black hat 2017: Running Unsigned Code in Intel Management Engine (vulnerability)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
here is the entire article:

How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics.

In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.


__EDIT___
here is another article about this bug. It has been published on a big german computer forum/portal:
Intel-Chipsätze: Sicherheitslücke erlaubt beliebige Code-Ausführung
 
Last edited:

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Very bad vulnerability.... apparently no defence from it, if you get infected and somehow you find it out (how?), you can just throw the MB in the trash...bad, bad news...
 
Last edited:

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
^^^^ here is another article in a big german online magazine for IT about this bug.

Minix: Fehler in Intel ME ermöglicht Codeausführung - Golem.de


a quote from this article:
Die Schwachstelle soll alle Prozessoren der Skylake- und Kaby-Lake-Reihe betreffen und wird über den Platform Controller Hub (PCH) getriggert.

Translation:
Code:
All Skylake and Kaby-lake CPUs are affected by this voulnerability..... ..... .....



another quote from the article:
Virenscanner und andere gängige Sicherheitstools sind derzeit nicht in der Lage, einen entsprechenden Angriff abzuwehren oder zu erkennen.

Translation:
Code:
AV software and other popular security tools are currently not able to block
or detect this kind of attack
 

gorblimey

Level 3
Verified
Aug 30, 2017
101
Help me out a little.
This is a problem for Skylake or any Intel cpu?

We-e-e-ell, I run a Gigabyte GA-H61M-USB3-B3 Rev2 with a Sandy Bridge i5 2400... It appears I don't have the IME, but if I want it I can download it from Drivers Search: GA-H61M-USB3-B3 but I must also upgrade from W7x64 to W8.1. Well, the upgrade will never happen :mad:. So it seems I'm safe :) And vPro is also not for me :p

But seriously, those with older boards might want to take a good long dekko at their BIOS.
 
  • Like
Reactions: tonibalas

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top