Macs Vulnerable To Userland Injected EFI Rootkits
Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer.
Memory areas are normally locked as read-only to protect them.
However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.
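The summary does not say which lock the sleep/wake cycle drops, only that EFI memory that is normally read-only becomes writable afterwards. On Intel platforms the write-protection of the firmware flash is a handful of chipset bits, and a practitioner checking a machine for this class of bug compares those bits before sleep and after wake. The script below is an added example, not code from the article or from Apple: it decodes the relevant BIOS_CNTL and HSFS bits (layout from the Intel PCH datasheets) and diffs two snapshots. The snapshot values are constructed for illustration, not captured from a Mac, and the assumption that the lost bit is FLOCKDN is a plausible mechanism, not something the article states.

```python
# Added example (not from the article or Apple): decode the Intel PCH flash
# write-protection bits and diff a before-sleep / after-wake snapshot.
# Bit positions are from the Intel PCH datasheets; the snapshot values
# below are constructed for illustration, not captured from real hardware.

from dataclasses import dataclass

# BIOS_CNTL register (PCH LPC bridge, PCI config space)
BIOSWE  = 1 << 0   # BIOS Write Enable: flash BIOS region writable when set
BLE     = 1 << 1   # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: region writable only while all CPUs are in SMM

# HSFS register (SPI controller MMIO)
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PR0-PR4 ranges frozen until reset


@dataclass(frozen=True)
class Snapshot:
    label: str
    bios_cntl: int
    hsfs: int


def decode(snap: Snapshot) -> dict:
    """Return the protection-relevant bits of a snapshot as booleans."""
    return {
        "BIOSWE": bool(snap.bios_cntl & BIOSWE),
        "BLE": bool(snap.bios_cntl & BLE),
        "SMM_BWP": bool(snap.bios_cntl & SMM_BWP),
        "FLOCKDN": bool(snap.hsfs & FLOCKDN),
    }


def findings(snap: Snapshot) -> list:
    """List every way the flash is left writable (or re-lockable) from the OS."""
    f = decode(snap)
    out = []
    if f["BIOSWE"]:
        out.append("BIOSWE set: BIOS region is writable right now")
    if not f["BLE"]:
        out.append("BLE clear: the OS can set BIOSWE without triggering an SMI")
    if not f["SMM_BWP"]:
        out.append("SMM_BWP clear: writes are not restricted to SMM")
    if not f["FLOCKDN"]:
        out.append("FLOCKDN clear: protected-range registers can be rewritten")
    return out


def flash_locked(snap: Snapshot) -> bool:
    """True only when no finding applies, i.e. every lock is in place."""
    return not findings(snap)


def protections_lost(before: Snapshot, after: Snapshot) -> list:
    """Names of locks that were set before sleep but are clear after wake."""
    b, a = decode(before), decode(after)
    lost = [name for name in ("BLE", "SMM_BWP", "FLOCKDN") if b[name] and not a[name]]
    if not b["BIOSWE"] and a["BIOSWE"]:
        lost.append("BIOSWE")
    return lost


# Constructed snapshots: BLE and SMM_BWP set, BIOSWE clear in both; FLOCKDN
# (bit 15 of HSFS) set before sleep but not re-armed by the resume path.
BEFORE_SLEEP = Snapshot("before sleep", bios_cntl=0x22, hsfs=0xC000)
AFTER_WAKE   = Snapshot("after wake",   bios_cntl=0x22, hsfs=0x4000)

if __name__ == "__main__":
    for snap in (BEFORE_SLEEP, AFTER_WAKE):
        print(snap.label, decode(snap), findings(snap) or ["locked"])
    print("lost across sleep/wake:", protections_lost(BEFORE_SLEEP, AFTER_WAKE))
```

On real hardware the register values come from a tool with chipset access; chipsec's `common.bios_wp` and `common.spi_lock` modules perform essentially these checks, so running them before and after a sleep/wake cycle is the practical version of the diff above. A chipset is re-initialised on resume from S3, which is why a lock that firmware only sets on cold boot can come back clear after wake.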
Oh, I know how to solve this one. There's a bug in the EFI capsule update mechanism that allows installing unsigned firmware updates if you have root.
Now combine it with this bug, and you can corrupt an EFI update initiated by root from an unprivileged account. Essentially, wait for the next EFI update and you get arbitrary code execution from Ring 3, userland, to Ring -3, the firmware.
With Macs making up about 6% or so of the PC market, does anyone care about doing attacks on OS X or Macs? In fact, it does seem the direction towards attacks made outside of singular device hardware is becoming more popular: attacking routers, servers, even cloud-based systems, or direct attacks against certain systems that guarantee financial gain, such as personal information or other private information that can be sold. Maybe the NSA still wants to rootkit your Mac, but most hackers want monetary gains, not small potatoes, these days. The stuff Mac users fall for is more ransomware and fake clickjacking stuff. This rootkit potential is just that: something Apple will most likely fix but is also less likely to be exploited.
It's interesting that a lot of effort has been put into things like SecureBoot, but there is still a plethora of devices in a PC which are ready to accept new (potentially malicious) firmware at any given point in time.
Less of an issue among people/organizations who exclusively buy new, from the manufacturer or an authorized retailer; but (at least on the PC side, I don't deal much with Mac procurement) refurbished off-lease units are an enormous market. Very, very popular with organizations that can't afford to ride the latest-and-greatest. It's not glamorous (something like the Optiplex 780 is nothing to write home about), but if you need a few computer labs or a cube farm on a tight budget, the fact that you can get units with an adequate 3rd-party warranty, no DOA, 4GB of RAM, and an adequately punchy CPU for ~$150 each, sometimes a little less, is pretty compelling.
"Previous owner" isn't a scary vulnerability for exploits that live at the OS level; all the refurb stuff typically gets wiped once by the refurb house during their testing process, and re-imaged when it reaches the customer; but it is damn scary for firmware-level exploits. Especially motherboard firmware (HDD firmware exploits are scary; but taking out the HDD and shredding it, then replacing it with another low-capacity-everything-is-on-the-network-anyway boot disk is at least cheap), which compromises the system at a scary-deep level, and also compromises the component that makes up most of the value of the computer.
Without a good OS-level vector, preferably with a nice internet infection capability, it isn't a good candidate for a pandemic; but if this sort of firmware fuckery makes the used market about as reliable as buying street drugs, it will have a major impact.
Still ring-0. Quite a big deal...