smm_ptr module

A tool to test SMI handlers for pointer validation vulnerabilities

Reference:

• Presented in CanSecWest 2015:

  • c7zero.info: A New Class of Vulnerability in SMI Handlers of BIOS/UEFI Firmware

Usage: chipsec_main -m tools.smm.smm_ptr -l log.txt \ [-a <mode>,<config_file>|<smic_start:smic_end>,<size>,<address>]

• mode: SMI fuzzing mode

  • config = use SMI configuration file <config_file>

  • fuzz = fuzz all SMI handlers with code in the range <smic_start:smic_end>

  • fuzzmore = fuzz mode + pass 2nd-order pointers within buffer to SMI handlers

• size: size of the memory buffer (in Hex)

• address: physical address of memory buffer to pass in GP regs to SMI handlers (in Hex)

  • smram = option passes address of SMRAM base (system may hang in this mode!)

In config mode, SMI configuration file should have the following format

SMI_code=<SMI code> or *
SMI_data=<SMI data> or *
RAX=<value of RAX> or * or PTR or VAL
RBX=<value of RBX> or * or PTR or VAL
RCX=<value of RCX> or * or PTR or VAL
RDX=<value of RDX> or * or PTR or VAL
RSI=<value of RSI> or * or PTR or VAL
RDI=<value of RDI> or * or PTR or VAL
[PTR_OFFSET=<offset to pointer in the buffer>]
[SIG=<signature>]
[SIG_OFFSET=<offset to signature in the buffer>]
[Name=<SMI name>]
[Desc=<SMI description>]

Where:

• []: optional line

• *: Don’t Care (the module will replace * with 0x0)

• PTR: Physical address SMI handler will write to (the module will replace PTR with physical address provided as a command-line argument)

• VAL: Value SMI handler will write to PTR address (the module will replace VAL with hardcoded _FILL_VALUE_xx)

Examples:

>>> chipsec_main.py -m tools.smm.smm_ptr
>>> chipsec_main.py -m tools.smm.smm_ptr -a fuzzmore,0x0:0xFF -l smm.log

Warning

• This is a potentially destructive test