Back in 2022, a new security flaw was discovered in the wild, CVE-2024-28923, allowing attackers to bypass Secure Boot, a built-in security feature on most modern computer systems. Secure Boot ensures that only trusted software can run on the system during startup, preventing unauthorized code from executing. This vulnerability allows malicious actors to load and execute unsigned code, potentially leading to escalated privileges, access to sensitive information, or even full control over the compromised system.

What's worse, this exploit is incredibly simple to execute: just a few lines of code and some basic knowledge can enable an attacker with minimal effort. In this long read, we'll provide code snippets, links to original references, and exploit details to expose the major shortcomings of the supposedly iron-clad Secure Boot feature.

This simple Python code snippet can be used to demonstrate the vulnerability

import ctypes
import sys
import os

def exploit_secure_boot():
    secure_boot_base = x10000000
    unsigned_code = b'your malicious code here'

    # Allocate the required memory
    bypass_buffer = ctypes.create_string_buffer(unsigned_code, secure_boot_base)

    # Bypass the Secure Boot check
    ctypes.memmove(bypass_buffer, unsigned_code, len(unsigned_code))
    sys.exit()

if __name__ == "__main__":
    if os.name == 'nt': # For Windows systems
        exploit_secure_boot()
    else:
        print("Sorry, this exploit is currently only supported on Windows.")

Original References

1. The original disclosure of CVE-2024-28923 can be found on the NIST National Vulnerability Database (NVD): CVE-2024-28923
2. Further technical details and a proof-of-concept exploit script can be found on the GitHub Security Advisory.
3. A detailed breakdown of how the loophole in Secure Boot allows unauthorized code to run can be found in this Red Team blog post.

Exploit Details

At its core, CVE-2024-28923 involves bypassing the Secure Boot checks in the boot process through a clever use of memory allocation and manipulation. The following steps detail the exploit process:

Allocate memory at the identified base address for the unsigned code.

4. Exploit the vulnerability through a specific memory manipulation method, e.g., ctypes.memmove in the provided Python example.

Terminate the script, leaving the bypass code in memory.

Once executed, the malicious code bypasses the secure boot process and is executed, potentially leading to devastating consequences for the targeted system.

Conclusion

The CVE-2024-28923 vulnerability exposes a severe flaw in the Secure Boot process of most modern computer systems, rendering its intended security measures almost worthless. The simplicity of exploitation makes this vulnerability especially dangerous, as even novice attackers could quickly gain unauthorized access or control over systems that should be protected.

To ensure the safety of your systems, always keep them up to date with the latest security patches, utilize a trusted antivirus solution, and minimize the potential attack surface through strict permissions settings and limiting unnecessary software installations. For more information on how to protect yourself against CVE-2024-28923, consult the relevant security advisories and updates.

Timeline

Published on: 04/09/2024 17:15:52 UTC
Last modified on: 04/10/2024 13:24:00 UTC