Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp2134395lqo; Mon, 13 May 2024 08:44:23 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWDzdtcr5Rg/89AHimizX2JBitDky1HegGPwXE90UK2jO4e9rGh5EbXprzu3vA2enIxgapR67foVveWRL2yz/zoh2jLxeuJ17RK6AScTw== X-Google-Smtp-Source: AGHT+IF77AdpRejYmhX7y0OqCSd6wkWOdhZSuSfWPDNBRqawzGGqgQDnDzRgCbv5nCQSg9ThJ1Vx X-Received: by 2002:a17:906:fc05:b0:a59:ae9b:c661 with SMTP id a640c23a62f3a-a5a2d5d49b3mr605345666b.40.1715615063586; Mon, 13 May 2024 08:44:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1715615063; cv=none; d=google.com; s=arc-20160816; b=X6NezqkRhqJiFpDs3EMAlO+mQF7IR0ScMpZIFfd7wGMe09DaxemyKr2i2B7UTtujDe GjXZOJqMkHoFDhJBwndXkXZuX9tN4SRQP0wkirWvqyYNfQ8VXhT/mJfIQxXue5WSSJo7 jeumZqppYbRMTOflVwxj85Mu/mZoxaKCzcOHh5HshysLb6ud1BQm/2WpRQ2l7Jf/yT0j JzNZPCTMSNxl0C0qH9+GpWNysp2W/o2bBBf6uLqM8to2Cwgqf9bI7+3pEAPS73D/wIR7 53UdQ8Qe6nqH/i89aQo4Y39WuE4DIm0Xv4Z8s/GqPsEd9knL2st+Kkb69tMdhYWmmUDf tA6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:in-reply-to:references:to:mime-version:user-agent:from:date :message-id:dkim-signature:delivered-to:delivered-to:reply-to :list-id:list-subscribe:list-unsubscribe:list-help:list-post :precedence:mailing-list; bh=2FmlAllE+zV4pnNVADDe0xxsdsSBXTyMV8Yk32qPIKA=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=klAZcgIgq46ZwjUz3Wc9fEVfLg6ihbs5Nco5vE6ocIw3jMGq882itgdaR/SkqOY7Kp Bv3l9w/VPKUtRgD0k+aEpixW4eP3C6TXR6xbzexf3E8EQJKtUXP4a8T1Q5ggJUeD15t3 MJJGg8UbN/XQMGrjevtc+cKDWviywePemyFn++2jWEcOxxFtZCCVIGi35+r4JnF06/EZ eAi3FXLaJCzmACqwtvaI8CjFz6uyY4iJOxdidK9Trkjn2bP8Lg3gRHWhGISzBBYioJCJ pMwIMCnOeQ85s88LQuJhUqhFVx2i/AsluwJjqfmfxES8PvzXwYOoDDOk3nb4ZhKT5TI/ 90RQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20230601 header.b=H6zFMMix; spf=pass (google.com: domain of oss-security-return-30147-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30147-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id a640c23a62f3a-a5a17ba3a43si560777966b.636.2024.05.13.08.44.23 for ; Mon, 13 May 2024 08:44:23 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30147-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20230601 header.b=H6zFMMix; spf=pass (google.com: domain of oss-security-return-30147-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30147-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (qmail 5193 invoked by uid 550); 13 May 2024 15:44:05 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 9895 invoked from network); 12 May 2024 02:44:30 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715481862; x=1716086662; darn=lists.openwall.com; h=in-reply-to:references:subject:to:mime-version:user-agent:reply-to :from:date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=SPG78aNoour3oga7elBEM8O5dpDmCAWhLpx7pTmPUfE=; b=H6zFMMixw2OKpjQ1l3mdvGCr7lAMWl3vFjo1YV0VzUPCT4Fv0KoxsJbAq16S8qxmlm 8lHISShZPwDEL6qQSR0H1yUum5mp09D3Ju3BPS2nwzqLPi7YV3slY8FLNmYO/wbpVAlx BZ9cTVdLdoYEwgXN/KSTxB3QU3M9jhFBGzKS9GCklmXUW7Pw2aXjWpbfe4GdbFqyxcZf NG56+FHVkKZqDwRAdhSAkrh/vjnbr/eREGaQkPCyeqyJaLfLU/leiDKwRgwr37W/QZ10 rB/WtsjZjw3kaWtgPDdvP1/HhMOa9S1UacBrZdZF05xeiR2IAyCgflFql+xJL5mghlGp DP/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715481862; x=1716086662; h=in-reply-to:references:subject:to:mime-version:user-agent:reply-to :from:date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=SPG78aNoour3oga7elBEM8O5dpDmCAWhLpx7pTmPUfE=; b=AF/ZQOXXI7deUQ9ZFI2JVF+SQ3yRQqbeWc36q54eOxyhbMPnknRz1/9njza5wwPeL7 M3kz+2JfTjbW/bchEP2r5hmgySOl8G6/3E7BewsggQUGueJLpLXfsvfSLuWbtNuunm3d 8pHNfMb5NSslK4zOS5x0TT6tOXwqpMAUSWaBUcFp86kInuCakunJah5nqMRbSWNO7dAP xuUA7H0uSW9rKm7VGJyMJLRAkU5w1OvLKSNCZtLDO8rOcyRp/kb87bDzzD2hiIwIxrdC v3mQixfvCYY0vzvrLTjOjCKIsmEvwoVaZdpP9xcYw0PkBvemmg+gc3tl4MwRLQ9xa9RI zSQw== X-Gm-Message-State: AOJu0YzocopFWU+1JViOuJbRORQdIfMhkfn0GUcAwLKNCbp8PqINxPos vCQEI2oGtdOLngOGyvpoLSwCVKE6urMG0yDR+U198EVPqmTzhz/VzdDOyeFb X-Received: by 2002:aca:1a13:0:b0:3c9:6c89:9a79 with SMTP id 5614622812f47-3c99704c359mr7264747b6e.21.1715481861494; Sat, 11 May 2024 19:44:21 -0700 (PDT) Message-ID: <66402D01.8090200@gmail.com> Date: Sat, 11 May 2024 21:44:17 -0500 From: Jacob Bachmeyer