Hi Dimitri,

The specification says it is supported (and slightly expanded) in Windows 10, and I can confirm through testing the method still works on Windows 10 - I was successfully able to extract files from a Windows BitLockered drive.
On 13 August 2015 at 14:33, Limanovski, Dimitri <dimitri.limanov...@blackrock.com> wrote:
> Hi Kevin,
> I too was looking at this, and it does look absolutely horrendous. More so,
> that Microsoft does not provide a good measure to control WPBT: in the
> official doc there's some watered-down paragraph about "good security
> measures", but there's no way to enforce binary signing, or CA-like
> validation of the signature. One thing that is not clear is whether Windows 10 is
> vulnerable to the same functionality, and whether the malicious actors can
> write to WPBT directly, or, like the case with Lenovo, have to hijack
> "trusted" OEM apps that are allowed to do so.
>
> Dimitri
>
> -----Original Message-----
> From: Kevin Beaumont [mailto:kevin.beaum...@gmail.com]
> Sent: Wednesday, August 12, 2015 7:45 AM
> To: bugtraq@securityfocus.com
> Subject: Windows Platform Binary Table (WPBT) - BIOS PE backdoor
>
> PRECURSOR
>
> There will be debate about whether this is a vulnerability. It affects a majority
> of user PCs -- including all Enterprise editions of Windows, there is no way
> to disable it, and it allows direct code execution into secure boot sequences.
> I believe it is worth discussing.
>
> SCOPE
>
> Microsoft documented a feature in Windows 8 and above called Windows Platform
> Binary Table. Up until two days ago, this was a single Word document not
> referenced elsewhere on Google:
>
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable, which is
> run in memory, silently, each time a system is booted. The executable code
> is run under Session Manager context (i.e. SYSTEM).
>
> This technique is being used by Lenovo and HP to silently deliver software,
> even after systems are completely wiped. This issue came to light in this
> forum thread:
> http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819
>
> Additionally, the code is injected and executed in Windows after the Windows
> kernel has booted - meaning hard drives are accessible. In an HP document -
> http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page 18 - they reference
> that they use Windows Platform Binary Table to inject their code into
> encrypted systems (e.g. BitLocker) (!!!!).
>
> MITIGATIONS
>
> It is not possible to disable this functionality. If you can gain access to
> the BIOS, you can inject code into the Windows boot sequence using the
> documentation linked above. The BIOS-delivered PE code is not countersigned
> by Microsoft.
>
> Microsoft say: "If partners intentionally or unintentionally introduce
> malware or unwanted software through the WPBT, Microsoft may remove such
> software through the use of antimalware software. Software that is
> determined to be malicious may be subject to immediate removal without
> notice."
>
> However, you are relying on Microsoft being aware of attacks. Since the code
> is executed in memory and not written to disk prior to activation, Windows
> Defender does not even scan the executed code.
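As an added illustration of the table the thread is about (example code, not from the original post, from Microsoft, or from any OEM): a Python parser for the WPBT ACPI table, plus a helper that pulls the real table off a Windows machine. The field layout follows the Microsoft WPBT specification linked above (36-byte ACPI header, then the PE image size and physical address, a layout byte, a type byte, and a UTF-16LE command line). The sample table is constructed inline so the script runs offline; its OEM IDs, image address and command line are made up. On Windows, read_live_wpbt asks the firmware for the table through kernel32's GetSystemFirmwareTable; on any other platform it returns None and the constructed sample is parsed instead.

```python
"""Parse a Windows Platform Binary Table (WPBT).

Added example, not code from the bugtraq post. Layout per the Microsoft
WPBT specification referenced in the thread:
  ACPI header (36 bytes)  Signature "WPBT", Length, Revision, Checksum,
                          OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Rev
  HandoffMemorySize       uint32  size in bytes of the flat PE image in memory
  HandoffMemoryLocation   uint64  physical address of that image
  Layout                  uint8   1 = single flat PE image
  Type                    uint8   1 = native user-mode application (run by smss)
  CmdLineLength           uint16  byte length of the UTF-16LE command line
  CmdLine                         UTF-16LE, NUL terminated when non-empty
Note that nothing in the table names a signer or carries a hash of the
image; the only integrity field is the ACPI byte checksum.
"""
import ctypes
import struct
import sys

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # 36 bytes
WPBT_FIELDS = struct.Struct("<IQBBH")           # 16 bytes
HEADER_LEN = ACPI_HEADER.size + WPBT_FIELDS.size  # 52 bytes


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is valid when all of its bytes sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT buffer; raises ValueError on a malformed table."""
    if len(table) < HEADER_LEN:
        raise ValueError("table shorter than the 52-byte WPBT header")
    sig, length, _rev, _cs, oem_id, oem_tid, _oem_rev, _creator, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("bad signature %r" % sig)
    if length != len(table):
        raise ValueError("header length %d != buffer length %d" % (length, len(table)))
    size, paddr, layout, ptype, cmdlen = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    cmd = table[HEADER_LEN:HEADER_LEN + cmdlen]
    if len(cmd) != cmdlen:
        raise ValueError("command line runs past the end of the table")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\0 ").decode("ascii", "replace"),
        "checksum_ok": acpi_checksum_ok(table),
        "image_size": size,
        "image_paddr": paddr,
        "layout": layout,
        "type": ptype,
        "cmdline": cmd.decode("utf-16-le", "replace").rstrip("\0"),
    }


def build_wpbt(image_size: int, image_paddr: int, cmdline: str = "",
               oem_id: bytes = b"TEST  ", oem_table_id: bytes = b"WPBTDEMO") -> bytes:
    """Constructed sample table (hypothetical values) for offline testing."""
    cmd = cmdline.encode("utf-16-le") + (b"\0\0" if cmdline else b"")
    body = WPBT_FIELDS.pack(image_size, image_paddr, 1, 1, len(cmd)) + cmd
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           oem_id, oem_table_id, 1, b"DEMO", 1)
    table = hdr + body
    checksum = (-sum(table)) % 256            # byte 9 of the ACPI header
    return table[:9] + bytes([checksum]) + table[10:]


def read_live_wpbt():
    """On Windows, return the firmware's WPBT (or None if absent); None elsewhere."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' == 0x41435049 per the API docs
    table_id = int.from_bytes(b"WPBT", "little")   # table IDs are passed in memory byte order
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got] if got else None


if __name__ == "__main__":
    live = read_live_wpbt()
    blob = live or build_wpbt(0x1000, 0x7FF00000, "-silent")   # constructed fallback
    print("source:", "firmware" if live else "constructed sample")
    for key, value in parse_wpbt(blob).items():
        print("  %-13s %s" % (key, hex(value) if key == "image_paddr" else value))
```

Run on a Windows host this reports whether the firmware is handing Session Manager a binary at all, and where in physical memory it lives; an inventory job can flag any machine where read_live_wpbt returns a table, which is the detection angle that file-based scanning misses for an image that is only ever staged in memory.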