├── pubkey.asc ├── README.md ├── CLVA-2016-05-001.md ├── CLVA-2016-05-002.md ├── CLVA-2017-01-002.md └── CLVA-2017-01-001.md /pubkey.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQINBFefjgEBEADU4TbsgjzHzlBp3OFrSP8imXtlEonjRxk+J3SKdtro5WOWPyBe 4 | TLWA/BzLeBNgpWhBMYGmqE90quw3Arbl5B2P5RE35lW0V742VD+BGtx9dkfTuLvk 5 | NZKQOH17LISIZTAYM1Qnv4DJK9m7cakOy9kKZFfLvFsaiEpPLbjfw7tKLVRc8I+H 6 | ZLapKtaUE6Fx333V89OLHBNh78TmzF5SJO00ssVnWqlm3wuaSLcoEFf1nMX8ooyS 7 | TA6xiNMgsrzK0Z/WrA4wVP0rek1ubvadtY4U/vY6rONfwF34qpxtc8MtFQFSUFJQ 8 | lBkocw1/6rqUEtrWiW5+C6AkQWhKGRkv8Qv1KV9bFbXb3i6iGnMhSMvO/veg+Dib 9 | kiW5fu/4WptBKH8RpMJsj4VTnqnTl8IGACpc1wTiHW5LyGpN1402lqzcX/dLEKSD 10 | 6xh6iD9XVcvSSauoa/Kd3NQ1jd20I0kpcZTzejRVQO0mRMl6Xk2jrr191+9Scxoc 11 | hMmRbDbyBo1Vu4Ho44N4PASl5LkBd+pYd07JpzVUCKS1/elMwFBcWcgyVJdJHomL 12 | ot9U32c6gESU96UOIQo/uuFi+iInQu2StyGzTsNBzbxKb0QjjFFDbNyGHILJkIT7 13 | CiSTNGYICoy9M4tBrF/XjvmX0kSd4Q7gXvXm7pJwFw4qVTKCYAuTSxyZqQARAQAB 14 | tDRDeWxhbmNlIFZ1bG5lcmFiaWxpdHkgUmVzZWFyY2ggVGVhbSA8dnJAY3lsYW5j 15 | ZS5jb20+iQI9BBMBCgAnBQJXn44BAhsDBQkHhh+ABQsJCAcDBRUKCQgLBRYCAwEA 16 | Ah4BAheAAAoJEGUML+kIBeurz8EQAKE895Omk49Dca8Ji4dvWRKi6r4xhnVwkxBe 17 | jexu/O39ED7ACUxN5d6k12NyNXauc4qjr+RvKmRFmm6JWmJo/XkKlHI/pRUOTZSz 18 | A2QliuATKHKrjbuM3pULso5G2wL0hVMthwUrGx7i2BVC44GOSNg+pVVGYOkya/Wv 19 | cd01sl2dZYpUeL6pEbu75T6GEHHjFUapqoN+EGb+7WdQVhESkoMeQb0nYATJ+t3V 20 | ME2e97WMP9fmQf8Cmu2rqswnIymSwzRUECkVsxXzd7LxgZks4IV8HJLQdeqD9eeR 21 | 2GIqZBdntzVlI/qz30dH0mUSCVCcMlcAlcAv7xdj/whuSej+/n82YqqX1ILMjv84 22 | UG0JOHIfL8HEsz3+UxN7jCsM2Boeg1KNsBcppkGJLWiu0eiwsJ/siJMdUDRfRYxT 23 | g08/5BClkZU/4XZNUTd/knkEny23jztxzIqLMUddbYM2kNfeguH0NiZOHzNd0/BQ 24 | cXMIG8qpuyvBVGm3D8H9hzbBpeKB9l0Ek7+JSt0uVdjwXQuzyFP8KOcyAa7sMA3r 25 | a5gcJwAWForyjpmQR8tkUATJVY9U+sPJJkXcOtqFg+P9/3xsbynzBVeholsHd/y8 26 | WFBOKvgvlca4BgFupqeGJxYROlD1+dZqcl5mRpp+j+FrWNYh3aiTvrM4GLzz8hBq 27 | 
X82a3y0IuQINBFefjgEBEAC/boBrwzAXCHX16mIOgy0TX5AeJrJZf0adwzB/RLem 28 | 2bQ8lCw4vV0U81422Xt1O3ENavqwh/Ib91ti1i4z721eHyxSB87qBeOX9fpWedj4 29 | CNFXTaMPDmCJFcFoExYkn+N5lT6iRvffLkXGy5aRkW9ZjKJXO9OtEtcolrsq4+dX 30 | G7tEX3hUY2Xiwrv2SYlLzxiw8PP1f49obNc7O2wDAPXe8ifKkajNvwV9VXeUk1rb 31 | 5fqcyC16TMLvSxrv0woYQnFjMNXV4cyYs25mGQXBW+4LozotRwrRNxcC9CEnPmzn 32 | 5bq/TkyNjzcsV8ahM7HESaP6uL/xn8IrwPrGw1P9BnkGmigdPT202NYnin/BYIYU 33 | gz7cGoOfJP3lnpxeiNy70SFFnuhZqVMtgzwLNJWAKtBDAw1c5fLgrbClQd6DoKHW 34 | +MDhwdmi1mXBI/+BHL8749kv4TTxTrBhkkWIgyL/ds6jX8YD2EkIWDB8Es0A3m+T 35 | dCjazmiU5GVoWgEK4bRe9PJ5w80xBAaE/Dn0HZ8iZ/mXZJAlyTwgPBEu+eDG24ob 36 | s7YuPksSvf9ptw7OxMdpRZTmz4b58xZbVlgMK1RVFzR6yeoqQqMq9ld6bKotdx1V 37 | uWMkHmfi5HoOz0IeuTdmRXQSnedHQBfQfMBs45UJmH0SUndjdli7uwXpdIDo5Mh2 38 | YwARAQABiQIlBBgBCgAPBQJXn44BAhsMBQkHhh+AAAoJEGUML+kIBeurOeoP/Rwc 39 | Pa3syhHWQ1gTqieXz/4Tl5fzjYowW4Dd1KARF+E/7P2yV5MANTVb3icKxNuQhzTb 40 | bVjw1t1VLc8oIlX2+dFoV5vioufPI8JSGl3vjEd/H9oLPa8iJcw2UCc+m4PpE/1+ 41 | ahYpOjFI9uEw3DmKX22PjAB2dbiojl2eNm4CltkAmdQ/8DI4b3M9ZD5rjXUKgURW 42 | dNkcZ3H7/Ez4JfZ/KoW9pDm6E1Umik9ay5re3fzPhet3xyHVeAXTeCHDnbiUekJ6 43 | 2P3YF7zFKHp8T6ZbtWlau+5zN1Emj+KQ9mPiiHHu9YvcLj4YmWaxjaFXBXALonp5 44 | Wnxxww2PmbsUt2D4HOdSZAXMrLT2bFURyX5BypxVhlXl2iz0N1N4ZemZ3SjcdNL2 45 | YA0pvq0uJjrY4dRakTqEW2MWu3f+J3Jyu/soN7loEfVJ7OVyK3QeQzIkE780lbo9 46 | KHb0RUAoqeviGhdE84bsrb5xZi3nF6sQk6Yvhat5IdSIuxfq4GTGvAnp1hjig5Ar 47 | jHqlV7sJtJe1zwPByc4ChJFs92Rw+7/w5oFd6GmZaJQfPKvuBqgTqBPMCHHOCuhG 48 | AXprESLKNUJci3v5Jc27lhXNHnFuO27jk5qDFYHdUb4y+e6XqIWHA2/dsux/usoF 49 | +TSytjBz/8QcWrFM1G6ijQoQehMBAC6ncsDNruVq 50 | =9/0i 51 | -----END PGP PUBLIC KEY BLOCK----- 52 | ``` 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cylance Vulnerability Research - Disclosure Repository 2 | 3 | This is a repository to hold all of Cylance's Vulnerability Research team's public vulnerability disclosures. 
4 | 5 | The public key for our Vulnerability Research Team e-mail is below: 6 | 7 | ``` 8 | -----BEGIN PGP PUBLIC KEY BLOCK----- 9 | 10 | mQINBFefjgEBEADU4TbsgjzHzlBp3OFrSP8imXtlEonjRxk+J3SKdtro5WOWPyBe 11 | TLWA/BzLeBNgpWhBMYGmqE90quw3Arbl5B2P5RE35lW0V742VD+BGtx9dkfTuLvk 12 | NZKQOH17LISIZTAYM1Qnv4DJK9m7cakOy9kKZFfLvFsaiEpPLbjfw7tKLVRc8I+H 13 | ZLapKtaUE6Fx333V89OLHBNh78TmzF5SJO00ssVnWqlm3wuaSLcoEFf1nMX8ooyS 14 | TA6xiNMgsrzK0Z/WrA4wVP0rek1ubvadtY4U/vY6rONfwF34qpxtc8MtFQFSUFJQ 15 | lBkocw1/6rqUEtrWiW5+C6AkQWhKGRkv8Qv1KV9bFbXb3i6iGnMhSMvO/veg+Dib 16 | kiW5fu/4WptBKH8RpMJsj4VTnqnTl8IGACpc1wTiHW5LyGpN1402lqzcX/dLEKSD 17 | 6xh6iD9XVcvSSauoa/Kd3NQ1jd20I0kpcZTzejRVQO0mRMl6Xk2jrr191+9Scxoc 18 | hMmRbDbyBo1Vu4Ho44N4PASl5LkBd+pYd07JpzVUCKS1/elMwFBcWcgyVJdJHomL 19 | ot9U32c6gESU96UOIQo/uuFi+iInQu2StyGzTsNBzbxKb0QjjFFDbNyGHILJkIT7 20 | CiSTNGYICoy9M4tBrF/XjvmX0kSd4Q7gXvXm7pJwFw4qVTKCYAuTSxyZqQARAQAB 21 | tDRDeWxhbmNlIFZ1bG5lcmFiaWxpdHkgUmVzZWFyY2ggVGVhbSA8dnJAY3lsYW5j 22 | ZS5jb20+iQI9BBMBCgAnBQJXn44BAhsDBQkHhh+ABQsJCAcDBRUKCQgLBRYCAwEA 23 | Ah4BAheAAAoJEGUML+kIBeurz8EQAKE895Omk49Dca8Ji4dvWRKi6r4xhnVwkxBe 24 | jexu/O39ED7ACUxN5d6k12NyNXauc4qjr+RvKmRFmm6JWmJo/XkKlHI/pRUOTZSz 25 | A2QliuATKHKrjbuM3pULso5G2wL0hVMthwUrGx7i2BVC44GOSNg+pVVGYOkya/Wv 26 | cd01sl2dZYpUeL6pEbu75T6GEHHjFUapqoN+EGb+7WdQVhESkoMeQb0nYATJ+t3V 27 | ME2e97WMP9fmQf8Cmu2rqswnIymSwzRUECkVsxXzd7LxgZks4IV8HJLQdeqD9eeR 28 | 2GIqZBdntzVlI/qz30dH0mUSCVCcMlcAlcAv7xdj/whuSej+/n82YqqX1ILMjv84 29 | UG0JOHIfL8HEsz3+UxN7jCsM2Boeg1KNsBcppkGJLWiu0eiwsJ/siJMdUDRfRYxT 30 | g08/5BClkZU/4XZNUTd/knkEny23jztxzIqLMUddbYM2kNfeguH0NiZOHzNd0/BQ 31 | cXMIG8qpuyvBVGm3D8H9hzbBpeKB9l0Ek7+JSt0uVdjwXQuzyFP8KOcyAa7sMA3r 32 | a5gcJwAWForyjpmQR8tkUATJVY9U+sPJJkXcOtqFg+P9/3xsbynzBVeholsHd/y8 33 | WFBOKvgvlca4BgFupqeGJxYROlD1+dZqcl5mRpp+j+FrWNYh3aiTvrM4GLzz8hBq 34 | X82a3y0IuQINBFefjgEBEAC/boBrwzAXCHX16mIOgy0TX5AeJrJZf0adwzB/RLem 35 | 2bQ8lCw4vV0U81422Xt1O3ENavqwh/Ib91ti1i4z721eHyxSB87qBeOX9fpWedj4 36 | 
CNFXTaMPDmCJFcFoExYkn+N5lT6iRvffLkXGy5aRkW9ZjKJXO9OtEtcolrsq4+dX 37 | G7tEX3hUY2Xiwrv2SYlLzxiw8PP1f49obNc7O2wDAPXe8ifKkajNvwV9VXeUk1rb 38 | 5fqcyC16TMLvSxrv0woYQnFjMNXV4cyYs25mGQXBW+4LozotRwrRNxcC9CEnPmzn 39 | 5bq/TkyNjzcsV8ahM7HESaP6uL/xn8IrwPrGw1P9BnkGmigdPT202NYnin/BYIYU 40 | gz7cGoOfJP3lnpxeiNy70SFFnuhZqVMtgzwLNJWAKtBDAw1c5fLgrbClQd6DoKHW 41 | +MDhwdmi1mXBI/+BHL8749kv4TTxTrBhkkWIgyL/ds6jX8YD2EkIWDB8Es0A3m+T 42 | dCjazmiU5GVoWgEK4bRe9PJ5w80xBAaE/Dn0HZ8iZ/mXZJAlyTwgPBEu+eDG24ob 43 | s7YuPksSvf9ptw7OxMdpRZTmz4b58xZbVlgMK1RVFzR6yeoqQqMq9ld6bKotdx1V 44 | uWMkHmfi5HoOz0IeuTdmRXQSnedHQBfQfMBs45UJmH0SUndjdli7uwXpdIDo5Mh2 45 | YwARAQABiQIlBBgBCgAPBQJXn44BAhsMBQkHhh+AAAoJEGUML+kIBeurOeoP/Rwc 46 | Pa3syhHWQ1gTqieXz/4Tl5fzjYowW4Dd1KARF+E/7P2yV5MANTVb3icKxNuQhzTb 47 | bVjw1t1VLc8oIlX2+dFoV5vioufPI8JSGl3vjEd/H9oLPa8iJcw2UCc+m4PpE/1+ 48 | ahYpOjFI9uEw3DmKX22PjAB2dbiojl2eNm4CltkAmdQ/8DI4b3M9ZD5rjXUKgURW 49 | dNkcZ3H7/Ez4JfZ/KoW9pDm6E1Umik9ay5re3fzPhet3xyHVeAXTeCHDnbiUekJ6 50 | 2P3YF7zFKHp8T6ZbtWlau+5zN1Emj+KQ9mPiiHHu9YvcLj4YmWaxjaFXBXALonp5 51 | Wnxxww2PmbsUt2D4HOdSZAXMrLT2bFURyX5BypxVhlXl2iz0N1N4ZemZ3SjcdNL2 52 | YA0pvq0uJjrY4dRakTqEW2MWu3f+J3Jyu/soN7loEfVJ7OVyK3QeQzIkE780lbo9 53 | KHb0RUAoqeviGhdE84bsrb5xZi3nF6sQk6Yvhat5IdSIuxfq4GTGvAnp1hjig5Ar 54 | jHqlV7sJtJe1zwPByc4ChJFs92Rw+7/w5oFd6GmZaJQfPKvuBqgTqBPMCHHOCuhG 55 | AXprESLKNUJci3v5Jc27lhXNHnFuO27jk5qDFYHdUb4y+e6XqIWHA2/dsux/usoF 56 | +TSytjBz/8QcWrFM1G6ijQoQehMBAC6ncsDNruVq 57 | =9/0i 58 | -----END PGP PUBLIC KEY BLOCK----- 59 | ``` -------------------------------------------------------------------------------- /CLVA-2016-05-001.md: -------------------------------------------------------------------------------- 1 | # [CLVA-2016-05-001]: Crestron AM-100 Path Traversal Vulnerability 2 | 3 | # Summary 4 | 5 | Cylance identified a vulnerability in the Crestron AirMedia AM-100, which could allow an unauthenticated entity to read arbitrary files on affected devices. 
The unauthenticated user must be able to access the web server on the affected devices.

## Product Description

The Crestron AirMedia AM-100 allows users to "wirelessly present PowerPoint®, Excel®, Word, and PDF documents, as well as photos, on the room display from their personal iOS® or Android™ mobile device" or desktop/laptop. (via [http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations](http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations)).

## Affected Products

* Crestron AirMedia AM-100 (firmware v1.1.1.11 - v1.2.1)

## Impact

An unauthenticated entity may be able to read arbitrary files on the affected AM-100 as superuser ("root").

# Vulnerability Information

* Cylance Identifier: CLVA-2016-05-001
* CVE Identifier: CVE-2016-5639

## Description

A path traversal vulnerability exists in `login.cgi` (and possibly other binaries in the `/home/boa/cgi-bin` directory) on the AM-100 embedded web server. The `src` GET parameter passed to `login.cgi` specifies the relative path to a file for rendering, such as `AwLoginDownload.html`. However, the value of this parameter is not restricted to the web root: it can specify an arbitrary path on the AM-100 filesystem, including one that uses `../` segments to climb out of the directory the CGI reads from.

## Impact

The attacker may be able to read the contents of unexpected files and expose sensitive data. Additionally, as the embedded web server runs as root, the attacker is unrestricted by filesystem permissions.

## Attack Scenario

An unauthenticated entity with access to the AM-100 embedded web server could, for example, read the system's shadow password file (`/etc/shadow`), then crack the recovered root password hash offline in order to log in to an account on the device.

## Resolution

Crestron has released firmware version 1.4.0.13 to address this issue. Affected users should update the firmware of their AM-100 as soon as possible.
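The check that `login.cgi` is missing, written out as an added example in Python (it is not part of the advisory and not Crestron's firmware code): a resolver that decodes the `src` parameter until it is stable, refuses absolute paths and NUL bytes, canonicalises the result against the web root and rejects anything that ends up outside it. The web root is a throwaway directory that `demo()` builds, the file in it is constructed sample data, and the function and exception names are assumptions made for illustration.

```python
"""Safe resolution of a client-supplied relative path such as the AM-100's
``src`` parameter.  Added example, not Crestron's or Cylance's code."""
import os
import tempfile
from typing import Dict, Union
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a requested path would escape the web root."""


def resolve_src(webroot: str, src: str) -> str:
    """Return the absolute file path for ``src`` or raise PathTraversal.

    This is the check the CGI should perform before opening the file:
    1. percent-decode until the value stops changing (catches %2e%2e%2f and
       double-encoded %252e variants that a single decode would miss),
    2. refuse absolute paths and embedded NUL bytes outright,
    3. canonicalise with realpath so '..' and symlinks are folded, and
    4. require the canonical path to stay under the canonical web root.
    """
    root = os.path.realpath(webroot)
    decoded = src
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if decoded.startswith(("/", "\\")) or "\x00" in decoded:
        raise PathTraversal(src)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(src)
    return candidate


def is_safe(webroot: str, src: str) -> bool:
    """Boolean form of resolve_src for quick checks."""
    try:
        resolve_src(webroot, src)
        return True
    except PathTraversal:
        return False


def render(webroot: str, src: str) -> bytes:
    """Serve a file the way login.cgi renders ``src``, but only via the check."""
    with open(resolve_src(webroot, src), "rb") as fh:
        return fh.read()


def demo() -> Dict[str, Union[bytes, str]]:
    """Build a constructed web root and try the advisory's benign and traversal inputs."""
    root = tempfile.mkdtemp(prefix="am100-www-")          # assumed web root
    with open(os.path.join(root, "AwLoginDownload.html"), "wb") as fh:
        fh.write(b"<html>Crestron AirMedia</html>")          # constructed sample page
    results: Dict[str, Union[bytes, str]] = {}
    for src in ("AwLoginDownload.html",
                "../../../../../../../../etc/shadow",        # the advisory's traversal
                "..%2F..%2F..%2Fetc%2Fshadow",                # encoded variant
                "/etc/shadow"):                              # absolute path
        try:
            results[src] = render(root, src)[:5]
        except PathTraversal:
            results[src] = "rejected"
    return results


if __name__ == "__main__":
    for src, outcome in demo().items():
        print(f"{src!r:45} -> {outcome!r}")
```

`realpath` does the heavy lifting: it folds `..` after decoding, so the comparison is made on the path the kernel would actually open rather than on the string the client sent. Checking for `../` substrings alone would miss the encoded variants and absolute paths that this resolver rejects.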
Crestron partners can find the latest firmware at [http://www.crestron.com/products/model/AM-100](http://www.crestron.com/products/model/AM-100).

## Credit

* Zach Lanier, Director of Research, Cylance

## Additional Information
### Details for CLVA-2016-05-001

* Example of a benign/normal `GET` request for `login.cgi`:

```
GET http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=AwLoginDownload.html HTTP/1.1
...
```

* Example of expected response:

```
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 26 Oct 2005 19:07:53 GMT
Server: lighttpd/1.4.35-devel-4f1e285

Crestron AirMedia
...
```

* Example of malicious request for `/etc/shadow` (system's password file):

```
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../etc/shadow
```

* Response (password hash redacted for privacy reasons):

```
root:[HASH]:0:0:99999:7:::
```

# CLVA-2016-05-001 Timeline

* Discovery Date: 2016-05-12
* Vendor Notification Date: 2016-05-19
* CERT/CC Contact Date: 2016-05-27
* Vendor Acknowledgement Date: 2016-06-06
* Patch Release Date: 2016-08-01
* Public Disclosure Date: 2016-08-01

--------------------------------------------------------------------------------
/CLVA-2016-05-002.md:
--------------------------------------------------------------------------------

# [CLVA-2016-05-002]: Crestron AM-100 Command Injection Vulnerability

# Summary

Cylance identified a vulnerability in the Crestron AirMedia AM-100, which could allow an unauthenticated entity to execute arbitrary commands on affected devices. The unauthenticated user must be able to access the web server on the affected devices.
## Product Description

The Crestron AirMedia AM-100 allows users to "wirelessly present PowerPoint®, Excel®, Word, and PDF documents, as well as photos, on the room display from their personal iOS® or Android™ mobile device" or desktop/laptop. (via [http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations](http://www.crestron.com/microsites/airmedia-mobile-wireless-hd-presentations)).

## Affected Products

* Crestron AirMedia AM-100 (firmware v1.1.1.11 - v1.2.1)

## Impact

An unauthenticated entity may be able to execute arbitrary commands on the affected AM-100 as superuser ("root").

# Vulnerability Information

* Cylance Identifier: CLVA-2016-05-002
* CVE Identifier: CVE-2016-5640

## Description

A command injection vulnerability exists in `rftest.cgi` on the AM-100 embedded web server. The `ATE_COMMAND` POST parameter specifies the path to a command for the underlying OS to execute. By default, the value of this parameter is `/sbin/iwpriv`; however, the value of this parameter can be a relative or absolute path to any arbitrary command on the underlying OS. Note that the benign request in the Additional Information section passes a whole command line, with several `iwpriv` invocations separated by `;`, so the parameter is not limited to a single binary path and the CGI performs no validation of it.

## Impact

Attackers may execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Additionally, as the embedded web server runs as root, subsequent commands/processes will also run as root, providing unfettered access to the system.

## Attack Scenario

An unauthenticated entity with access to the AM-100 embedded web server could send HTTP POST data to `rftest.cgi`, specifying any arbitrary command to be executed.

## Resolution

Crestron has released firmware version 1.4.0.13 to address this issue. Affected users should update the firmware of their AM-100 as soon as possible.
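An added example, not Crestron's code, contrasting what the advisory describes (the client's `ATE_COMMAND` string handed to a shell) with a handler that accepts only the `iwpriv ra0 set KEY=VALUE` forms the benign request uses and runs them as argument vectors without a shell. The parameter names and the benign body come from the advisory; the regular expression, the injectable `run` hook, the fake runner and `demo()` are assumptions for illustration, since the real CGI's internals are not shown on this page.

```python
"""Vulnerable versus hardened handling of rftest.cgi's ATE_COMMAND parameter.
Added example, not Crestron's code; only the parameter names and the sample
bodies are taken from the advisory."""
import re
import subprocess
from typing import Callable, Dict, List
from urllib.parse import parse_qs

IWPRIV = "/sbin/iwpriv"
# Exactly one invocation of the form the benign request chains together.
ATE_RE = re.compile(r"^/sbin/iwpriv ra0 set ([A-Z]+)=([A-Za-z0-9]+)$")

# Request bodies from the advisory (trailing form fields trimmed).
BENIGN_BODY = ("ATE_COMMAND=%2Fsbin%2Fiwpriv+ra0+set+ATE%3DATESTART%3B"
               "%2Fsbin%2Fiwpriv+ra0+set+ATETXLEN%3D24%3B"
               "%2Fsbin%2Fiwpriv+ra0+set+ATE%3DTXCONT%3B&ATETXLEN=24&ATE=TXCONT")
MALICIOUS_BODY = "ATE_COMMAND=whoami&ATETXLEN=24&ATE=TXCONT"


def vulnerable_handler(body: str, run: Callable = subprocess.run) -> str:
    """What the advisory describes: the decoded parameter becomes a shell command line."""
    cmd = parse_qs(body)["ATE_COMMAND"][0]
    return run(cmd, shell=True, capture_output=True, text=True).stdout


def parse_ate_command(value: str) -> List[List[str]]:
    """Accept only a ';'-chain of the expected iwpriv forms; return argv lists.

    Anything that is not literally `/sbin/iwpriv ra0 set KEY=VALUE` is rejected,
    so `whoami`, `/bin/sh`, backticks and `$(...)` never reach an exec call."""
    argvs: List[List[str]] = []
    for segment in filter(None, (s.strip() for s in value.split(";"))):
        m = ATE_RE.match(segment)
        if not m:
            raise ValueError(f"rejected ATE_COMMAND segment: {segment!r}")
        key, val = m.groups()
        argvs.append([IWPRIV, "ra0", "set", f"{key}={val}"])   # fixed binary, no shell
    return argvs


def hardened_handler(body: str, run: Callable = subprocess.run) -> List[str]:
    """Validate first, then execute each invocation as an argv without a shell."""
    outputs = []
    for argv in parse_ate_command(parse_qs(body)["ATE_COMMAND"][0]):
        outputs.append(run(argv, shell=False, capture_output=True, text=True).stdout)
    return outputs


class _Recorded:
    def __init__(self, cmd):
        self.stdout = f"would run {cmd!r}"


def _fake_run(cmd, **_kwargs) -> _Recorded:
    """Stand-in for subprocess.run so the demo never executes anything."""
    return _Recorded(cmd)


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {
        "vulnerable": vulnerable_handler(MALICIOUS_BODY, run=_fake_run),
        "benign_argv": parse_ate_command(parse_qs(BENIGN_BODY)["ATE_COMMAND"][0]),
    }
    try:
        hardened_handler(MALICIOUS_BODY, run=_fake_run)
        out["hardened"] = "executed"
    except ValueError:
        out["hardened"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The important design point is that the hardened handler never builds a command string from client input at all: the binary and the `ra0 set` verb are constants, and the only client-controlled bytes are the `KEY=VALUE` pair, constrained to an alphanumeric pattern and passed as a single argv element.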
Crestron partners can find the latest firmware at [http://www.crestron.com/products/model/AM-100](http://www.crestron.com/products/model/AM-100).

## Credit

* Zach Lanier, Director of Research, Cylance

## Additional Information
### Details for CLVA-2016-05-002

* Example of a benign/normal `POST` request body for `rftest.cgi`:

```
POST https://[AM-100-ADDRESS]/cgi-bin/rftest.cgi?lang=en&src=AwServicesSetup.html&[TOKEN] HTTP/1.1
...
ATE_COMMAND=%2Fsbin%2Fiwpriv+ra0+set+ATE%3DATESTART%3B%2Fsbin%2Fiwpriv+ra0+set+ATETXLEN%3D24%3B%2Fsbin%2Fiwpriv+ra0+set+ATE%3DTXCONT%3B&ATECHANNEL=&ATETXLEN=24&ATETXCNT=&ATETXMODE=&ATETXBW=&ATETXGI=&ATETXMCS=&ATETXANT=&ATERXANT=&ATERXFER=&ResetCounter=&ATEAUTOALC=&ATEIPG=&ATEPAYLOAD=&ATE=TXCONT
```

* Example of expected response:

```
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 26 Oct 2005 19:07:53 GMT
Server: lighttpd/1.4.35-devel-4f1e285

Crestron AirMedia
...
```

* Example of malicious `POST` request body for `rftest.cgi`, specifying the `whoami` command for the `ATE_COMMAND` parameter:

```
ATE_COMMAND=whoami&ATECHANNEL=&ATETXLEN=24&ATETXCNT=&ATETXMODE=&ATETXBW=&ATETXGI=&ATETXMCS=&ATETXANT=&ATERXANT=&ATERXFER=&ResetCounter=&ATEAUTOALC=&ATEIPG=&ATEPAYLOAD=&ATE=TXCONT
```

* Response (note the response contains `root`, indicating successful execution of `whoami`, as well as identifying that the web server runs as superuser; the output appears ahead of the `Content-Type` header, consistent with the command's standard output being written straight into the response before the CGI prints its own headers):

```
HTTP/1.1 200 OK
Date: Wed, 26 Oct 2005 20:50:35 GMT
Server: lighttpd/1.4.35-devel-4f1e285
root

Content-Type: text/html

...
```

# CLVA-2016-05-002 Timeline

* Discovery Date: 2016-05-12
* Vendor Notification Date: 2016-05-19
* CERT/CC Contact Date: 2016-05-27
* Vendor Acknowledgement Date: 2016-06-06
* Patch Release Date: 2016-08-01
* Public Disclosure Date: 2016-08-01

--------------------------------------------------------------------------------
/CLVA-2017-01-002.md:
--------------------------------------------------------------------------------

# [CLVA-2017-01-002]: Gigabyte BRIX BIOS Write Protection is not enabled

# Summary

Cylance identified a vulnerability in the UEFI firmware for the Gigabyte GB-BSi7H-6500 and GB-BXi7-5775 platforms, which could allow an attacker to modify the firmware from ring 0.

## Product Description

The Gigabyte BRIX is a common Mini-PC Barebone platform (via [http://www.gigabyte.us/products/list.aspx?s=47&ck=104](http://www.gigabyte.us/products/list.aspx?s=47&ck=104)).

## Affected Products

* GB-BSi7H-6500 (UEFI firmware version: vF6 from 2016/05/18)
* GB-BXi7-5775 (UEFI firmware version: vF2 from 2016/07/19)

## Impact

An attacker can modify the SPI flash image to install a persistent rootkit/bootkit or corrupt the firmware, because the flash write protection features are disabled by default.

# Vulnerability Information

* Cylance Identifier: CLVA-2017-01-002
* CVE Identifier: CVE-2017-3198

## Description

A vulnerability has been identified in one of the UEFI firmware images from American Megatrends Inc. (AMI) used in Gigabyte's GB-BSi7H-6500 and GB-BXi7-5775 platforms. The chipset features that protect the BIOS region of the flash from arbitrary modification (the BIOSWE, BLE and SMM_BWP bits of the BIOS Control register, and the SPI Protected Range registers PRx) are not enabled by default, and Intel Boot Guard is not available for Gigabyte BRIX platforms, so a modified image is neither blocked from being written nor detected at boot. The firmware updates for Gigabyte BRIX platforms are not signed.
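A simplified re-implementation, added here and not Chipsec's own code, of what the `bios_wp` module decides from the registers it prints in the Additional Information section of this advisory: decode the BIOS Control bits, decode each PRx range, and report the region as protected only if either the SMM-based lock is complete (BIOSWE clear, BLE and SMM_BWP set) or write-protected PRx ranges cover the whole BIOS region. The register values are the ones the advisory reports for the GB-BSi7H-6500; the 13-bit PRx base/limit field layout is the classic PCH encoding and is an assumption for this platform; the corrected values used for comparison are constructed.

```python
"""Evaluate BIOS region write protection from BIOS_CNTL and SPI PRx values.
Added example (simplified model of the Chipsec bios_wp decision), not Chipsec code."""
from typing import Dict, List, Tuple

# Bit positions of the BIOS Control (BC) register as listed in the Chipsec output:
# name -> (shift, width)
BC_FIELDS = {"BIOSWE": (0, 1), "BLE": (1, 1), "SRC": (2, 2), "TSS": (4, 1),
             "SMM_BWP": (5, 1), "BBS": (6, 1), "BILD": (7, 1)}

# Values reported in the advisory for the GB-BSi7H-6500.
BRIX_BC = 0x00000A88
BRIX_PRS = [0x00000000] * 5                      # PR0..PR4 all zero
BRIX_BIOS_REGION = (0x00A00000, 0x00FFFFFF)      # inclusive base/limit


def decode_bc(bc: int) -> Dict[str, int]:
    """Split BIOS_CNTL into its named fields."""
    return {name: (bc >> shift) & ((1 << width) - 1)
            for name, (shift, width) in BC_FIELDS.items()}


def decode_pr(pr: int) -> Tuple[int, int, bool, bool]:
    """PRx layout (assumed classic PCH encoding): bit 31 write-protect enable,
    bits 28:16 limit in 4 KiB units, bit 15 read-protect enable, bits 12:0 base
    in 4 KiB units.  Returns (base, limit, wpe, rpe) with inclusive byte addresses."""
    wpe = bool((pr >> 31) & 1)
    rpe = bool((pr >> 15) & 1)
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    base = (pr & 0x1FFF) << 12
    return base, limit, wpe, rpe


def bc_protects(bc: int) -> bool:
    """SMM-based protection: writes disabled, the disable bit locked, and only
    SMM able to flip BIOSWE back on.  BILD locks the interface, not the flash."""
    f = decode_bc(bc)
    return f["BIOSWE"] == 0 and f["BLE"] == 1 and f["SMM_BWP"] == 1


def prx_cover(prs: List[int], region: Tuple[int, int]) -> bool:
    """True if the write-protected PRx ranges together cover every byte of region."""
    uncovered = [region]
    for pr in prs:
        base, limit, wpe, _ = decode_pr(pr)
        if not wpe:
            continue                              # read-only protection does not count
        remaining = []
        for lo, hi in uncovered:
            if limit < lo or base > hi:           # disjoint: nothing removed
                remaining.append((lo, hi))
                continue
            if base > lo:                         # keep the part below this range
                remaining.append((lo, base - 1))
            if limit < hi:                        # keep the part above this range
                remaining.append((limit + 1, hi))
        uncovered = remaining
    return not uncovered


def bios_region_protected(bc: int, prs: List[int], region: Tuple[int, int]) -> bool:
    """Either mechanism on its own is enough to make the region write-protected."""
    return bc_protects(bc) or prx_cover(prs, region)


if __name__ == "__main__":
    print(decode_bc(BRIX_BC))
    print("protected:", bios_region_protected(BRIX_BC, BRIX_PRS, BRIX_BIOS_REGION))
```

Two things the decoding makes visible that the raw hex hides: `BILD = 1` is the only lock set and it protects the BIOS interface strap, not the flash contents; and because every PRx is zero, the range table offers no fallback when the `BLE`/`SMM_BWP` pair is left clear.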
During the firmware update process, an attacker may modify the platform firmware with persistent malicious code since no integrity check is performed.

## Impact

An attacker can use the AMI Firmware Update (AFU) utility to make arbitrary modifications to the SPI flash image from ring 0. As an example, this vulnerability may be used to write a rootkit/bootkit to the SPI flash image. The rootkit could persist across operating system re-installs and allow an attacker to bypass security features such as Secure Boot, Virtual Secure Mode and Device Guard. An attacker can also modify firmware policies using the AMI BIOS Configuration Program (AMIBCP) to unlock the Intel Direct Connect Interface (DCI), which on an Intel Skylake CPU may be used for platform debugging over USB 3 with the Intel SVT adapter.

## Attack Scenario

An attacker could use the AMI or Gigabyte firmware update tool to install a custom UEFI firmware, or modify the SPI flash memory directly, to install a persistent rootkit/bootkit.

## Resolution

Gigabyte has released UEFI firmware version F7 to address this issue for the GB-BSi7H-6500 platform. However, the GB-BXi7-5775 is End Of Life (EOL), and therefore may not be receiving an update. Affected users should update the firmware as soon as possible. Firmware updates can be found at [Gigabyte's Support Page](http://www.gigabyte.com/Support).

## Credit

* Alex Matrosov, Principal Research Scientist, Cylance

## Additional Information
### Details for CLVA-2017-01-002

* Example of the vulnerability detection by the Chipsec `bios_wp` module:

```
python chipsec_main.py -m common.bios_wp
```

* Output information from Chipsec:

```
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] OS      : Windows 10 10.0.14393 AMD64
[CHIPSEC] Platform: Mobile 6th Generation Core Processor (Skylake U)
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 1904

[+] loaded chipsec.modules.common.bios_wp
[*] running loaded modules ..
[*] running module: chipsec.modules.common.bios_wp
[*] Module path: c:\Chipsec\chipsec\modules\common\bios_wp.pyc
[x][ =======================================================================
[x][ Module: BIOS Region Write Protection
[x][ =======================================================================
[*] BC = 0x00000A88 << BIOS Control (b:d.f 00:31.5 + 0xDC)
    [00] BIOSWE           = 0 << BIOS Write Enable
    [01] BLE              = 0 << BIOS Lock Enable
    [02] SRC              = 2 << SPI Read Configuration
    [04] TSS              = 0 << Top Swap Status
    [05] SMM_BWP          = 0 << SMM BIOS Write Protection
    [06] BBS              = 0 << Boot BIOS Strap
    [07] BILD             = 1 << BIOS Interface Lock Down
[-] BIOS region write protection is disabled!

[*] BIOS Region: Base = 0x00A00000, Limit = 0x00FFFFFF
SPI Protected Ranges
------------------------------------------------------------
PRx (offset) | Value    | Base     | Limit    | WP? | RP?
------------------------------------------------------------
PR0 (84)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR1 (88)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR2 (8C)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR3 (90)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR4 (94)     | 00000000 | 00000000 | 00000000 | 0   | 0

[!] None of the SPI protected ranges write-protect BIOS region
[!] BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire BIOS region
[-] FAILED: BIOS is NOT protected completely
```

# CLVA-2017-01-002 Timeline

* Discovery Date: 2016-12-20
* Vendor Notification Date: 2017-01-17
* CERT/CC Contact Date: 2017-01-18
* Vendor Acknowledgement Date: 2017-02-17
* Patch Release Date: 2017-03-30
* Public Disclosure Date: 2017-03-30

--------------------------------------------------------------------------------
/CLVA-2017-01-001.md:
--------------------------------------------------------------------------------

# [CLVA-2017-01-001]: Gigabyte BRIX arbitrary System Management Mode code execution

# Summary

Cylance identified a vulnerability in the UEFI firmware for the Gigabyte GB-BSi7H-6500 and GB-BXi7-5775 platforms, which could allow arbitrary code execution in System Management Mode (ring -2) by programs running in ring 0.

## Product Description

The Gigabyte BRIX is a common Mini-PC Barebone platform (via [http://www.gigabyte.us/products/list.aspx?s=47&ck=104](http://www.gigabyte.us/products/list.aspx?s=47&ck=104)).

## Affected Products

* GB-BSi7H-6500 - UEFI firmware version: vF6 (2016/05/18)
* GB-BXi7-5775 - UEFI firmware version: vF2 (2016/07/19)
* Vulnerable code is located inside SMM driver: SmiFlash (GUID: BC327DBD-B982-4F55-9F79-056AD7E987C5)

## Impact

An attacker can exploit this vulnerability to elevate privileges, execute arbitrary code in System Management Mode, and install a backdoor to the system at a firmware level.

# Vulnerability Information

* Cylance Identifier: CLVA-2017-01-001
* CVE Identifier: CVE-2017-3197

## Description

A vulnerability has been identified in one of the software System Management Interrupt (SWSMI) handlers in the UEFI firmware from American Megatrends Inc.
(AMI) used in Gigabyte's GB-BSi7H-6500 and GB-BXi7-5775 platforms. The handler does not validate the buffer pointer it receives from the caller, so code running in ring 0 can point it at SMRAM and have the handler write there, gaining code execution in System Management Mode. The firmware for these models also does not use the SPI Protected Ranges (PRx) flash write protection, so code that reaches SMM is free to overwrite the SPI flash as well.

## Impact

An attacker can exploit this vulnerability to elevate privileges, execute arbitrary code, and install a backdoor in System Management Mode. Backdoors installed at the SMM level could persist across operating system re-installs. Additionally, this vulnerability could be used to bypass UEFI firmware security mechanisms, which would allow an attacker to modify the SPI flash image to infect it with a rootkit or bootkit.

## Attack Scenario

An attacker can send malicious requests to the vulnerable SMI handler from ring 0 (ring 0 execution can be obtained either through a kernel vulnerability or a vulnerable 3rd party driver such as Capcom.sys) to trigger the vulnerability and execute code in System Management Mode (SMM). The code executing in the SMM context can install a persistent rootkit/bootkit in the SPI flash chip, which would persist across operating system installations.

## Resolution

Gigabyte has released UEFI firmware version F7 to address this issue for the GB-BSi7H-6500 platform. However, the GB-BXi7-5775 is End Of Life (EOL), and therefore may not be receiving an update. Affected users should update the firmware as soon as possible. Firmware updates can be found at [Gigabyte's Support Page](http://www.gigabyte.com/Support).
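A Python model, added here and taken neither from the AMI SmiFlash driver nor from Chipsec, of why the fuzzer output in the Additional Information section flags SWSMI 0x25: a handler that writes its reply through whatever pointer the caller put in RBX, beside one that first confirms the buffer lies entirely outside SMRAM (the check EDK II provides as `SmmIsBufferOutsideSmmValid()`), together with the fill-and-compare probe that `smm_ptr` uses to notice a handler writing through caller memory. The SMRAM window, the status value and the "evil" pointer are constructed; the buffer address 0x87773000, the 0x500 byte fill of 0x11 and the changed-offset range 4..1279 echo the advisory's output.

```python
"""Unchecked versus checked SMI handler pointer handling, and the probe that
tells them apart.  Added example: a simulation, not firmware or Chipsec code."""
from typing import Callable, Dict, List

SMRAM = (0x7F000000, 0x7F800000)     # assumed TSEG [base, end) for the model
MAX_PA = 1 << 64                     # physical address space wraps past this
EFI_INVALID_PARAMETER = 0x8000000000000002
COMM_BUF_SIZE = 0x500                # bytes the handler touches, as in the output


class Machine:
    """Sparse physical memory; SMRAM is just an address range the checked
    handler refuses to touch on the caller's behalf."""
    def __init__(self) -> None:
        self.mem: Dict[int, int] = {}

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

    def bytes_in_smram(self) -> int:
        return sum(1 for a in self.mem if SMRAM[0] <= a < SMRAM[1])


def buffer_outside_smram(addr: int, length: int) -> bool:
    """Reject empty or wrapping ranges and any overlap with SMRAM; the range
    is [addr, addr + length).  Mirrors the EDK II SmmIsBufferOutsideSmmValid() rule."""
    if length == 0 or addr + length > MAX_PA:
        return False
    lo, hi = SMRAM
    return addr + length <= lo or addr >= hi


def unchecked_handler(m: Machine, rbx: int) -> int:
    """SWSMI 0x25 as observed: a 4-byte header is left alone and the rest of the
    0x500-byte buffer at RBX is overwritten, wherever RBX points."""
    m.write(rbx + 4, b"\x00" * (COMM_BUF_SIZE - 4))
    return 0


def checked_handler(m: Machine, rbx: int) -> int:
    """Same service, but the caller's buffer must lie wholly outside SMRAM."""
    if not buffer_outside_smram(rbx, COMM_BUF_SIZE):
        return EFI_INVALID_PARAMETER          # nothing written
    return unchecked_handler(m, rbx)


def probe(handler: Callable[[Machine, int], int], m: Machine, ptr: int,
          size: int = COMM_BUF_SIZE, fill: int = 0x11) -> List[int]:
    """smm_ptr-style probe: fill the buffer, fire the SMI, list changed offsets."""
    m.write(ptr, bytes([fill]) * size)
    handler(m, ptr)
    return [i for i, b in enumerate(m.read(ptr, size)) if b != fill]


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    m = Machine()
    # Ordinary buffer in caller memory: both handlers serve it and the probe sees
    # offsets 4..1279 change, exactly what the advisory's fuzzer run reports.
    out["unchecked_changed"] = probe(unchecked_handler, m, 0x87773000)
    out["checked_changed"] = probe(checked_handler, m, 0x87773000)
    # Pointer chosen so the buffer straddles the start of SMRAM (constructed).
    evil = SMRAM[0] - 0x100
    m_unchecked, m_checked = Machine(), Machine()
    unchecked_handler(m_unchecked, evil)
    out["unchecked_smram_bytes"] = m_unchecked.bytes_in_smram()
    out["checked_status"] = checked_handler(m_checked, evil)
    out["checked_smram_bytes"] = m_checked.bytes_in_smram()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v if not isinstance(v, list) else f"{len(v)} offsets")
```

The probe alone cannot tell a legitimately served communication buffer from a dangerous one; it only shows that the handler writes through the pointer it is given. What makes 0x25 exploitable is the absence of the bounds check, which the checked variant restores: the same request with a buffer overlapping SMRAM returns an error and leaves SMRAM untouched.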
## Credit

* Alex Matrosov, Principal Research Scientist, Cylance

## Additional Information
### Details for CLVA-2017-01-001

* Example of the vulnerability for SWSMI 0x25 with the [Chipsec SMI fuzzer](https://github.com/chipsec/chipsec/blob/master/chipsec/modules/tools/smm/smm_ptr.py):

```
python chipsec_main.py -m tools.smm.smm_ptr -a fuzz,0x25:0x25
```

* Output information from Chipsec SMI fuzzer:

```
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] OS      : Windows 10 10.0.14393 AMD64
[CHIPSEC] Platform: Mobile 6th Generation Core Processor (Skylake U)
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 1904

[+] loaded chipsec.modules.tools.smm.smm_ptr
[*] running loaded modules ..

[*] running module: chipsec.modules.tools.smm.smm_ptr
[*] Module path: c:\Chipsec\chipsec\modules\tools\smm\smm_ptr.pyc
[*] Module arguments (2):
['fuzz', '0x25:0x25']
[x][ =======================================================================
[x][ Module: A tool to test SMI handlers for pointer validation vulnerabilities
[x][ =======================================================================

[*] Allocated memory buffer (to pass to SMI handlers)       : 0x0000000087773000
[*] Allocated 2nd buffer (address will be in the 1st buffer): 0x0000000087772000

[*] Configuration
    SMI testing mode          : fuzzmore
    Range of SMI codes (B2)   : 0x25:0x25
    Memory buffer pointer     : 0x0000000087773000 (address passed in GP regs to SMI)
    Filling/checking memory?  : YES
    Second buffer pointer     : 0x0000000087772000 (address written to memory buffer)
    Number of bytes to fill   : 0x500
    Byte to fill with         : 0x11
    Additional options (can be changed in the source code):
      Fuzzing SMI functions in ECX?          : 1
      Max value of SMI function in ECX       : 0x10
      Max value of SMI data (B3)             : 0x100
      Max offset of the pointer in the buffer: 0x20
      Passing pointer in all GP registers?   : 0
      Default values of the registers        : 0x5A5A5A5A5A5A5A5A
      Dump all register values every SMI     : 0
      Bail on first detection                : 1

[*] >>> Fuzzing SMI handlers..
[*] AX in RAX will be overwridden with values of SW SMI ports 0xB2/0xB3
    DX in RDX will be overwridden with value 0x00B2

[*] Setting values of general purpose registers to 0x5A5A5A5A5A5A5A5A

[*] reloading buffer with PTR at offset 0x0..
[*] writing 0x500 bytes at 0x0000000087773000 -> PTR at +0x0
[*] writing buffer at PA 0x0000000087772000 with 0x500 bytes ''

[*] fuzzing SMI# 0x25 (data: 0x00)
    >> function (RCX): 0x0000000000000000
       RBX: 0x0000000087773000
    > SMI 25 (data: 00)
    < checking buffers
    contents changed at 0x0000000087773000 +[4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225,
226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, 495, 496, 497, 498, 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511, 512, 513, 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, 596, 597, 598, 599, 600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 
626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852, 853, 854, 855, 856, 857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 
1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1121, 1122, 1123, 1124, 1125, 1126, 1127, 1128, 1129, 1130, 1131, 1132, 1133, 1134, 1135, 1136, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157, 1158, 1159, 1160, 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1209, 1210, 1211, 1212, 1213, 1214, 1215, 1216, 1217, 1218, 1219, 1220, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230, 1231, 1232, 1233, 1234, 1235, 1236, 1237, 1238, 1239, 1240, 1241, 1242, 1243, 1244, 1245, 1246, 1247, 1248, 1249, 1250, 1251, 1252, 1253, 1254, 1255, 1256, 1257, 1258, 1259, 1260, 1261, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279]
    restoring 0x500 bytes at 0x0000000087773000
[!] DETECTED: SMI# 25 data 0 (rax=5A5A5A5A5A5A5A5A rbx=87773000 rcx=0 rdx=5A5A5A5A5A5A5A5A rsi=5A5A5A5A5A5A5A5A rdi=5A5A5A5A5A5A5A5A)
[!] Potentially bad SMI detected! Stopped fuzing (see FUZZ_BAIL_ON_1ST_DETECT option)
[-] <<< Done: found 1 potential occurrences of unchecked input pointers
```

# CLVA-2017-01-001 Timeline

* Discovery Date: 2016-12-20
* Vendor Notification Date: 2017-01-17
* CERT/CC Contact Date: 2017-01-18
* Vendor Acknowledgement Date: 2017-02-17
* Patch Release Date: 2017-03-30
* Public Disclosure Date: 2017-03-31