Secure Boot bypass revealed

Secure Boot is a security standard, part of the UEFI specification, designed to restrict what may be loaded while a device boots: the firmware only runs boot loaders whose signatures it trusts.
Microsoft introduced the feature with Windows 8, announced back in 2011, and every client and server version of Windows since then has supported it.
Microsoft stated at the time that it was up to the device manufacturer whether to ship controls for turning Secure Boot off.
Without such a control, it is not possible to load operating systems that are not explicitly allowed. In the worst case, only one particular flavor of Windows can run on the device.
This is the case on Windows RT and Windows Phone devices, for instance. On PCs and notebooks Secure Boot can be turned off, at least for the time being.
Researchers have now discovered a way to manipulate Secure Boot on Windows devices that effectively renders it useless.

Secure Boot uses policies that the Windows Boot Manager reads during boot. Not every policy it finds gets loaded, though: a policy is normally bound to a DeviceID, and the boot manager only applies policies whose DeviceID matches the device it is running on.
Microsoft later introduced supplemental policies, which are not bound to a DeviceID and are meant to be merged into a device's base policy. A boot manager that accepts such a policy on its own can be instructed to enable test signing, and with test signing enabled it is possible to load anything during boot. The researchers put it like this:
The "supplemental" policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don't contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for Windows (to load unsigned drivers, i.e. a rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (i.e. a bootkit)!!! (In practice, the .efi file must be signed, but it can be self-signed.) You can see how this is very bad!! A backdoor, which MS put in to Secure Boot because they decided to not let the user turn it off in certain devices, allows for Secure Boot to be disabled everywhere!
The effect is that Secure Boot gets unlocked on devices where the feature is locked down. The researchers' method works on Windows devices with Secure Boot enabled, but only if Microsoft's MS16-094 security update is not installed, and administrative rights on the device are required.
Microsoft tried to fix the issue with MS16-094 in July and with this month's MS16-100 security bulletin. The first update introduced a blacklist, the second revoked some boot managers. According to the researchers, the patches don't resolve the issue completely.
You can find additional information about the issue on the researchers' site. Please note that it plays an intro with music in the background. I suggest you use Ctrl-A, Ctrl-C to copy all the content and paste it into a text document, as the music and background animation are quite distracting.
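The policy-selection logic described above (a policy bound to a DeviceID versus a supplemental policy with none, and the blacklist bolted on by the first patch), as an added, simplified model written for this article. It is not Microsoft's code and not the real policy file format: the field names (device_id, supplemental, test_signing, bcd_rules), the hashing used for the blacklist, the sample policies and the order in which they are offered to the loader are all assumptions. The point it shows is that a loader which treats "no DeviceID" as "matches any device" fails open, that a hash blacklist only catches the policies it already lists, and that the structural fix is to refuse unbound or stand-alone supplemental policies outright.

```python
"""
Simplified model of how a boot manager picks a Secure Boot policy and why an
unbound "supplemental" policy breaks the scheme.

Added, illustrative model; NOT Microsoft's policy format or Windows Boot
Manager code. Field names, selection order and hashing are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
import hashlib


@dataclass(frozen=True)
class Policy:
    name: str
    device_id: Optional[str]      # None: policy is not tied to any device
    supplemental: bool            # meant only to be merged into a base policy
    test_signing: bool            # True lets test-/self-signed images load
    bcd_rules: tuple = ()         # BCD elements the policy pins (opaque here)

    def digest(self) -> str:
        """Stand-in for the file hash a blacklist would key on (assumption)."""
        blob = (f"{self.name}|{self.device_id}|{self.supplemental}|"
                f"{self.test_signing}|{self.bcd_rules}")
        return hashlib.sha256(blob.encode()).hexdigest()


def legacy_select(policies: Iterable[Policy], this_device: str,
                  blacklist: FrozenSet[str] = frozenset()) -> Optional[Policy]:
    """Flawed loader: a policy without a DeviceID is accepted on any device.
    The optional blacklist models a hash-based mitigation added afterwards."""
    for p in policies:
        if p.digest() in blacklist:
            continue
        if p.device_id is None or p.device_id == this_device:
            return p
    return None


def hardened_select(policies: Iterable[Policy], this_device: str,
                    blacklist: FrozenSet[str] = frozenset()) -> Optional[Policy]:
    """Fail-closed loader: exact DeviceID match required, supplemental policies
    never loaded on their own, blacklisted hashes refused."""
    for p in policies:
        if p.digest() in blacklist:
            continue
        if p.supplemental or p.device_id != this_device:
            continue
        return p
    return None


def unsigned_boot_allowed(policy: Optional[Policy]) -> bool:
    """Whether the selected policy lets bootmgr run test-signed .efi images."""
    return policy is not None and policy.test_signing


# Constructed sample policies (not real Microsoft policy files).
BASE_FOR_DEV_A = Policy("base-dev-a", device_id="DEV-A", supplemental=False,
                        test_signing=False, bcd_rules=("no-testsigning",))
LEAKED_SUPPLEMENTAL = Policy("debug-supplemental", device_id=None,
                             supplemental=True, test_signing=True)
RE_ISSUED_SUPPLEMENTAL = Policy("debug-supplemental-v2", device_id=None,
                                supplemental=True, test_signing=True)


def scenario(device: str, loader, blacklist: FrozenSet[str] = frozenset()) -> bool:
    """One boot attempt on `device` with every sample policy offered to the
    loader; True if the chosen policy ends up enabling test signing."""
    offered = (BASE_FOR_DEV_A, LEAKED_SUPPLEMENTAL, RE_ISSUED_SUPPLEMENTAL)
    return unsigned_boot_allowed(loader(offered, device, blacklist))


if __name__ == "__main__":
    locked = "DEV-B"   # a device whose owner cannot turn Secure Boot off
    blk = frozenset({LEAKED_SUPPLEMENTAL.digest()})
    print("legacy loader, no blacklist :", scenario(locked, legacy_select))
    print("legacy loader, blacklist    :", scenario(locked, legacy_select, blk))
    print("hardened loader             :", scenario(locked, hardened_select))
```

Running it on the locked device shows the legacy loader accepting the leaked supplemental policy, the blacklist stopping only that exact policy while a re-issued one with a different hash passes again, and the hardened loader selecting nothing at all, which is the safe outcome for a device that was never meant to run anything but its own bound policy.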
