ASUS Eee PC Motherboard BIOS SMM Privilege Escalation Vulnerability

Source: 岁月联盟  Editor: zhuzhu  Date: 2009-08-24
Affected versions:
Asus EeePC
Asus P5*
Asus B50A
Asus P6T

Vulnerability description:
BUGTRAQ ID: 35995

The Eee PC is a series of small notebook computers made by ASUS.

The BIOS firmware of ASUS motherboards contains specific code with multiple SMI handlers. At boot these handlers are loaded into a protected region of memory (SMRAM) and run in System Management Mode (SMM).

Below is a disassembly of one of these SMI handlers, the $SMISS handler:

0003F073: 50                           push        ax
0003F074: B4A1                         mov         ah,0A1
** 0003F076: 9A197D00F0                   call        0F000:07D19
0003F07B: 2404                         and         al,004
0003F07D: 7414                         je          00003F093
0003F07F: B434                         mov         ah,034
** 0003F081: 9A708000F0                   call        0F000:08070
0003F086: 2410                         and         al,010
0003F088: 7409                         je          00003F093
0003F08A: B430                         mov         ah,030
** 0003F08C: 9A708000F0                   call        0F000:08070
0003F091: 2410                         and         al,010
0003F093: 3C01                         cmp         al,001
0003F095: 58                           pop         ax
0003F096: CB                           retf

0003F097: 0E                           push        cs
0003F098: E8D8FF                       call        00003F073
0003F09B: B80100                       mov         ax,00001
0003F09E: 0F82C500                     jb          00003F167
0003F0A2: B81034                       mov         ax,03410
** 0003F0A5: 9A7B8000F0                   call        0F000:0807B
0003F0AA: B81030                       mov         ax,03010
** 0003F0AD: 9AAF8000F0                   call        0F000:080AF
0003F0B2: 80265601FC                   and         b,[0156],0FC
0003F0B7: 33DB                         xor         bx,bx
0003F0B9: B88083                       mov         ax,08380
** 0003F0BC: 9A89A100F0                   call        0F000:0A189
** 0003F0C1: 9AE0BD00F0                   call        0F000:0BDE0
0003F0C6: 3C04                         cmp         al,004
0003F0C8: 750B                         jne         00003F0D5
0003F0CA: BB5400                       mov         bx,00054
0003F0CD: B88083                       mov         ax,08380
** 0003F0D0: 9A89A100F0                   call        0F000:0A189
** 0003F0D5: 9AD0BD00F0                   call        0F000:0BDD0
0003F0DA: 7505                         jne         00003F0E1
0003F0DC: 800E560101                   or          b,[0156],001
0003F0E1: E8260E                       call        00003FF0A
0003F0E4: E82EFE                       call        00003EF15
0003F0E7: E8A200                       call        00003F18C
** 0003F0EA: 9AE0BD00F0                   call        0F000:0BDE0
0003F0EF: BEFFFF                       mov         si,0FFFF
0003F0F2: 3C01                         cmp         al,001
0003F0F4: 740B                         je          00003F101
0003F0F6: B8B315                       mov         ax,015B3
** 0003F0F9: 9A7DA100F0                   call        0F000:0A17D
0003F0FE: 7501                         jne         00003F101
0003F100: 46                           inc         si
0003F101: B9E800                       mov         cx,000E8
0003F104: BB0800                       mov         bx,00008
0003F107: E8ED00                       call        00003F1F7
0003F10A: B9E900                       mov         cx,000E9
0003F10D: BB1000                       mov         bx,00010
0003F110: E8E400                       call        00003F1F7
0003F113: B9EA00                       mov         cx,000EA
0003F116: BB0010                       mov         bx,01000
0003F119: E8DB00                       call        00003F1F7
0003F11C: B9EB00                       mov         cx,000EB
0003F11F: BB0040                       mov         bx,04000
0003F122: E8D200                       call        00003F1F7
0003F125: 9A1C0161AA                   call        0AA61:0011C
** 0003F12A: 9ACF0600F0                   call        0F000:006CF
** 0003F12F: 9AE0BD00F0                   call        0F000:0BDE0
0003F134: BBE282                       mov         bx,082E2
0003F137: 48                           dec         ax
0003F138: D0E0                         shl         al,1
0003F13A: 02D8                         add         bl,al
0003F13C: 80D700                       adc         bh,000
** 0003F13F: 9AD0BD00F0                   call        0F000:0BDD0
0003F144: 2EFF17                       call        w,cs:[bx]
0003F147: A05601                       mov         al,[0156]
0003F14A: 0C02                         or          al,002
0003F14C: E6B3                         out         0B3,al
0003F14E: EB00                         jmps        00003F150
0003F150: E8C100                       call        00003F214
0003F153: A1C600                       mov         ax,[00C6]
0003F156: 8B16CE00                     mov         dx,[00CE]
0003F15A: EF                           out         dx,ax
0003F15B: B96400                       mov         cx,00064
0003F15E: E6ED                         out         0ED,al
0003F160: EB00                         jmps        00003F162
0003F162: E2FA                         loop        00003F15E
0003F164: B80000                       mov         ax,00000
0003F167: CB                           retf

The disassembly contains several calls into the 0F000 code segment (the instructions marked with **). Segment 0F000 maps to physical addresses F0000h-100000h, the range that holds BIOS code such as POST and the BIOS interrupt services. This range lies outside SMRAM and gets no SMM memory protection, so any process that can access physical memory can overwrite its contents, even when SMRAM itself is locked.

For example, linear address 0F000:08070 in the SMI handler above translates to physical address F8070h. During boot the BIOS copies to this address, from the ROM chip, the code shown below, which reads a register in the power-management I/O space at port 800h+offset (the handler calls it with the offset in AH):

00008387: BA0008                       mov         dx,00800
0000838A: 02D4                         add         dl,ah
0000838C: 80D600                       adc         dh,000
0000838F: C3                           retn
00008390: 52                           push        dx
00008391: E8F3FF                       call        000008387
00008394: EC                           in          al,dx
00008395: 5A                           pop         dx
00008396: C3                           retn

; These instructions are loaded to 0F000:08070 address
; (F8070h in physical memory) by the BIOS from ROM chip
00008397: E8F6FF                       call        000008390
0000839A: CB                           retf

These BIOS instructions can be replaced with a jump to malicious code, after which the SMI handler executes that code with SMM privileges.

Reference:
core collapse (core_collapse@hush.com)

Links:
http://marc.info/?l=bugtraq&m=124967745920658&w=2
http://www.phrack.org/issues.html?issue=66&id=11#article
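As an added example (not code from the advisory or from core collapse's paper), the scanner below finds 16-bit far CALL/JMP immediates (opcodes 9A/EA) in a block of SMI-handler bytes, converts each segment:offset target to a physical address the way the text does for 0F000:08070, and flags targets that fall outside SMRAM; that is exactly the property the ** marks above point out. The sample bytes are transcribed from the advisory's own listing (0003F073-0003F096 and the two calls at 0003F125/0003F12A). The SMRAM window A0000h-BFFFFh is an assumption: it is the legacy "compatible" SMRAM range, which the unmarked call to 0AA61:0011C also lands in, but the page does not state where this BIOS maps SMRAM, so on a real target read the range from the chipset's SMRAM/TSEG registers. The scan is a byte-pattern heuristic, not a disassembler, so confirm hits against a real disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Inclusive physical address range. */
typedef struct { uint32_t lo, hi; } phys_range;

/* One decoded far transfer found in the scanned bytes. */
typedef struct {
    size_t   at;        /* byte offset of the opcode in the scanned buffer */
    uint8_t  opcode;    /* 0x9A = CALL ptr16:16, 0xEA = JMP ptr16:16 */
    uint16_t seg, off;  /* immediate segment:offset operand */
    uint32_t phys;      /* real-mode physical target: seg*16 + off */
    int      in_smram;  /* 1 if phys lies inside one of the SMRAM ranges */
} far_xfer;

/* Real-mode segment:offset to physical address, e.g. 0F000:08070 -> F8070h. */
uint32_t phys_addr(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

static int in_ranges(uint32_t phys, const phys_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (phys >= r[i].lo && phys <= r[i].hi)
            return 1;
    return 0;
}

/* Scan `code` for far CALL/JMP immediates and classify their targets.
 * Byte-pattern heuristic, not a disassembler: a 0x9A/0xEA byte that is
 * really part of an immediate or of data also matches. Returns the number
 * of hits, stores up to `max` of them in `out`, and reports in *outside
 * how many target memory outside the SMRAM ranges. */
size_t scan_far_xfers(const uint8_t *code, size_t len,
                      const phys_range *smram, size_t nsmram,
                      far_xfer *out, size_t max, size_t *outside)
{
    size_t found = 0, bad = 0;

    for (size_t i = 0; i + 5 <= len; i++) {
        uint8_t op = code[i];
        if (op != 0x9A && op != 0xEA)
            continue;
        uint16_t off = (uint16_t)(code[i + 1] | (code[i + 2] << 8));
        uint16_t seg = (uint16_t)(code[i + 3] | (code[i + 4] << 8));
        uint32_t phys = phys_addr(seg, off);
        int ok = in_ranges(phys, smram, nsmram);

        if (!ok)
            bad++;
        if (found < max) {
            out[found].at = i;        out[found].opcode = op;
            out[found].seg = seg;     out[found].off = off;
            out[found].phys = phys;   out[found].in_smram = ok;
        }
        found++;
        i += 4;  /* step over the ptr16:16 operand */
    }
    if (outside)
        *outside = bad;
    return found;
}

/* ASSUMPTION: legacy "compatible" SMRAM at A0000h-BFFFFh. The advisory does
 * not say where this BIOS maps SMRAM; use the chipset's SMRAM/TSEG registers
 * on a real system. */
const phys_range legacy_smram[] = { { 0xA0000, 0xBFFFF } };

/* $SMISS handler bytes 0003F073-0003F096 (push ax ... retf), transcribed
 * from the hex column of the advisory's listing. */
const uint8_t smiss_head[] = {
    0x50, 0xB4, 0xA1, 0x9A, 0x19, 0x7D, 0x00, 0xF0, 0x24, 0x04, 0x74, 0x14,
    0xB4, 0x34, 0x9A, 0x70, 0x80, 0x00, 0xF0, 0x24, 0x10, 0x74, 0x09,
    0xB4, 0x30, 0x9A, 0x70, 0x80, 0x00, 0xF0, 0x24, 0x10, 0x3C, 0x01,
    0x58, 0xCB,
};

/* The two consecutive far calls at 0003F125 (0AA61:0011C, inside the
 * legacy window) and 0003F12A (0F000:006CF, outside it). */
const uint8_t smiss_tail[] = {
    0x9A, 0x1C, 0x01, 0x61, 0xAA, 0x9A, 0xCF, 0x06, 0x00, 0xF0,
};

static void report(const char *name, const uint8_t *code, size_t len)
{
    far_xfer hits[16];
    size_t outside = 0;
    size_t n = scan_far_xfers(code, len, legacy_smram, 1, hits, 16, &outside);

    printf("%s: %zu far transfers, %zu outside SMRAM\n", name, n, outside);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  +%02zx  %s %04X:%04X -> %05Xh  %s\n", hits[i].at,
               hits[i].opcode == 0x9A ? "call" : "jmp ",
               (unsigned)hits[i].seg, (unsigned)hits[i].off,
               (unsigned)hits[i].phys,
               hits[i].in_smram ? "in SMRAM" : "OUTSIDE SMRAM");
}

int main(void)
{
    report("smiss_head", smiss_head, sizeof smiss_head);
    report("smiss_tail", smiss_tail, sizeof smiss_tail);
    return 0;
}
```

Run against a dump of the handler region (SMRAM read at boot before D_OPEN is cleared, or the handler bytes carved from the BIOS image), every "OUTSIDE SMRAM" line is a place where code that is writable from the OS runs with SMM privileges; the fix on the firmware side is to keep such helpers inside SMRAM, not to lock SMRAM harder.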
SEBUG security recommendation:
Vendor patch:

Asus
----
The vendor has not yet released a patch or upgraded firmware. Users of the affected products should watch the vendor's home page for the latest version:

http://www.asus.com.tw
