other words, only Apple's latest and greatest Macs are protected. If you have any Mac older than mid-2014, you may have cause for concern. You can bet that Apple is aware of this. But are they doing something about it for users of ALL their products? That's the question.
This entry was posted on June 1, 2015 at 8:32 pm and is filed under Commentary with tags Apple, Security.