Friday, July 26, 2019

new video by Wendell from Level1Techs on Talos II OpenPower Secure Workstation + my original comment

Wendell's video is located here: https://www.youtube.com/watch?v=5syd5HmDdGU

Forget x86; OpenPower is it! Talos II Secure Workstation!

My comment on it:
Wendell, I've found some alarming stuff in my ASUS decompiled BIOS. Namely, while searching for strings, I found "BACKDOO" and started digging around that area, and found what essentially amounts to a literal BACKDOOR highway linked to the Windows drivers. This started with me investigating my ASiO.sys (which I thought was for my sound card), but it's actually for Asus IO (or AsusGIO) aka AISuite aka the new Aura Sync, also linked to ATKEX.dll and PEBIOSINTERFACE32.dll, and tied to the Windows service atkexComSvc, for control of hardware bus devices like fan control, lighting, USB charging, that kind of thing. It seems to have a deep link straight back to the BIOS, and the driver can be exploited and the BIOS seems weak. There were even CVEs posted: CVE-2018-18535, CVE-2018-18536 and CVE-2018-18537. Now, I haven't experienced anything myself, but there have been reports of questionable behavior (memory leaks, unwanted internet traffic, etc.) indicative of active exploits in the wild surrounding this also. It's very alarming, and I wish I had the ability to do a more complete security dissection and writeup of the decompiled BIOS, but honestly I can't read IDA to save my life :) So I am passing this info onwards to you. Please forward this to anyone applicable, or if that's you and you see it, please look into this info.
Sources:
1: https://packetstormsecurity.com/files/150893/ASUS-Driver-Privilege-Escalation.html
2: https://packetstormsecurity.com/files/cve/CVE-2018-18535
3: https://packetstormsecurity.com/files/cve/CVE-2018-18536
4: https://packetstormsecurity.com/files/cve/CVE-2018-18537
5: https://community.norton.com/en/forums/pebiosinterface32dll-0
6: https://rog.asus.com/forum/archive/index.php/t-11511.html

On an unrelated note, I also just discovered (maybe it's known to everyone) that VMware put a literal backdoor in for their VMware Tools for the guest to communicate back out to the host over a high-bandwidth IO channel using specific CPU registers and memory addresses. At least they were kind enough to name it "open-vm-tools/lib/backdoor/backdoor.c" and open source it. Also worth looking into.
This is on top of the well-known information you mentioned about the vulnerable Intel ME engine and the danger of closed-source BIOS/UEFI, so I am eagerly following the open source firmware community, like Tianocore, coreboot and Libreboot for Thinkpads and the like... But yes, I am sorta getting into these deep endeavors, but it's extremely above my head, and I assume for most people it's so deep it's just off the radar. Thank you for bringing this amazing Talos/Power9 machine to light!

I wish I could respond further and in more detail, but I wanted to get this posted as is first, with some links. Disclaimer: I'm not an actual security researcher, I'm just a lifelong nerd trying to be one.

Monday, July 22, 2019

Emmett Brown - VOID (Synthwave album on Bandcamp)

Check out Emmett Brown's music; it's Synthwave, and easily some of the best stuff I've heard.
Some of my favorite songs are Twin Pines Mall and Hypercolor Tease.
Free to stream!
Right up there with Perturbator, Carpenter Brut, Kavinsky and the like.
Be sure to check out his first album MANIC too.
He's also on Spotify