Exploiting Lenovo's UEFI vulnerability/backdoor to flash unsigned BIOS

[harryK]

Dmytro Oleksiuk aka Cr4sh recently documented a privileges escalation vulnerability in Lenovo's EFI code which, among other things, can be used to remove write protection of the BIOS portion of the firmware (the EC portion is already writable, making the keyboard and battery mods possible). Cr4sh went as far as releasing a proof of concept of the vulnerability https://github.com/Cr4sh/ThinkPwn/ and people already started thinking about the possible use case of flashing a whitelist-free bios, at least on *30 generation machines https://github.com/Cr4sh/ThinkPwn/issues/2

So, what do the authors of the brilliant keyboard mod (hamish, nitrocaster, I am looking at you ) think about all this? DDDDD

[nitrocaster]

Looks like a nice opportunity. I haven't looked at the BIOS code yet, though.

[TheChuckster]

Depends on how "write protection" works, someone would have to study the BIOS code, and use this exploit to have the UEFI call a custom function that rewrites the firmware (in the escalated privilege level). hamish didn't want to mess with firmware flashing code, understandably so; you end up with tons of bricked hardware along the way until you figure it out. I guess since I have a chip clip and flashing hardware, it's not the end of the world to mess up. Still, someone needs to RE the actual firmware flashing process (hamish took a bit of a look at the EC flashing code).