Code found on the Internet uses LogoFAIL to install the Bootkitty Linux backdoor


Typically, Secure Boot prevents this: UEFI refuses to run any subsequent file unless it carries a digital signature confirming that the device manufacturer trusts it. The exploit bypasses this protection by injecting shellcode hidden in a malicious bitmap image that UEFI displays during the boot process. The injected code installs a cryptographic key that was used to sign a malicious GRUB file together with a backdoored Linux kernel image, both of which run in the later stages of the boot process on Linux machines.

Silently installing this key causes UEFI to treat the malicious GRUB and kernel image as trusted components, thus bypassing Secure Boot protections. The end result is a backdoor slipped into the Linux kernel before other security defenses have loaded.


Diagram illustrating the execution flow of the LogoFAIL exploit that Binarly found in the wild.

Source: Binarly

In an online interview, HD Moore, CTO and co-founder of runZero and an expert in firmware-based malware, explained the Binarly report this way:

The Binarly article indicates that somebody used the LogoFAIL bug to configure a UEFI payload that bypasses secure boot (firmware) by tricking the firmware into accepting a self-signed key (which is then stored in the firmware as a MOK variable). The malicious code is still restricted to the UEFI user side, but the LogoFAIL exploit allows them to add their own signing key to the firmware allow list (but does not otherwise infect the firmware).

It is really a GRUB-based kernel backdoor versus a firmware backdoor, but it exploits a firmware bug (LogoFAIL) to allow installation without user interaction (enrollment, reboot, and then accepting the new MOK signing key).

In a typical secure boot setup, the administrator generates a local key, uses it to sign updated kernel/GRUB packages, tells the firmware to enroll the key they created, and then, after a reboot, the administrator must accept this new key via the console (or remotely via the bmc/ipmi bios console /ilo/drac/etc).

In this setup, an attacker can replace the known-good GRUB + kernel with a backdoored version by enrolling their own signing key without user interaction via the LogoFAIL exploit, but it is really a GRUB-based bootkit and not hard-coded into the BIOS firmware or anything else.
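The check a defender wants after the two passages above (the key the exploit plants in the MOK variable, and the enrollment that normally needs a reboot and a console confirmation) is to list what is actually enrolled in the MOK list and compare it against the keys you enrolled yourself. The following is an added example, not code from the article, from Binarly or from HD Moore. It parses a blob in the EFI_SIGNATURE_LIST layout that shim stores in the MokList/MokListRT variables and flags every certificate whose SHA-256 fingerprint is not on an allow list. The sample blob and its placeholder "certificates" are constructed, and the efivars path and the allow list are assumptions a real deployment would replace.

```python
"""Audit a Secure Boot MOK list for keys you did not enroll.

Added example, not code from the article, Binarly or HD Moore. Parses the
EFI_SIGNATURE_LIST chain that shim stores in MokList/MokListRT and flags
every enrolled certificate whose SHA-256 fingerprint is not on an allow
list. The sample blob below is constructed; its "certificates" are
placeholder bytes, not real DER.
"""
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
# Assumed location of the runtime mirror of MokList on a live Linux system.
MOKLIST_RT_PATH = "/sys/firmware/efi/efivars/MokListRT-" + SHIM_LOCK_GUID
SIGLIST_HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Yield (SignatureType GUID, SignatureData) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        first = off + SIGLIST_HEADER_LEN + hdr_size
        end = off + list_size
        if list_size < SIGLIST_HEADER_LEN or end > len(blob) or first > end:
            raise ValueError("bad size fields in EFI_SIGNATURE_LIST at offset %d" % off)
        if sig_size < 16 or (end - first) % sig_size:
            raise ValueError("list at offset %d is not a whole number of entries" % off)
        for entry in range(first, end, sig_size):
            # Each entry is a SignatureOwner GUID (16 bytes) followed by SignatureData.
            yield sig_type, bytes(blob[entry + 16:entry + sig_size])
        off = end


def fingerprint(der_cert):
    """SHA-256 over the DER certificate, the value mokutil --list-enrolled and openssl report."""
    return hashlib.sha256(der_cert).hexdigest()


def enrolled_entries(blob):
    """Return [(kind, hex)] for X.509 certificates and raw SHA-256 hash entries; other types are skipped."""
    out = []
    for sig_type, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            out.append(("x509", fingerprint(data)))
        elif sig_type == EFI_CERT_SHA256_GUID:
            out.append(("sha256", data.hex()))
    return out


def audit_moklist(blob, expected):
    """Return the enrolled fingerprints/hashes that are not in the expected set."""
    return [fp for _, fp in enrolled_entries(blob) if fp not in expected]


def load_efivar(path):
    """Read an efivarfs file; the first 4 bytes are the variable attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, data):
    """Build one single-entry EFI_SIGNATURE_LIST (used only to construct the sample blob)."""
    entry = uuid.UUID(int=0).bytes_le + data
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(entry), 0, len(entry)) + entry


# Constructed sample: one cert the admin enrolled, one that appeared without anyone at the console.
ADMIN_CERT = b"constructed-placeholder-DER-for-the-admin-MOK-cert"
ROGUE_CERT = b"constructed-placeholder-DER-enrolled-by-the-bootkit"
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_X509_GUID, ADMIN_CERT)
                  + build_signature_list(EFI_CERT_X509_GUID, ROGUE_CERT))
EXPECTED_MOKS = {fingerprint(ADMIN_CERT)}  # assumption: recorded by the admin at enrollment time

if __name__ == "__main__":
    import os
    blob = load_efivar(MOKLIST_RT_PATH) if os.path.exists(MOKLIST_RT_PATH) else SAMPLE_MOKLIST
    for kind, fp in enrolled_entries(blob):
        print(kind, fp, "" if fp in EXPECTED_MOKS else "<-- NOT EXPECTED")
```

On a live system the blob is the MokListRT variable under efivarfs with its leading 4-byte attribute word stripped, which load_efivar does; `mokutil --list-enrolled` shows the same list in human-readable form. Any entry you did not enroll yourself is the finding, since the whole point of the exploit is that the key arrives without the enrollment, reboot and console confirmation described above.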

Machines vulnerable to the exploit include certain models sold by Acer, HP, Fujitsu, and Lenovo when shipped with Insyde's UEFI and Linux. Evidence found in the exploit code indicates that the exploit may be tailored to specific hardware configurations of such machines. Earlier this year, Insyde released a patch that prevents the exploit from working; unpatched devices remain vulnerable. Devices from these manufacturers that use non-Insyde UEFI are not affected.

Rome
