The RingHopper Journey or How We Almost Zero-day’d the World

Presented at DEF CON 31 (2023), Aug. 11, 2023, 10 a.m. (45 minutes)

Last year we almost zero-day’d the world with the publication of RingHopper. Now we can finally share some juicy details and invite you for an illuminating journey as we delve into the realm of RingHopper, a method to hop from user-land to SMM. We will survey the discovery and disclosure of a family of industry-wide vulnerabilities in various UEFI implementations, affecting more than eight major vendors and making billions of devices vulnerable to our attack. Then, we will deep-dive into the innards of SMM exploitation and discuss methods to use and abuse various functionalities and properties of edk2 to gain code execution. We will unveil both our futile and fruitful quests of crafting our way to SMM, and detail both the paths that lead to dead-ends and the route to success. We will give a detailed overview of different ways to elevate this kind of attack to user-land, both on Windows and Linux, by chaining multiple vulnerabilities together. Finally, we will show RingHopper hopping from user-space to… SMM.

REFERENCES:

1. DEF CON 29 - Mickey Shkatov, Jesse Michael - High Stakes Updates: BIOS RCE OMG WTF BBQ
2. DEF CON 26 - Shkatov and Michael - UEFI Exploitation for the Masses
3. DEF CON 23 - Yuriy Bulygin - Attacking Hypervisors Using Firmware and Hardware
4. DEF CON 22 - Panel - Summary of Attacks Against BIOS and Secure Boot
5. OffensiveCon22 - Alex Ermolov, Alex Matrosov and Yegor Vasilenko - UEFI Firmware Vulnerabilities

Presenters:

  • Benny Zeltser - Security Research Team Lead at Intel
    Benny (@benny_zeltser) is a security research team lead @ iSTARE, Intel. He focuses on breaking and exploiting anything on the border between HW and SW. Previously, Benny worked at IBM on the development of malware analysis techniques, and spent four years in IDF Intelligence as a security and research engineer. When Benny is not breaking things, he usually hikes with his 1 yo or cultivates his coffee brewing (and drinking) hobby.
  • Jonathan Lusky - Security Research Team Lead at Cellebrite
    Jonathan (@LuskyYehonatan) is a security research team lead @ Cellebrite. In the past, he was a security research team lead @ Intel. He is curious about anything related to low-level security research, reversing binaries, poking CPUs and breaking stuff. Currently, he is about to complete his master’s degree at the Technion, focusing on neural network extraction attacks. In his spare time, Jonathan loves to participate in CTFs, play tennis and hike.