{"id":131697,"date":"2024-11-30T08:00:45","date_gmt":"2024-11-30T01:00:45","guid":{"rendered":"https:\/\/hotvideos24.online\/?p=131697"},"modified":"2024-11-30T08:00:45","modified_gmt":"2024-11-30T01:00:45","slug":"code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor","status":"publish","type":"post","link":"https:\/\/hotvideos24.online\/?p=131697","title":{"rendered":"Code found online exploits LogoFAIL to install Bootkitty Linux backdoor"},"content":{"rendered":"<div>\n<p>Normally, Secure Boot prevents the <a href=\"https:\/\/en.wikipedia.org\/wiki\/UEFI\">UEFI<\/a> firmware from running any later boot component unless it bears a digital signature certifying that the component is trusted by the device maker (or by the machine owner, through a key they enrolled themselves). The exploit bypasses this protection with shellcode stashed in a malicious bitmap image that the UEFI firmware parses in order to display a logo during boot-up; LogoFAIL is the image-parsing bug that lets the crafted image hijack execution. The injected code enrolls an attacker-controlled signing key into the list of keys the boot chain trusts, and a malicious <a href=\"https:\/\/en.wikipedia.org\/wiki\/GNU_GRUB\">GRUB<\/a> binary and a backdoored image of the Linux kernel, both of which run during later stages of the boot process on Linux machines, are signed with that key.<\/p>\n<p>Because the key is installed silently, the boot chain treats the malicious GRUB and kernel image as trusted components, and Secure Boot is bypassed without any prompt to the machine&#8217;s owner. 
The end result is a backdoor slipped into the Linux kernel before any operating-system security defenses have loaded.<\/p>\n<figure class=\"ars-wp-img-shortcode id-2064098 align-fullwidth\">\n<div>\n<img width=\"1999\" height=\"1400\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution.png\" class=\"fullwidth full\" alt=\"Diagram of the LogoFAIL exploit execution flow\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution.png 1999w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-640x448.png 640w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-1024x717.png 1024w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-768x538.png 768w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-1536x1076.png 1536w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-980x686.png 980w, https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/11\/logofail-exploit-execution-1440x1009.png 1440w\" sizes=\"auto, (max-width: 1999px) 100vw, 1999px\"\/>\n<\/div>\n<figcaption>\n<p>Diagram illustrating the execution flow of the LogoFAIL exploit Binarly found in the wild.<\/p>\n<p>Credit: Binarly<\/p>\n<\/figcaption>\n<\/figure>\n<p>In an online interview, HD Moore, CTO and co-founder at runZero and an expert in firmware-based malware, explained the Binarly report this way:<\/p>\n<blockquote>\n<p>The Binarly paper points to someone using the LogoFAIL bug to configure a UEFI payload that bypasses secure boot 
(firmware) by tricking the firmware into accepting their self-signed key (which is then stored in the firmware as the MOK variable). The evil code is still limited to the user-side of UEFI, but the LogoFAIL exploit does let them add their own signing key to the firmware&#8217;s allow list (but does not infect the firmware in any way otherwise).<\/p>\n<p>It&#8217;s still effectively a GRUB-based kernel backdoor versus a firmware backdoor, but it does abuse a firmware bug (LogoFAIL) to allow installation without user interaction (enrolling, rebooting, then accepting the new MOK signing key).<\/p>\n<p>In a normal secure boot setup, the admin generates a local key, uses this to sign their updated kernel\/GRUB packages, tells the firmware to enroll the key they made, then after reboot, the admin has to accept this new key via the console (or remotely via bmc\/ipmi\/ilo\/drac\/etc bios console).<\/p>\n<p>In this setup, the attacker can replace the known-good GRUB + kernel with a backdoored version by enrolling their own signing key without user interaction via the LogoFAIL exploit, but it&#8217;s still effectively a GRUB-based bootkit, and doesn&#8217;t get hardcoded into the BIOS firmware or anything.<\/p>\n<\/blockquote>\n<p>Machines vulnerable to the exploit include some models sold by Acer, HP, Fujitsu, and Lenovo that ship with UEFI firmware developed by Insyde and run Linux. Evidence in the exploit code indicates it may be tailored to specific hardware configurations of such machines. Insyde issued a patch earlier this year that prevents the exploit from working. Unpatched devices remain vulnerable. 
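<\/p>\n<p>The opening paragraph and Moore&#8217;s description both come down to one artifact on a compromised host: a signing key that sits in the MOK list without the operator ever having enrolled it. The script below is an added example, not code from the article, from Binarly or from the Bootkitty sample, showing the check a defender can run on a suspect Linux machine. It parses the EFI_SIGNATURE_LIST structures that make up the MokListRT variable (which shim publishes through efivarfs with a four-byte attribute prefix) and reports every certificate whose SHA-256 fingerprint is missing from an allow-list of keys the operator recognises, plus any hash entries for manual review. The allow-list, the sample variable, its owner GUID and its certificate bytes are constructed placeholders for the demonstration, not real keys.<\/p>

```python
"""Audit MokListRT for signing keys the operator never enrolled.

Added example, not code from the article, Binarly or the Bootkitty sample.
The MOK list is a run of EFI_SIGNATURE_LIST structures whose entries shim
accepts as signers for GRUB and the kernel; a key enrolled behind the
operator's back is the artifact the exploit described above leaves behind.
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from typing import Iterator

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
EFI_CERT_SHA256_GUID = uuid.UUID('c1c41626-504c-4092-aca9-41f936934328')

# Live location on Linux (read as root); efivarfs prefixes the payload with
# a 4-byte attribute word that must be skipped before parsing.
MOKLIST_RT_PATH = '/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23'
EFIVARFS_ATTR_LEN = 4
SIG_LIST_HDR_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)

def parse_signature_lists(blob: bytes) -> Iterator[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner, data) for each EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LIST structures (efivarfs prefix already removed).
    Malformed sizes raise instead of being skipped: a list that does not parse is
    itself worth a look."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR_LEN:
            raise ValueError('truncated EFI_SIGNATURE_LIST header')
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from('<III', blob, off + 16)
        if list_size < SIG_LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError('SignatureListSize out of range')
        if sig_size <= 16:
            raise ValueError('SignatureSize too small to hold an owner GUID')
        body = blob[off + SIG_LIST_HDR_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError('signature array is not a multiple of SignatureSize')
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def fingerprint(data: bytes) -> str:
    """SHA-256 over the raw entry bytes (for X.509 entries, the DER certificate)."""
    return hashlib.sha256(data).hexdigest()

def audit_moklist(variable: bytes, allowed: set[str]) -> list[dict[str, str]]:
    """Return every entry of an efivarfs MokListRT dump that is not an allow-listed
    certificate. Hash entries are reported for review: mokutil can enroll them, so
    an attacker with the same write access could too."""
    findings = []
    for sig_type, owner, data in parse_signature_lists(variable[EFIVARFS_ATTR_LEN:]):
        fp = fingerprint(data)
        if sig_type != EFI_CERT_X509_GUID:
            findings.append({'owner': str(owner), 'fingerprint': fp,
                             'reason': 'non-certificate entry, review manually'})
        elif fp not in allowed:
            findings.append({'owner': str(owner), 'fingerprint': fp,
                             'reason': 'certificate not in allow-list'})
    return findings

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, data: bytes) -> bytes:
    """Encode a single-entry EFI_SIGNATURE_LIST; used only to construct the sample
    below, since on a real host shim and the firmware produce the variable."""
    sig_size = 16 + len(data)
    header = sig_type.bytes_le + struct.pack('<III', SIG_LIST_HDR_LEN + sig_size, 0, sig_size)
    return header + owner.bytes_le + data

# Constructed sample: one certificate the operator enrolled on purpose, one that
# was enrolled behind their back, and one hash entry. The "DER" bytes are
# placeholders rather than real certificates and the owner GUID is made up.
OPERATOR_OWNER = uuid.UUID('11111111-2222-4333-8444-555555555555')
KNOWN_CERT = b'\x30\x82\x01\x00' + b'distro-signing-cert-placeholder'
ROGUE_CERT = b'\x30\x82\x01\x00' + b'attacker-enrolled-cert-placeholder'
SAMPLE_MOKLIST_RT = (
    b'\x06\x00\x00\x00'  # efivarfs attribute word: BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    + build_signature_list(EFI_CERT_X509_GUID, OPERATOR_OWNER, KNOWN_CERT)
    + build_signature_list(EFI_CERT_X509_GUID, OPERATOR_OWNER, ROGUE_CERT)
    + build_signature_list(EFI_CERT_SHA256_GUID, OPERATOR_OWNER, hashlib.sha256(b'blob').digest())
)
ALLOWED_FINGERPRINTS = {fingerprint(KNOWN_CERT)}

if __name__ == '__main__':
    # On a live system: audit_moklist(open(MOKLIST_RT_PATH, 'rb').read(), ALLOWED_FINGERPRINTS)
    for finding in audit_moklist(SAMPLE_MOKLIST_RT, ALLOWED_FINGERPRINTS):
        print(f"{finding['reason']}: sha256={finding['fingerprint']} owner={finding['owner']}")
```

<p>On a real host, feed the script the contents of MokListRT from efivarfs (root required) and seed the allow-list from the fingerprints that mokutil --list-enrolled reports on a known-good machine of the same build. Any certificate that turns up in the findings is a key the boot chain will accept as a signer for GRUB and the kernel, which is exactly what the exploit adds; fingerprint matching is used here rather than subject-name matching because an attacker chooses the subject freely, while the fingerprint commits to the whole certificate.<\/p>\n<p>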
Devices from these manufacturers that use non-Insyde UEFIs aren&#8217;t affected.<\/p>\n<\/div>\n<p><a href=\"https:\/\/arstechnica.com\/security\/2024\/11\/code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor\/\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Normally, Secure Boot prevents the UEFI from running all subsequent files unless they bear a digital signature certifying those files are trusted by the device maker. 
The exploit bypasses this &hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8630],"tags":[],"class_list":["post-131697","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"_links":{"self":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts\/131697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=131697"}],"version-history":[{"count":0,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts\/131697\/revisions"}],"wp:attachment":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=131697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=131697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=131697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}