RingHopper – Hopping from User-space to God Mode

Presented at DEF CON 30 (2022), Aug. 14, 2022, 1 p.m. (45 minutes)

The SMM is a well-guarded fortress that holds a treasure – an unlimited god mode. We hopped over the walls, fooled the guards, and entered the holy grail of privileges. An attacker running in System Management Mode (SMM) can bypass practically any security mechanism, steal sensitive information, install a bootkit, or even brick the entire platform. We discovered a family of industry wide TOCTOU vulnerabilities in various UEFI implementations affecting more than 8 major vendors making billions of devices vulnerable to our attack. RingHopper leverages peripheral devices that exist on every platform to perform a confused deputy attack. With RingHopper we hop from ring 3 (user-space) into ring -2 (SMM), bypass all mitigations, and gain arbitrary code execution. In our talk, we will deep-dive into this class of vulnerabilities, exploitation method and how it can be prevented. Finally, we will demonstrate a PoC of a full exploitation using RingHopper, hopping from user-space into SMM.

Presenters:

• Benny Zeltser - Security Researcher, Intel
• Jonathan Lusky - Security Research Team Lead, Intel

Similar Presentations:

• DEF CON 31 (2023) / The RingHopper Journey or How We Almost Zero-day’d the World
• 31C3 (2014) / Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer
• DeepSec 2016 „Ten“ / Advanced Concepts for SMM Malware