News LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove

Page 2 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Status
Not open for further replies.
T

TJ Hooker

Titan
Ambassador
Apr 15, 2014
11,486
1,640
72,390
JamesJones44 said:
Maybe I missed it, but what is the delivery method of this attack? USB drive, JavaScript execution by the browser, download a file, running an untrusted app, random UDP packet, etc?

I get how the exploit works, I'm just not seeing how this attack gets on to a system to begin with. If it's from simply seeing an infected image browsing the web because it gets cached, then this is a very serious exploit. It's is by downloading a file from your favorite pirate site or physically downloading an image, then this is a little be less worrying for those who know what to look for.

The blog post makes it sound more like the latter, but was curious if I missed how they delivered it.
Click to expand...
It requires the attacker to have physical access, or to have already obtained root access via some other exploit.

At which point they can place the malicious image in the EFI system partition, if the UEFI is configured to load custom images from that location. Or attempt to write the image directly to the UEFI flash, if the boot logo location isn't protected by a digital signature (most or all of the UEFI should be digitally signed).
 
Last edited:
  • Like
Reactions: KyaraM, bit_user and JamesJones44
warezme

warezme

Distinguished
Dec 18, 2006
2,450
56
19,890
All these vulnerabilities are always reported in grand style on what they do and how they work but never exactly how they get on your system or how they are mitigated other than contact your vendor. I understand most people don't care nor have the motivation to understand and possibly work to clear these issues but this is a tech site full of people that could collaborate on detection and mitigation process if they understood the mechanism of infection and possible remediation techniques.
 
  • Like
Reactions: KyaraM
G

gman68

Reputable
Oct 2, 2020
18
13
4,515
This isn't a new technique. Overwriting the bios (in various forms) is an exploit that has been used for well over 25 years. The fact that this wasn't already protected against in UEFI is a massive oversight though.
 
  • Like
Reactions: Order 66
bit_user

bit_user

Polypheme
Ambassador
Jan 20, 2010
14,464
6,004
62,040
JamesJones44 said:
Maybe I missed it, but what is the delivery method of this attack? USB drive, JavaScript execution by the browser, download a file, running an untrusted app, random UDP packet, etc?

I get how the exploit works, I'm just not seeing how this attack gets on to a system to begin with.
Click to expand...
As you seem to be appreciating, a remote attacker will need some other way to gain privileges on you system, in order to use this exploit.

That's what hackers do. They use one exploit to access another, until they gain control of your system (or get the data from it they're after).
 
digitalgriffin

digitalgriffin

Splendid
Jan 29, 2008
3,540
1,485
25,390
NinoPino said:
I'm curious to know if this will fix the issue., I'm not sure because with such incompetent programmers may be the image is parsed also when not displayed.
Click to expand...
Every BIOS has a fixed resolution logo stored in it. Asus for example has a utility that allows you to flash your own logo.

This functionality is in there for boutique vendors and system integrators.

This is actually a very simple exploit to execute. But it's also easy to detect. You just install hooks into the UEFI program vector and see if they go after the boot area image.
 
T

TJ Hooker

Titan
Ambassador
Apr 15, 2014
11,486
1,640
72,390
bit_user said:
Perhaps, but it's now a standard feature of UEFI.
Click to expand...
Do you have a source for that? My impression after reading about this vulnerability was that the ability to change the boot logo was a customization that some IBVs offered to some of their OEM customers. But the method of changing the boot logo, or whether it could be changed at all, was by no means universal.
 
FunSurfer

FunSurfer

Distinguished
Oct 26, 2009
963
41
19,240
So if the logo related files in the image-parsing libraries can be changed by a hacker during normal PC use with the OS, then a possible fix will be to save all the original logo files in another location as read only backup files and when the PC Shuts down the last command will be to overwrite the normal logo files with backed up files so the hacker files (if exist) that overwritten the original files will be overwritten again with the original files. This is the Hack-Back solution.
 
adamXpeter

adamXpeter

Prominent
Jun 19, 2022
22
4
515
Let's reverse the alarmist statement to get the truth. You don't have to reinstall your OS, it is enough to reflash with the latest UEFI you have when you see a new logo.
 
adamXpeter

adamXpeter

Prominent
Jun 19, 2022
22
4
515
T

TJ Hooker

Titan
Ambassador
Apr 15, 2014
11,486
1,640
72,390
versed.perception said:
This is simply untrue -"Many OEMs, such as Dell, do not allow their logos to be changed in the UEFI — and their image files are protected by Image Boot Guard; these systems are therefore immune to this exploit."

