Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

[Kevin Beaumont <kevin.beaumont () gmail com>]

Hi Dimirti,

The specification says it is supported (and slightly expanded) in
Windows 10, and I can confirm through testing the method still works
on Windows 10 - I was successfully able to extract files from a
Windows BitLockered drive.

On 13 August 2015 at 14:33, Limanovski, Dimitri
<dimitri.limanovski () blackrock com> wrote:
> Hi Kevin,
> I too was looking at this, and it does look absolutely horrendous. More so, that Microsoft does not provide a good 
> measure to control WPBT: in the official doc there's some watered down paragraph about "good security measures", but 
> there's no way to enforce binary signing, or CA-like validation of the signature. One thing is not clear is whether 
> Windows 10 is vulnerable to the same functionality, and whether the malicious actors can write to WPBT directly, or, 
> like the case with Lenovo, have to hijack "trusted" OEM apps that are allowed to do so.
>
> Dimitri
>
> -----Original Message-----
> From: Kevin Beaumont [mailto:kevin.beaumont () gmail com]
> Sent: Wednesday, August 12, 2015 7:45 AM
> To: bugtraq () securityfocus com
> Subject: Windows Platform Binary Table (WPBT) - BIOS PE backdoor
>
> PRECURSOR
>
> There will be debate about if this is a vulnerability.  It affects a majority of user PCs -- including all Enterprise 
> editions of Windows, there is no way to disable it, and allows direct code execution into secure boot sequences.  I 
> believe it is worth discussing.
>
> SCOPE
>
> Microsoft documented a feature in Windows 8 and above called Windows Platform Binary Table.  Up until two days ago, 
> this was a single Word document not referenced elsewhere on Google:
>
>  
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable, which is run in memory, silently, each time a 
> system is booted.  The executable code is run under under Session Manager context (i.e.
> SYSTEM).
>
> This technique is being used by Lenovo and HP to silently deliver software, even after systems are completely wiped.  
> This issue came to light in this forum thread:
> http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819
>
> Additionally, the code is injected and executed in Windows after the Windows kernel has booted - meaning hard drives 
> are accessible.  In a HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
> 18 - they reference they use Windows Platform Binary Table to inject their code into encrypted systems (e.g. 
> BitLocker) (!!!!).
>
> MITIGATIONS
>
> It is not possible to disable this functionality.  If you can gain access to the BIOS, you can inject code into the 
> Windows boot sequence using the documentation linked above.  The BIOS delivered PE code is not countersigned by 
> Microsoft.
>
> Microsoft say: "If partners intentionally or unintentionally introduce malware or unwanted software though the WPBT, 
> Microsoft may remove such software through the use of antimalware software.  Software that is determined to be 
> malicious may be subject to immediate removal without notice."
>
> However, you are relying on Microsoft being aware of attacks.  Since the code is executed in memory and not written 
> to disk prior to activation, Windows Defender does not even scan the executed code.
>
>
> This message may contain information that is confidential or privileged. If you are not the intended recipient, 
> please advise the sender immediately and delete this message. See 
> http://www.blackrock.com/corporate/en-us/compliance/email-disclaimers for further information.  Please refer to 
> http://www.blackrock.com/corporate/en-us/compliance/privacy-policy for more information about BlackRock’s Privacy 
> Policy.
>
> For a list of BlackRock's office addresses worldwide, see 
> http://www.blackrock.com/corporate/en-us/about-us/contacts-locations.
>
> © 2014 BlackRock, Inc. All rights reserved.