A new 0day vulnerability in Lenovo firmware that allows arbitrary SMM code execution on a wide range of Lenovo models


A really interesting paper by Dmytro Oleksiuk about his research on Lenovo ThinkPad firmware:

In this article I will continue to publish my research on Lenovo ThinkPad firmware.
Previously I showed how to discover and exploit SMM callout vulnerabilities using the example of the SystemSmmAhciAspiLegacyRt UEFI driver 1day vulnerability.

Also, I introduced a small toolkit called fwexpl that provides an API for comfortable development of firmware exploits for the Windows platform.

My previous Lenovo exploit was able to execute custom code in SMM; such conditions allow a relatively easy bypass of the BIOS_CNTL security mechanism, which protects firmware code stored inside the SPI flash chip on the motherboard from unauthorized modifications by the operating system (the BIOS_CNTL bypass was also discussed in my other article “Breaking UEFI security with software DMA attacks”).
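As an added example, not code from Oleksiuk's article or from the ThinkPwn repository, here is a small Python decoder for the BIOS_CNTL register that the quoted passage names as the protection for firmware code in the SPI flash. It takes the register value as an integer (the register's PCI location varies by platform, so nothing is read from hardware here) and reports whether the configuration blocks flash writes from non-SMM code and, if not, why. Bit positions (BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5) are those documented for BIOS_CNTL in Intel PCH datasheets; the sample values are constructed.

```python
# Added example: decode the Intel PCH BIOS_CNTL register that the quoted text
# names as the protection for firmware code in the SPI flash chip.
# Not part of Oleksiuk's article or the ThinkPwn repository.
# Bit positions follow the BIOS_CNTL description in Intel PCH datasheets;
# the register's PCI location is platform-dependent, so the value is passed
# in as an integer rather than read from hardware.

BIOSWE = 1 << 0    # BIOS Write Enable: flash is writable by software when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes accepted only while the CPU is in SMM


def decode_bios_cntl(value):
    """Return the protection-relevant BIOS_CNTL bits as a dict of booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def assess_bios_cntl(value):
    """Evaluate whether BIOS_CNTL blocks flash writes from non-SMM code.

    Returns (protected, findings); findings lists what a check would flag.
    The register only constrains code outside SMM: code already running in
    SMM is not subject to it, which is why the quoted text describes an SMM
    exploit as an easy BIOS_CNTL bypass.
    """
    bits = decode_bios_cntl(value)
    findings = []
    if bits["BIOSWE"]:
        findings.append("BIOSWE set: SPI flash is writable by software right now")
    if not bits["BLE"]:
        findings.append("BLE clear: setting BIOSWE does not raise an SMI, so firmware cannot veto it")
    if not bits["SMM_BWP"]:
        findings.append("SMM_BWP clear: a write is accepted even if it does not originate from SMM")
    return (not findings, findings)


# Constructed sample values (not measurements from any real machine).
SAMPLE_VALUES = {
    "locked": 0x2A,     # BLE and SMM_BWP set, BIOSWE clear
    "ble_only": 0x02,   # BLE set, SMM_BWP clear
    "unlocked": 0x01,   # BIOSWE set, no lock bits
}

if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        protected, findings = assess_bios_cntl(value)
        print(f"{name}: BIOS_CNTL=0x{value:02X} protected={protected}")
        for finding in findings:
            print("   -", finding)
```

On a real system the value would come from the chipset's PCI configuration space (tools such as chipsec read it for you); the point of the decoder is that all three conditions must hold together, and that even a fully locked register does nothing against code that already runs inside SMM.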

In this article, Dmytro presents a new 0day vulnerability in Lenovo firmware that allows arbitrary SMM code execution on a wide range of Lenovo models.

On his GitHub profile, Oleksiuk has also published a proof-of-concept called ThinkPwn:

https://github.com/Cr4sh/ThinkPwn

Ultimately, a long and complex article, but of a very high level.
I recommend a careful reading.