@Rairii@haqueers.com

Rairii

Reversing (malware and otherwise); appsec and websec; embedded security; exploit dev; software preservationist; knows how not to use cryptography.

Currently finding bugs in Windows bootloaders.

You may also know me from capcom.sys.

#nobot


atomicpoet, to fediverse
@atomicpoet@mastodon.social

I disagree with those who say “Let’s focus on spreading awareness for Mastodon—not the Fediverse” for three reasons:

  1. Some people hate Mastodon. If they don’t like Mastodon, they should know about options to their liking.

  2. Some people are looking for alternatives to Facebook, YouTube, Instagram—and Mastodon is not the answer for them.

  3. What about developers looking to build novel and new social media? They should know what ActivityPub does.

Rairii,

@atomicpoet wait, does that include forks like glitchsoc/hometown?

tinker, to random

You know that creepy "Report a Trans" form from the Missouri state government? (found here: https://ago.mo.gov/file-a-complaint/transgender-center-concerns )

Here's an interesting Proof of Concept code for spamming that form that you can analyze:

https://github.com/boiled-water-tsar/eat-my-entire-trans-ass-andrew-bailey

Rairii,

@metricguy @tinker @endi @jackemled anyone want to crowdfund shady captcha solving service? ;)

Rairii,

@metricguy @tinker @endi @jackemled that said, is the captcha actually implemented properly? i remember at least one occurrence when it was done entirely client side

Rairii, to infosec

so, it's been almost a month since the patch released (exactly a month would be friday)

Introducing bitpixie (CVE-2023-21563), a 17 year old bug (introduced in 5231.2 from october 2005 at the latest) leading to bitlocker (with TPM) bypass and key dumping

When booting from network via PXE, there's a special type of boot entry allowed called "PXE soft reboot".

This just loads the given PE from the remote PXE server, and does BS->LoadImage and BS->StartImage on it.

...except when BS->StartImage is called, derived BitLocker keys are still in memory!

When Secure Boot is disabled, you can just load any payload you want, of course.

When Secure Boot is enabled, things are slightly more complicated.

Luckily, there's a way for a physically present user to bypass Secure Boot: if you go into advanced options menu and choose "disable driver signature enforcement", win8+ winload will load a selfsigned mcupdate*.dll, and call its entrypoint before ExitBootServices.

When loading bootmgfw again, winload won't know of the older BitLocker keytable, and will enable access to the advanced boot options menu.

You need to set up enough of a Windows image so winload can reach the code path to load and execute mcupdate*.dll.

I used windows 8.1 RTM (9600.16384) for this, the files required from its boot.wim are:

Windows\apppatch\drvmain.sdb
Windows\Boot directory
Windows\fonts\vgaoem.fon
Windows\Inf directory
and in Windows\system32:
Boot, config, drivers directories
apisetschema.dll
bootvid.dll
ci.dll
C_*.NLS
C_G18030.DLL
C_IS2022.DLL
hal.dll
HalExtIntcLpioDMA.dll
kd.dll
kdcom.dll
kdstub.dll
l_intl.nls
ntoskrnl.exe
PSHED.DLL

(and of course, your payload as mcupdate_AuthenticAMD.dll and mcupdate_GenuineIntel.dll)

This is a total of 136MB of data uncompressed, and a 42MB WIM. It can probably be smaller than that :)

To dump bitlocker keytables, your payload must scan physical memory pages looking for a valid keytable.

But what about getting the bitlocker keys derived in the first place?

When loading a boot application, BitLocker keys are derived very early. If loading the boot application PE from disk fails, integrity validation is not performed and derived keys remain in memory.

That way, in a BCD coming from PXE server, the default boot option can have a device of the BitLocker-encrypted OS partition, a path of "" (valid, but will always fail), and a recovery sequence pointing to the pxesoftreboot entry.

Then, for Secure Boot being enabled, you can swap the BCDs on the PXE server after the first one gets loaded. You can slow the boot down by pressing down arrow during bootmgr initialisation to cause the boot menu to show up.

Then just PXE boot from this, using the vulnerable bootmgfw from the system you are attacking :)

If Secure Boot is used for integrity validation (the default when Secure Boot is enabled), a downgrade attack can be performed here, and any vulnerable bootmgfw can be used.

Make sure your systems are patched, and using legacy integrity validation configured to use PCRs 0, 2, 4, 7 and 11. "Secure Boot integrity validation" is not secure!
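To check the setting the post recommends, the following added example (not part of the original post) audits saved `manage-bde -protectors -get C:` output for Secure Boot integrity validation and for a PCR profile missing any of 0, 2, 4, 7, 11. The English output layout is an assumption, the sample outputs are constructed, and patch level is not checked.

```python
import re

REQUIRED_PCRS = {0, 2, 4, 7, 11}  # legacy profile named in the post above

# Constructed samples; the layout of English `manage-bde -protectors -get C:`
# output is assumed here.
SAMPLE_SECURE_BOOT = """\
    TPM:
      ID: {00000000-0000-0000-0000-000000000001}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
"""
SAMPLE_LEGACY = """\
    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
      PCR Validation Profile:
        0, 2, 4, 7, 11

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000003}
"""

def parse_pcr_profiles(text):
    """Return {'pcrs': set, 'secure_boot': bool} for each TPM-based protector."""
    lines = [ln.strip() for ln in text.splitlines()]
    profiles = []
    for i, line in enumerate(lines):
        if line != "PCR Validation Profile:":
            continue
        after = [ln for ln in lines[i + 1:i + 4] if ln]
        # Only accept a pure "n, n, n" line so an ID or header is never misread.
        has_list = bool(after) and re.fullmatch(r"\d+(\s*,\s*\d+)*", after[0])
        pcrs = {int(n) for n in after[0].split(",")} if has_list else set()
        secure_boot = any("Uses Secure Boot" in ln for ln in after[1:2])
        profiles.append({"pcrs": pcrs, "secure_boot": secure_boot})
    return profiles

def audit(text):
    """List deviations from the recommended configuration (empty list = OK)."""
    profiles = parse_pcr_profiles(text)
    findings = [] if profiles else ["no TPM protector with a PCR profile found"]
    for p in profiles:
        if p["secure_boot"]:
            findings.append("Secure Boot integrity validation in use")
        missing = sorted(REQUIRED_PCRS - p["pcrs"])
        if missing:
            findings.append("missing PCRs: " + ", ".join(map(str, missing)))
    return findings
```
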

lowqualityfacts, to random
@lowqualityfacts@mstdn.social

My goal isn't for Mastodon to replace Twitter.

My goal is for the Fediverse to attack and dethrone God.

Rairii,

@lowqualityfacts which god

Rairii, to RaspberryPi

hired a surveillance cop then reacted poorly to people criticising them?

I already released (partial) VCE disassembler, which is enough for an interested reverser to keygen the <=RPi3 codec licensing algorithm.

Maybe I should just, ya know, post the serial algo code.

(fuck software patents/etc anyway)

Rairii,

// codec licensing serial algo (<=RPi3)
// shoutouts to fabien perigaud/synacktiv. your beerump 2017 presentation slides started me on this journey.
// (sure you redacted the fun stuff, I just rediscovered it myself)
// also shoutouts to everyone involved in BCM2708 reversing!
// greetings to elites, fuckings to lamers (second category includes broadcom and rpi foundation)

#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;

u8 vce_data[] = {
0x54, 0x6f, 0x76, 0x6b, 0x94, 0xce, 0x1a, 0x57, 0x56, 0x51, 0x0c, 0xb2, 0x72, 0xc9, 0xc3, 0x12,
0x13, 0xbc, 0xe8, 0xd2, 0x5b, 0xa3, 0x2d, 0x2a, 0x5a, 0x62, 0x4d, 0xeb, 0x16, 0x40, 0x05, 0x87,
0xe0, 0x98, 0x39, 0xf7, 0xac, 0xc6, 0xab, 0x7c, 0xe9, 0xfb, 0x07, 0xaa, 0x29, 0xcd, 0x1d, 0x9b,
0xf6, 0x0e, 0x01, 0xbb, 0x5c, 0xfc, 0x15, 0xae, 0xd9, 0xfa, 0x9c, 0xef, 0xf1, 0x75, 0x8e, 0x70,
0x46, 0x8b, 0xb0, 0x89, 0x50, 0xaf, 0x6e, 0x67, 0x18, 0xda, 0xee, 0xd4, 0x32, 0xbe, 0x4e, 0x58,
0x5d, 0x1f, 0x4b, 0x73, 0x88, 0xc0, 0x79, 0x02, 0xde, 0x47, 0xa0, 0x43, 0x9a, 0xdb, 0xc8, 0x35,
0x95, 0x3c, 0xcc, 0x8d, 0x64, 0x2f, 0x14, 0x68, 0x00, 0x71, 0x03, 0xb9, 0xed, 0x0b, 0xf3, 0x24,
0x60, 0xb1, 0x17, 0x63, 0xdf, 0x48, 0x41, 0xa4, 0x28, 0x5e, 0x2b, 0xd8, 0xb4, 0x90, 0xba, 0x83,
0xe4, 0x08, 0xd0, 0xe2, 0xb8, 0x6a, 0x10, 0x74, 0x9f, 0x7b, 0x19, 0x38, 0x8f, 0x91, 0xd6, 0xa8,
0x27, 0x06, 0x30, 0x33, 0x61, 0x34, 0x25, 0x21, 0x53, 0xc7, 0x66, 0x23, 0xff, 0xc5, 0x80, 0x85,
0xf4, 0xd7, 0x97, 0x99, 0x55, 0xf2, 0x8c, 0x04, 0x6c, 0x4f, 0xa1, 0x36, 0x20, 0x0a, 0xe1, 0x44,
0x59, 0xcf, 0x7d, 0xb6, 0xf9, 0x0f, 0x6d, 0x11, 0x78, 0x93, 0xe5, 0x3f, 0xf0, 0x9e, 0x84, 0xd3,
0x7e, 0xbd, 0xd1, 0xf5, 0xa5, 0x81, 0x22, 0x37, 0xf8, 0x52, 0xe3, 0x5f, 0xa9, 0xca, 0xfd, 0x42,
0x7f, 0x09, 0xa2, 0x9d, 0x8a, 0xb7, 0x4a, 0xe6, 0xa6, 0x77, 0x3d, 0x1c, 0x2e, 0xcb, 0x1b, 0x69,
0xb3, 0x1e, 0xc1, 0x7a, 0x82, 0xdd, 0x2c, 0xdc, 0x49, 0xea, 0x3a, 0xe7, 0x31, 0x4c, 0xad, 0xbf,
0x0d, 0xc2, 0xc4, 0x96, 0x65, 0x26, 0xfe, 0x92, 0x86, 0x3b, 0x3e, 0xec, 0xd5, 0xb5, 0xa7, 0x45
};

#define INLINE static inline __attribute__ ((optimize (3))) __attribute__((always_inline))

// substitute one byte of var (at bit offset bits) through the vce_data table
INLINE u32 GET(u32 var, u8 bits) {
    // cast before shifting so a table byte >= 0x80 shifted by 24 does not overflow int
    return (u32)vce_data[(var >> bits) & 0xff] << bits;
}

// should probably use bitwise OR, but this is what the vce code does
INLINE u32 GET32(u32 var) {
    return GET(var,24) ^ GET(var,16) ^ GET(var,8) ^ GET(var,0);
}

// vce has no rotate instructions, so it does it the long way as in C
INLINE u32 ROR(u32 var, u32 right) {
    return (var >> right) ^ (var << (32 - right));
}

u32 codec_license_hash(u32 board_serial /* r1 */, u32 codec /* r2 */) {

#define CODEC_XOR_BOARD_ROR(bits) codec ^= ROR(board_serial,bits)
#define BOARD_XOR_CODEC_ROR(bits) board_serial ^= ROR(codec,bits)

    for (u32 i = 0; i < 17; i++) {
        CODEC_XOR_BOARD_ROR(1);
        BOARD_XOR_CODEC_ROR(6);
        CODEC_XOR_BOARD_ROR(13);
        BOARD_XOR_CODEC_ROR(17);
        CODEC_XOR_BOARD_ROR(21);
        BOARD_XOR_CODEC_ROR(29);

        board_serial = GET32(board_serial);
        codec = GET32(codec);
    }

#undef CODEC_XOR_BOARD_ROR
#undef BOARD_XOR_CODEC_ROR

    return codec;
}

// This board serial taken from hxxps://web.archive.org/web/20221208160705/forums.raspberrypi.com/viewtopic.php?t=38901
// The person who owns the SoC with this serial burned in fuses did a nice thing and provided their own WVC1 + MPG2 keys, we can use that to verify this implementation is correct:
// decode_MPG2=0x6fd66307
// decode_WVC1=0x01a512b0
#define BOARD_SERIAL 0x9d3e8cb1

int main(void) {
    printf("# VC1 key\ndecode_WVC1=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x57564331 /* 'WVC1' */));
    printf("# MPEG-2 key\ndecode_MPG2=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x4D504732 /* 'MPG2' */));
    printf("# Super-secret key ;)\n#\n"
        "# start.elf, before booting ARM, reads bootsig key from efuses, then compares against 1/2 of 5 hardcoded keys.\n"
        "# If not equal, then this key is checked, if not correct then infinite loop + LED flash\n"
        "# (same as if 3rdsig -- ARM kernel binary HMAC signature -- verification fails)\n"
        "# As to why this is done, I have no idea. Bootsig key is also 128-bit HMAC key and this reduces the available\n"
        "# possible entropy for unique bootsig key (necessary for boot-time security I would think!) down to either\n"
        "# 51, 52, or 77 bits depending on what key was burned into your Pi's efuses...\n"
        "decode_0001=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x30303031 /* '0001' */));
    return 0;
}
