
LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove

Maybe I missed it, but what is the delivery method of this attack? USB drive, JavaScript execution by the browser, download a file, running an untrusted app, random UDP packet, etc?

I get how the exploit works, I'm just not seeing how this attack gets onto a system to begin with. If it's from simply seeing an infected image while browsing the web because it gets cached, then this is a very serious exploit. If it's by downloading a file from your favorite pirate site or physically downloading an image, then this is a little bit less worrying for those who know what to look for.

The blog post makes it sound more like the latter, but was curious if I missed how they delivered it.
It requires the attacker to have physical access, or to have already obtained root access via some other exploit.

At which point they can place the malicious image in the EFI system partition, if the UEFI is configured to load custom images from that location. Or attempt to write the image directly to the UEFI flash, if the boot logo location isn't protected by a digital signature (most or all of the UEFI should be digitally signed).
 
All these vulnerabilities are always reported in grand style on what they do and how they work, but never exactly how they get onto your system or how they are mitigated, other than "contact your vendor". I understand most people don't care nor have the motivation to understand and possibly work to clear these issues, but this is a tech site full of people that could collaborate on a detection and mitigation process if they understood the mechanism of infection and possible remediation techniques.
 
This isn't a new technique. Overwriting the BIOS (in various forms) is an exploit that has been used for well over 25 years. The fact that this wasn't already protected against in UEFI is a massive oversight, though.
 
Maybe I missed it, but what is the delivery method of this attack? USB drive, JavaScript execution by the browser, download a file, running an untrusted app, random UDP packet, etc?

I get how the exploit works, I'm just not seeing how this attack gets onto a system to begin with.
As you seem to be appreciating, a remote attacker will need some other way to gain privileges on your system in order to use this exploit.

That's what hackers do. They use one exploit to access another, until they gain control of your system (or get the data from it they're after).
 
I'm curious to know if this will fix the issue. I'm not sure, because with such incompetent programmers maybe the image is also parsed when it is not displayed.
Every BIOS has a fixed resolution logo stored in it. Asus for example has a utility that allows you to flash your own logo.

This functionality is in there for boutique vendors and system integrators.

This is actually a very simple exploit to execute. But it's also easy to detect. You just install hooks into the UEFI program vector and see if they go after the boot area image.
 
Perhaps, but it's now a standard feature of UEFI.
Do you have a source for that? My impression after reading about this vulnerability was that the ability to change the boot logo was a customization that some IBVs offered to some of their OEM customers. But the method of changing the boot logo, or whether it could be changed at all, was by no means universal.
 
So if the logo-related files in the image-parsing libraries can be changed by a hacker during normal PC use with the OS, then a possible fix will be to save all the original logo files in another location as read-only backup files, and when the PC shuts down the last command will be to overwrite the normal logo files with the backed-up files, so the hacker's files (if they exist) that overwrote the original files will be overwritten again with the original files. This is the Hack-Back solution.
 
Let's reverse the alarmist statement to get the truth. You don't have to reinstall your OS, it is enough to reflash with the latest UEFI you have when you see a new logo.
 
This is simply untrue -"Many OEMs, such as Dell, do not allow their logos to be changed in the UEFI — and their image files are protected by Image Boot Guard; these systems are therefore immune to this exploit."

This exploit requires being able to select an arbitrary boot logo file. The link you provided only details reverting to a pre-loaded Dell logo. Also, there's nothing to indicate that the boot logo in question isn't protected by Boot Guard, which prevents this exploit.
 
Probably nothing serious, like rebooting the system to flash the UEFI. Without that, the OS is untamed. Except if the three-letter companies already coerced MS to give up serious signature checking, which they already did[1]. Yay, the joys of the fight on terror, drugs and child trafficking!

[1] https://www.csoonline.com/article/5...explained-and-how-to-defend-against-them.html
I thought Windows only enforced signature verification of drivers, no? I would imagine there would be non-driver malicious apps that could be installed and have potential to wreak havoc (I'm no expert though).
 
You don't have to reinstall your OS, it is enough to reflash with the latest UEFI you have when you see a new logo.

"By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process" -- Arstechnica
 
If only the logo file is modified, then I'd expect disabling the logo would indeed protect you. What I don't know is whether it's any easier to modify the logo than any other aspect of UEFI.

Upgrading your motherboard "BIOS"/UEFI firmware should also help, once your motherboard vendor has released a version with the patched image libraries.


A really good exploit will cover its tracks, meaning it'll have reverted the logo file, once your machine is infected. If it's that good, then you could be infected by a root kit, which can be incredibly difficult to detect.


Good question. I'm not sure if there are any visible signs your UEFI firmware is being tampered with. One thing that could be a giveaway is some minor image corruption of the logo. I'm not sure if there's an image-based exploit that wouldn't visibly affect the image in some way, but it's plausible.


Probably requires admin privileges. For remote exploits which can achieve that, you have probably a lot more to worry about than this esoteric logo-based attack. It's not common to see vulnerabilities that give a remote actor admin privileges on your machine, but they sometimes do come up.
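As an added illustration of the points raised above about the image-parsing libraries and about what a corrupted-looking logo might indicate: the snippet below is example code written for this thread, not code from any post here, from any UEFI vendor, or from the LogoFAIL researchers. It shows the class of header-consistency checks a firmware BMP parser needs before it allocates or decodes anything, next to the naive 32-bit size arithmetic that a crafted header can wrap. The 16384-pixel dimension cap, the BITMAPINFOHEADER-only/24-or-32-bpp/uncompressed assumptions, and the three constructed sample headers are all assumptions made for the example; it does not reproduce any specific LogoFAIL bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HDR   14u
#define BMP_INFO_HDR   40u
#define MAX_LOGO_DIM   16384u   /* assumed sanity cap for a boot logo; not a spec value */

enum logo_verdict {
    LOGO_OK = 0, LOGO_TOO_SHORT, LOGO_BAD_MAGIC, LOGO_BAD_HEADER,
    LOGO_BAD_OFFSET, LOGO_BAD_DIMENSIONS, LOGO_UNSUPPORTED, LOGO_TRUNCATED
};

/* Little-endian field accessors; the header is attacker-controlled bytes. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The unsafe pattern: a 32-bit product of attacker-controlled fields silently wraps,
 * so a "does it fit?" comparison built on it passes for absurd dimensions. */
uint32_t naive_pixel_bytes(uint32_t w, uint32_t h, uint32_t bpp) { return w * h * (bpp / 8); }

/* Validate an uncompressed 24/32-bpp BMP (BITMAPINFOHEADER) before any decode. */
enum logo_verdict check_bmp_logo(const uint8_t *buf, size_t len)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return LOGO_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return LOGO_BAD_MAGIC;
    uint32_t off      = rd32(buf + 10);           /* bfOffBits: start of pixel array */
    uint32_t hdr_size = rd32(buf + 14);           /* biSize */
    if (hdr_size < BMP_INFO_HDR) return LOGO_BAD_HEADER;
    int32_t  w    = (int32_t)rd32(buf + 18);
    int32_t  h    = (int32_t)rd32(buf + 22);      /* negative height = top-down image */
    uint16_t bpp  = rd16(buf + 28);
    uint32_t comp = rd32(buf + 30);
    /* Pixel data must start after both headers and inside the buffer. */
    if ((uint64_t)off < (uint64_t)BMP_FILE_HDR + hdr_size || off > len) return LOGO_BAD_OFFSET;
    /* INT32_MIN has no positive counterpart, so reject it before negating. */
    if (w <= 0 || h == 0 || h == INT32_MIN) return LOGO_BAD_DIMENSIONS;
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);
    if ((uint32_t)w > MAX_LOGO_DIM || rows > MAX_LOGO_DIM) return LOGO_BAD_DIMENSIONS;
    if (comp != 0 || (bpp != 24 && bpp != 32)) return LOGO_UNSUPPORTED;
    /* Row stride is padded to 4 bytes; do the arithmetic in 64 bits so it cannot wrap. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t need   = stride * rows;
    if (need > (uint64_t)len - off) return LOGO_TRUNCATED;
    return LOGO_OK;
}

/* Constructed test input: a 54-byte header followed by pixel_len zero bytes. */
static size_t build_bmp(uint8_t *out, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t pixel_len)
{
    size_t total = BMP_FILE_HDR + BMP_INFO_HDR + pixel_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);
    wr32(out + 10, BMP_FILE_HDR + BMP_INFO_HDR);
    wr32(out + 14, BMP_INFO_HDR);
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1);
    wr16(out + 28, bpp);
    return total;
}

/* 2x2 24-bpp: stride 8, 16 pixel bytes supplied -> accepted. */
int demo_benign(void)    { uint8_t b[128]; size_t n = build_bmp(b, sizeof b, 2, 2, 24, 16); return check_bmp_logo(b, n); }
/* 4x4 24-bpp needs 48 pixel bytes, only 20 supplied -> a decoder would read past the file. */
int demo_truncated(void) { uint8_t b[128]; size_t n = build_bmp(b, sizeof b, 4, 4, 24, 20); return check_bmp_logo(b, n); }
/* 65536x65536x32-bpp: naive 32-bit size wraps to 0 and "fits"; the checked parser rejects it. */
int demo_overflow(void)  { uint8_t b[128]; size_t n = build_bmp(b, sizeof b, 65536, 65536, 32, 16); return check_bmp_logo(b, n); }

int main(void)
{
    printf("benign=%d truncated=%d overflow=%d naive_bytes_for_overflow_case=%u\n",
           demo_benign(), demo_truncated(), demo_overflow(), naive_pixel_bytes(65536, 65536, 32));
    return 0;
}
```

The point of the third case is the one that matters for firmware: a parser that trusts the header's width and height, multiplies them in 32 bits and then allocates or copies based on that result has no bounds left to check against, and nothing about the rendered image has to look wrong for that header to be hostile.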
Useful information. I actually like the POST screen, so I have the boot logo disabled.
 
Got to love vulnerability through unnecessary complexity. I'd gladly forfeit lots of cosmetic code for the sake of enhanced reliability, stability and security.
Actually, things like that are used to give the user some indication that the system is actually working. Rather than just a blank screen.
Before boot logos, PCs used to display boot progress messages. You can still see the messages by disabling logos or pressing whatever key your BIOS uses to remove it while it is still in control. That is far more useful than a boot image.
 
I actually like the POST screen, so I have the boot logo disabled.
I was going to say this, too.

Whenever I get a new machine (either at home or at work), I take the time to review all of the BIOS settings. One thing I always do is disable the boot logo (if possible), since more diagnostic information is usually shown instead. Another thing I do is to disable fast boot. This allows more self-tests to run at boot time. If you happen to be waiting for the machine to boot up, you can usually bypass the extended self-test by hitting a key like Escape, Enter, etc.
 