Privilege Escalation on Windows 8/UEFI Systems - chopin
https://www.mitre.org/publications/technical-papers/presentation-extreme-privilege-escalation-on-windows-8uefi-systems

======
Someone1234
"privileged userland process" is a circular way of saying administrator. They
claim administrator is "ring 3" or "admin ring 3" which is super-confusing...

Essentially what this is is a way of installing malware into the kernel
bypassing the driver signing requirements. You need admin access already.

It might be useful, but they're clearly trying to make it appear more
significant than it is by their technically inaccurate word choices.

~~~
userbinator
I think if you are the admin/root you own the machine anyway, so there's
really no vulnerability here.

 _Essentially what this is is a way of installing malware into the kernel
bypassing the driver signing requirements._

It's funny that being able to load unsigned drivers and/or access hardware
directly from userspace in Linux when you are root is not considered a
vulnerability, whereas on Windows it is... and it agrees with my hypothesis
that proprietary operating systems are moving towards a model of "execution of
any code that isn't approved by Microsoft/Apple/Google/$some_corporate_entity
is a vulnerability."

~~~
cesarb
Loading unsigned drivers and/or accessing hardware directly from userspace in
Linux when you are root and have booted with UEFI "Secure Boot" enabled is
considered a vulnerability. If it weren't, Microsoft would not sign the shim
Linux distributions use.

------
al2o3cr
"Vulnerabilities in this interface can potentially allow a privileged userland
process to escalate its privileges from ring 3 all the way up to that of the
platform firmware, which attains permanent control of the very-powerful System
Management Mode."

That's the part to get worried about right there - fiddling with SMM is
Serious Business. For instance, it's the sort of place NSA hides rootkits:

[http://en.wikipedia.org/wiki/System_Management_Mode#Problems](http://en.wikipedia.org/wiki/System_Management_Mode#Problems)