Home

Awesome

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability

Windows Boot Applications allow the truncatememory setting to remove blocks of memory containing "persistent" ranges of serialised data from the memory map, leading to Secure Boot bypass.

This issue was fixed by two different changes:

Exploitation

The attacker needs to ensure the serialised Secure Boot Policy is allocated above a known physical address.

The avoidlowmemory element can be used to ensure all allocations of physical memory are above a specified physical address:

hvloader.efi can be loaded with the nointegritychecks element to load a self-signed mcupdate.dll, whose entry point will be called before ExitBootServices.

Alternatively, on non-AMD64 systems, winload.efi before TH2 can be used with the testsigning element; this allows self-signed binaries with the szOID_NT5_CRYPTO EKU in the certificate.

On ARMv7 systems, loading a patched self-signed hal.dll with an import to mcupdate.dll will be necessary to get code execution.

On x86 and AMD64 systems, the file loaded as mcupdate.dll must be named mcupdate_*.dll, where * is the CPUID manufacturer string (GenuineIntel, AuthenticAMD etc).

On ARM64 systems, this technique cannot be used due to the earliest available production signed build being a WinPE of RS2; thus currently only tethered code execution can be performed (using bootdebug).

Included files

This repository includes the following files:

Postscript

This issue can be used to dump BitLocker keys (where Secure Boot is used for integrity validation).

The fix for this issue also fixed another issue which has no CVE.

No known vulnerable boot application has been revoked yet.

Update (2023-05-10)

An incomplete revocation occured, and another CVE (CVE-2023-24932). There's still vulnerable bootmgfws that were not revoked, as well as additional patches only fixing the case where bootmgr loads bootmgr. It only took a pasted bootkit to get MS to act ;)
If you're creative enough you'll find a way to work around the revocation of over 2000 bootmgfw files ;)