The 2015 Pwnie Winner For Best Privilege Escalation Bug

UEFI SMM Privilege Escalation

Credit: Corey Kallenberg

Firmware update code in the open source UEFI reference implementation was identified as containing several vulnerabilities last year. Successful exploitation resulted in the ability for a privileged ring 3 process to stage a payload in the context of the firmware and then invoke and exploit the vulnerable UEFI firmware update code. This userland (ring 3) to firmware/SMM (“ring -2”) privilege escalation vulnerability is present on the majority of PC OEMs, affecting over 500+ models from HP alone. Other vendors have also issued patches for dozens of their models, and because the UEFI reference implementation is used as the starting point by many OEMs, many other vendors are known to be vulnerable that will probably never acknowledge it, or release patches. Work by Corey Kallenberg, Xeno Kovah, John Butterworth and Sam Cornwell.