User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0 MIME-Version: 1.0 To: oss-security@lists.openwall.com References: In-Reply-To: Content-Type: multipart/mixed; boundary="------------000100080402000705020703" Subject: Re: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory --------------000100080402000705020703 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Corey Lopez wrote: > I have dual boot Windows 11 Home Edition and Debian based setup on my laptop. > > Distributor ID: Kali > Description: Kali GNU/Linux Rolling > Release: 2024.1 > Codename: kali-rolling > > After realizing a security breach on my Kali system I discovered /etc/network/interface > had the immutable attribute set while trying to restrict access using chmod. I decided to > investigate other files on my system with the immutable attribute set by running this > command as root: > > # find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt > > This led me the directory /sys/firmware/efi/efivars/ where I discovered efi variables > pertaining Microsoft's Device Firmware Configuration Interface (DFCI). Were the EFI variables marked immutable or did you make a list of every file on the system and notice them on that list? > Microsoft's > DFCI enables zero touch remote configuration of UEFI BIOS giving the ability to > manage BIOS settings and hardware. The DFCI allows for remote disabling or enabling > of cameras, microphones, radios, boot external media, bootstrapping an OS, cpu > virtualization, and I/O virtualization. According to Microsoft's github page, the zero > touch certificate is shared by all DFCI-enabled systems and does not need to be injected > at manufacturing. > > Microsoft advertises DFCI as a defense mechanism against rootkits, however it seems that it > is being used as a UEFI bootkit. According to Microsoft DFCI is not available for Windows 10 > or 11 Home Edition. My Acer Aspire 3 15 has Windows 11 Home Edition, and was purchased > as a consumer product versus a commercial. This means that not only is there a capability that > DFCI can be implemented on a consumer product, but through a Linux based operating system. > I will admit that this seems strange, but it appears that your laptop has firmware support for DFCI even though, by Microsoft's claims, it should not be eligible for that feature. > I will provide the ASCII output of each file that I found on my Kali Linux system from the > /sys/firmware/efi/efivars/ directory. I will not provide the entire hexdump output to save space. > However, I will provide more if requested after my initial posting. > > [... snip ASCII columns from hex dump; reformatted below ...] For a first step, I note that those EFI variables appear to contain XML, and have (using ` sed -e '/^|/{: L;/|$/N;s/|\n|//;t L}' | sed -e '/|$/{N;N;s/\(.\{16\}\)|\n\*\n|/\1\1/}' -e 's/^|\.\.\.\.//' -e 's/\.|\n/\n/' -e 's/\.|$//' | awk '/^<\?xml/ { print | "xml_pp"; close("xml_pp"); next } 1' `) converted that back to readable ASCII, with the XML nicely pretty-printed; attached in full, some possibly interesting details inline below: > File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b > > ASCII Output: > > > > 2024-01-30T13:51:08 > [...] > 0 > The "Date" field is potentially interesting if you had the laptop at that time, but if the laptop is newer than that date, it and the other dates are likely manufacturing-related timestamps. > File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01 > > ASCII Output: > > > > 2024-01-30T13:51:34 > The dates are close together; did you have that laptop prior to January 30th, 2024? > > [...] > > Device.Password.Password > No System Password > > I could not pass up this apparent detail that it seems Microsoft may be putting passwords in plaintext again, unless that field merely reports a status. > > Dfci.RecoveryUrl.String > > > This and several following fields all have no value whatsoever, while others seem to me to have neutral values; this looks like DFCI is present but unconfigured. > [...] > > 0 > > > File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01 > > ASCII Output: > > > > 2024-01-30T13:51:34 > > [... snip apparent duplicate settings ...] > > 0 > I did discover loop devices on my system that I could not remove with the > losetup command. I had to manually remove them with the rm -f command from > the /dev/disks directory. Using rm does not remove the devices at all: they are still present in the kernel, and you only removed the nodes from the filesystem. > Also, I ran the lsof command, which helped me discover > the type of file systems that were being used. This prompted me to use apt purge > to remove Gnome Virtual File System from my laptop. > > # lsof /dev/loop* > > I received this in response: > > can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs > can't stat() fuse.portal file system /run/user/1000/doc > Others have explained this weirdness; it is actually normal functionality, except possibly for loop devices having been in use. Just to make sure, you did run lsof *before* using rm, right? > This should be enough to give others places to look to determine if they have been > infected, however I will be more than happy to provide more if needed. > See if the mystery loop devices come back after a reboot, and if so, use losetup to determine what files they are attached to; that information is needed to distinguish between normal operation and a possible persistent compromise. Also, I vaguely remember that attempting to detach a loop device that is not attached can also report an error. They may not actually be in use after all. -- Jacob --------------000100080402000705020703 Content-Type: text/plain; name="dfcidump.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="dfcidump.txt" File Name: DfciDeviceIdentifier-4123a1a9-6f50-4b58-9c3d-56fc24c6c89e ASCII output: Manufacturer Acer Product Name Aspire A315-44P Serial Number NXKSJAA0044050439E3400 2 File Name: DfciIdentityCurrent-de6a8726-05df-43ce-b600-92bd5d286cfd (NOTE: something that stood out to me is the Zero Touch ID: 0989C5F7EA3379388F79990875B23E031A5DA554) ASCII Output: User Cert not installed User1 Cert not installed User2 Cert not installed Owner Cert not installed ZeroTouch 0989C5F7EA3379388F79990875B23E031A5DA554 File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b ASCII Output: 2024-01-30T13:51:08 Dfci.OwnerKey.Enum 9 128 Dfci.ZtdKey.Enum 1 Dfci.ZtdUnenroll.Enable 0 Dfci.Ztd.Recovery.Enable 0 0 File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01 ASCII Output: 2024-01-30T13:51:34 Device.BootOrderLock.Enable Disabled Device.USBBoot.Enable Enabled Dfci.BootOnboardNetwork.Enable Disabled Device.Password.Password No System Password Dfci.RecoveryUrl.String Dfci.RecoveryBootstrapUrl.String Dfci.HttpsCert.Binary Dfci.RegistrationId.String Dfci.TenantId.String MDM.FriendlyName.String MDM.TenantName.String Device.CpuAndIoVirtualization.Enable Enabled Dfci3.OnboardWpbt.Enable Enabled Dfci3.AssetTag.String Dfci.OnboardAudio.Enable Enabled Dfci.OnboardRadios.Enable Enabled Device.IRCamera.Enable Disabled Device.FrontCamera.Enable Disabled Device.RearCamera.Enable Disabled Dfci3.ProcessorSMT.Enable Disabled Dfci.CpuAndIoVirtualization.Enable Disabled Dfci.BootExternalMedia.Enable Enabled Dfci.OnboardCameras.Enable Unknown 0 File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01 ASCII Output: 2024-01-30T13:51:34 Device.BootOrderLock.Enable Disabled Device.USBBoot.Enable Enabled Dfci.BootOnboardNetwork.Enable Disabled Device.Password.Password No System Password Dfci.RecoveryUrl.String Dfci.RecoveryBootstrapUrl.String Dfci.HttpsCert.Binary Dfci.RegistrationId.String Dfci.TenantId.String MDM.FriendlyName.String MDM.TenantName.String Device.CpuAndIoVirtualization.Enable Enabled Dfci3.OnboardWpbt.Enable Enabled Dfci3.AssetTag.String Dfci.OnboardAudio.Enable Enabled Dfci.OnboardRadios.Enable Enabled Device.IRCamera.Enable Disabled Device.FrontCamera.Enable Disabled Device.RearCamera.Enable Disabled Dfci3.ProcessorSMT.Enable Disabled Dfci.CpuAndIoVirtualization.Enable Disabled Dfci.BootExternalMedia.Enable Enabled Dfci.OnboardCameras.Enable Unknown 0 --------------000100080402000705020703--