Extreme Privilege Escalation on Windows 8 - UEFI Systems

Offered By: Black Hat via YouTube

Course Description

Overview

Explore extreme privilege escalation techniques on Windows 8 and UEFI systems in this Black Hat conference talk. Delve into the expanded attack surface created by the UEFI specification's runtime services interface and Windows 8's new APIs. Discover two vulnerabilities in Intel's UEFI reference implementation and learn the unique exploitation methods required. Examine topics such as post-exploitation privilege escalation, UEFI audits, firmware capsule updates, and cryptographic verification. Witness a live demonstration of the "Queen's Gambit" and "Dixie" vulnerabilities, including warm resets and flash chip manipulation. Gain insights into the vulnerability disclosure process, Intel's response, and attacks on HP systems. Understand the workings of System Management Mode and explore concepts like "The Watcher" and "Ultimate Nullifier." Analyze ping packets, manual configurations, and reset vectors to grasp the full scope of these advanced privilege escalation techniques.

Syllabus

Introduction
Who are we
Outline
Command Prompt
Post exploitation privilege escalation
Post exploitation privilege escalation options
Dark world
Extreme privilege escalation
Target of attack
UEFI
BIOS
UEFI Audit
UEFI Capsule Update
Firmware Capsule
Capsule Update
Coalescing
Cryptographic Verification
Capsule
Bugs
Open Source
Vulnerabilities
Memory Map
Queen's Gambit
Dixie
Whitepaper Summary
Live Demo
Warm Reset
Flash Chip
Vulnerability Disclosure Process
Intel's Response
Attacked an HP System
Jim Waldron
System Management Mode
How The Watcher Works
Ultimate Nullifier
Ping packets
Manual configuration
Spoof concept
Reset vector


Taught by

Black Hat