Click to expand...
This exploit requires being able to select an arbitrary boot logo file. The link you provided only details reverting to a pre-loaded Dell logo. Also, there's nothing to indicate that the boot logo in question isn't protected by Boot Guard, which prevents this exploit.
 
Last edited:
T

TJ Hooker

Titan
Ambassador
Apr 15, 2014
11,486
1,640
72,390
adamXpeter said:
Probably nothing serious like rebooting the system to flash the UEFI. Without that, the OS is untamed. Except if the three letter companies already coerced MS to give up serious signature checking, which they already did[1]. Yay, the joys of fight on terror, drugs and child trafficking!

[1] https://www.csoonline.com/article/5...explained-and-how-to-defend-against-them.html
Click to expand...
I thought Windows only enforced signature verification of drivers, no? I would imagine there would be non-driver malicious apps that could be installed and have potential to wreak havoc (I'm no expert though).
 
  • Like
Reactions: drajitsh
L

LongDono

Distinguished
May 22, 2015
1
1
18,515
adamXpeter said:
You don't have to reinstall your OS, it is enough to reflash with the latest UEFI you have when you see a new logo.
Click to expand...

"By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process" -- Arstechnica
 
  • Like
Reactions: bit_user
D

drajitsh

Distinguished
Sep 3, 2016
131
20
18,695
bit_user said:
If only the logo file is modified, then I'd expect disabling the logo would indeed protect you. What I don't know is whether it's any easier to modify the logo than any other aspect of UEFI.

Upgrading your motherboard "BIOS"/UEFI firmware should also help, once your motherboard vendor has released a version with the patched image libraries.


A really good exploit will cover its tracks, meaning it'll have reverted the logo file, once your machine is infected. If it's that good, then you could be infected by a root kit, which can be incredibly difficult to detect.


Good question. I'm not sure if there are any visible signs your UEFI firmware is being tampered with. One thing that could be a giveaway is some minor image corruption of the logo. I'm not sure if there's an image-based exploit that wouldn't visibly affect the image in some way, but it's plausible.


Probably requires admin privileges. For remote exploits which can achieve that, you have probably a lot more to worry about than this esoteric logo-based attack. It's not common to see vulnerabilities that give a remote actor admin privileges on your machine, but they sometimes do come up.
Click to expand...
Useful information. I actually like the post screen so I have the boot logo disabled.
 
  • Like
Reactions: bit_user
InvalidError

InvalidError

Titan
Moderator
May 18, 2007
23,817
5,267
108,890
Got to love vulnerability through unnecessary complexity. I'd gladly forfeit lots of cosmetic code for the sake of enhanced reliability, stability and security.
USAFRet said:
Actually, things like that are used to give the user some indication that the system is actually working. Rather than just a blank screen.
Click to expand...
Before boot logos, PCs used to display BOOT progress messages. You can still see the messages by disabling logos or pressing whatever key your BIOS uses to remove it while it is still in control. That is far more useful than a boot image.
 
  • Like
Reactions: bit_user
bit_user

bit_user

Polypheme
Ambassador
Jan 20, 2010
14,464
6,004
62,040
drajitsh said:
I actually like the post screen so I have the boot logo disabled.
Click to expand...
I was going to say this, too.

Whenever I get a new machine (either at home or at work), I take the time to review all of the BIOS settings. One thing I always do is disable the boot logo (if possible), since more more diagnostic information is usually shown instead. Another thing I do is to disable fast boot. This allows more self-tests to run at boot-time. If you happen to be waiting for the machine to boot up, you can usually bypass the extended self-test by hitting a key like escape, enter, etc.
 
Last edited:
  • Like
Reactions: drajitsh
Status
Not open for further replies.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom