There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one.
In short, the adversary requires elevated access to replace a file on the EFI partition. In this case, you should consider the machine compromised with or without this flaw.
You weren’t hoping that Secure Boot saves your ass, were you?
Yeah, if someone has write access to your boot partition then you’re kind of already screwed.
The worst part it persists through reinstalls (if i understood correctly)
The idea is also that a compromised system will remains compromised after all storage drives are removed.
So if I have my computer set that it needs a sudo password for most changes am I good?
Yes, that’s my understanding. A normal user cannot do this. (And of course, an attacker shouldn’t not control a local user in the first place.)
Physical access is also a risk, but physical access trumps everything.
I’ve never been a fan of the UEFI logo inserting itself into the boot screen. It’s basically just an advertisement for the hardware vendor because they’re jealous of the OS having the spotlight. And it’s an ad that, like so many other ads before it, screws over the security and privacy of the advertisee because fuck you that’s why.
Did anyone really think that making UEFI systems the equivalent of a mini OS was a good idea? Or having them be accessible to the proper OS? Was there really no pushback, when UEFI was being standardized, to say “images that an OS can write to are not critical to initializing hardware functionality, don’t include that”? Was that question not asked for every single piece of functionality in the standard?
Did anyone really think that making UEFI systems the equivalent of a mini OS was a good idea
UEFI and Secure Boot were pushed forcibly by MS. That’s why FAT32 is the ESP filesystem.
If I had to guess, a brief was drafted at MS to improve on BIOS, which is pretty shit, it has to be said. It was probably engineering led and not an embrace, extinguish thing. A budget and dev team and a crack team of lawyers would have been whistled up and given a couple of years to deliver. The other usual suspects (Intel and co) would be strong armed in to take whatever was produced and off we trot. No doubt the best and brightest would have been employed but they only had a couple of years and they were only a few people.
UEFI and its flaws are testament to the sheer arrogance of a huge company that thinks it can put a man on the moon with a Clapham omnibus style budget and approach. Management identify a snag and say “fiat” (let it be). Well it was and is and it has a few problems.
The fundamental problem with UEFI is it was largely designed by one team. The wikipedia page: https://en.wikipedia.org/wiki/UEFI is hilarious in describing it as open. Yes it is open … per se … provided you decide that FAT32 (patent encumbered) is a suitable file system for the foundations of an open standard.
I love open, me.
UEFI is flawed for sure, but there’s no way that any remaining patents on FAT32 haven’t expired by now.
As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.
So, does disabling the boot logo prevent the attack, or would it only make the attack obvious?
deleted by creator
