
AMI firmware source code and private signing key leaked

360Tencent
Posted on 2013-4-6 00:07:15
This post was last edited by 360Tencent on 2013-4-6 21:22

http://adamcaudill.com/2013/04/0 ... g-leaky-ftp-server/


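Any xx who downloaded the 018s.zip archive from the Ivy Bridge folder on ftp.jetway.com.tw (until N hours ago this FTP could be entered without authentication; for an xx engaged in industrial espionage or intelligence collection, an idiot-level blunder like this is a rare stroke of luck, a once-in-a-thousand-years chance) can use the firmware source code (latest version) and the private signing key for the Ivy Bridge architecture contained in it to forge UEFI/BIOS updates with ease (for professionals, that is). If the vendor's other products also use the leaked private key, so much the better. Even if the vendor responds promptly, the impact of this leak will probably last for some time, because ordinary users who have not run into problems will not go out of their way to upgrade their firmware. Actually, the most striking thing is not the security of the vendor's FTP, but that this guy called Adam Caudill could not wait for the vendor to lock the FTP before eagerly publishing his discovery (the gap between the two was about 2 hours).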

By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor’s products that use this ‘Ivy Bridge’ firmware. If the vendor used this same key for other products - the impact could be even worse. Even with a quick reaction, odds are users will be unprotected for some time. As users often don’t install firmware updates unless they are having issues - I expect this one to be around for a while.

This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.


http://blog.virustracker.info/?p=163

Thanks to the Taiwanese FTP, and thanks to Adam Caudill who could not wait for publishing his blog post, we have now the key. And if we have it, others might too.


http://www.mmnt.net/db/0/0/ftp.jetway.com.tw/CODE/ :)

骄傲的苹果
Posted on 2013-4-6 08:36:01, from mobile
No idea what this is used for!
xing2005206
Posted on 2013-4-6 08:54:01
So what if there is source code? Who keeps updating their BIOS for no reason?
jason_jiang
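Posted on 2013-4-6 08:57:03
Jetway is really in the spotlight this time.
But would I tell you that a whole pile of Compal's production-process documents used to sit on an unencrypted FTP?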
虚云大师
Posted on 2013-4-6 09:27:08
Really well written, I like it a lot.
22667999
Posted on 2013-4-6 10:16:10
Microsoft got to the truth of it.
expensive6688
Posted on 2013-4-6 14:51:03
Microsoft's "Secure Boot" is done for this time.
360Tencent
Original poster | Posted on 2013-4-11 14:33:54

http://adamcaudill.com/2013/04/0 ... g-leaky-ftp-server/

Update: I’ve just spoken to AMI, and received some very important information; so here are the key points and clarifications:

To clarify, the ‘vendor’ I refer to is a customer of AMI; it is this customer’s public FTP server that exposed this information.
Per AMI, the signing key included in the ‘Ivy Bridge’ archive is a default test key; AMI instructs customers to change the key before building for a production environment. It’s not currently known if the customer was following recommended practices.
The ‘Ivy Bridge’ code was unmodified, meaning that the customer had not made any alterations to this specific copy.