Exploiting Lenovo's UEFI vulnerability/backdoor to flash unsigned BIOS

X230/X240 series specific matters only
harryK
Freshman Member
Posts: 66
Joined: Fri Jun 13, 2014 6:28 pm
Location: Manchester, England

Exploiting Lenovo's UEFI vulnerability/backdoor to flash unsigned BIOS

#1 Post by harryK » Wed Jul 06, 2016 2:00 pm

Dmytro Oleksiuk aka Cr4sh recently documented a privilege escalation vulnerability in Lenovo's EFI code which, among other things, can be used to remove write protection of the BIOS portion of the firmware (the EC portion is already writable, making the keyboard and battery mods possible). Cr4sh went as far as releasing a proof of concept of the vulnerability https://github.com/Cr4sh/ThinkPwn/ and people have already started thinking about the possible use case of flashing a whitelist-free BIOS, at least on *30 generation machines https://github.com/Cr4sh/ThinkPwn/issues/2

So, what do the authors of the brilliant keyboard mod (hamish, nitrocaster, I am looking at you :-) ) think about all this? :-DDDDDD

nitrocaster
Junior Member
Posts: 400
Joined: Fri Mar 04, 2016 8:38 am
Location: Moscow, Russia

Re: Exploiting Lenovo's UEFI vulnerability/backdoor to flash unsigned BIOS

#2 Post by nitrocaster » Sat Jul 09, 2016 6:39 pm

Looks like a nice opportunity. I haven't looked at the BIOS code yet, though.
For those who are interested in buying an X220/X230 FHD kit: Read this before sending me a PM!
X230: i7-3520M | 16GB RAM | 512GB M.2 Micron M600 | LG LP125WF2-SPB4 FHD IPS | 9c Li-Ion | Win8.1 Pro 64

TheChuckster
Posts: 38
Joined: Fri Jan 27, 2017 5:26 pm
Location: San Francisco, CA

Re: Exploiting Lenovo's UEFI vulnerability/backdoor to flash unsigned BIOS

#3 Post by TheChuckster » Thu Feb 02, 2017 3:09 am

It depends on how "write protection" works; someone would have to study the BIOS code and use this exploit to have the UEFI call a custom function that rewrites the firmware (in the escalated privilege level). hamish didn't want to mess with firmware flashing code, understandably so; you end up with tons of bricked hardware along the way until you figure it out. I guess since I have a chip clip and flashing hardware, it's not the end of the world to mess up. Still, someone needs to RE the actual firmware flashing process (hamish took a bit of a look at the EC flashing code).
