The Empire Strikes Back Apple – how your Mac firmware security is completely broken

["fG" <fulldisclosure () put as>]

Hi,

Most Mac models suffer from a critical vulnerability in the S3
suspend/resume cycle.
When they resume from a suspend cycle the BIOS flash protections are
removed and unlocked. This means the BIOS can be overwritten from userland
at that moment.
The Dark Jedi vulnerability achieved this by modifying the S3 boot script
but Apple's implementation is even worse and the only requirement is to
put the computer to sleep.

Please refer to
https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
for longer description and proof.

All Mac models except newest ones (released in 2014/2015?) should be
vulnerable. The newest ones require some tests because I don't have any
available at the moment.

Have fun,
fG!



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/