Watching the Watcher: Extreme Privilege Escalation on Windows 8/UEFI Systems



The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined “runtime services” interface between the operating system and the firmware.

This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from “ring 3” all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM).

This talk will disclose two of these vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them. We will also discuss “The Watcher”. A simple but powerful backdoor that can be left running in SMM to give an attacker arbitrary code execution at the maximum privilege level forever more.

Location: Track 2 Date: October 15, 2014 Time: 5:00 pm - 6:00 pm Corey Kallenberg Xeno Kovah John Butterworth Sam Cornwell