[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Windows Platform Binary Table (WPBT) - BIOS PE backdoor



PRECURSOR

There will be debate about if this is a vulnerability.  It affects a
majority of user PCs -- including all Enterprise editions of Windows,
there is no way to disable it, and allows direct code execution into
secure boot sequences.  I believe it is worth discussing.

SCOPE

Microsoft documented a feature in Windows 8 and above called Windows
Platform Binary Table.  Up until two days ago, this was a single Word
document not referenced elsewhere on Google:

 http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us

This feature allows a BIOS to deliver the payload of an executable,
which is run in memory, silently, each time a system is booted.  The
executable code is run under under Session Manager context (i.e.
SYSTEM).

This technique is being used by Lenovo and HP to silently deliver
software, even after systems are completely wiped.  This issue came to
light in this forum thread:
http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819

Additionally, the code is injected and executed in Windows after the
Windows kernel has booted - meaning hard drives are accessible.  In a
HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
18 - they reference they use Windows Platform Binary Table to inject
their code into encrypted systems (e.g. BitLocker) (!!!!).

MITIGATIONS

It is not possible to disable this functionality.  If you can gain
access to the BIOS, you can inject code into the Windows boot sequence
using the documentation linked above.  The BIOS delivered PE code is
not countersigned by Microsoft.

Microsoft say: "If partners intentionally or unintentionally introduce
malware or unwanted software though the WPBT, Microsoft may remove
such software through the use of antimalware software.  Software that
is determined to be malicious may be subject to immediate removal
without notice."

However, you are relying on Microsoft being aware of attacks.  Since
the code is executed in memory and not written to disk prior to
activation, Windows Defender does not even scan the executed code.