PKFail- 'Secure Boot' isn't because pajeets working for companies based in Worse China are lazy and do nothing but copy sample code - DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST DO NOT REDEEM DO NOT TRUST

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

According to the security firm Binarly, tens of computer manufacturers, across hundreds if not thousands of different models, used an example 'platform key' (the master signing key for firmware on the system) which had been provided by the AMI bios and marked as "DO NOT TRUST". This has been happening for more than a decade and affects at least Acer, Dell, Gigabyte, Intel, Supermicro, Aopen, Foremelife, Fujitsu, HP, and Lenovo.

The implication of this is that malicious software can be created to run with the highest possible privileges in any of these systems and hide itself from anything at the operating system level.

Apparently they found it in this Git repository (since deleted)

http://web.archive.org/web/20230514210613/https://github.com/raywu-aaeon/Ryzen2000_4000

Which is archived here:

https://archive.org/download/aaeon-uefi-firmware-git-repos/Ryzen2000_4000.git.zip

Apparently the private key is in FW_priKey.pfx. It wants an import password, which apparently is only four characters, but I'm not bored enough to build the 'jumbo' version of john the ripper to crack it yet.

 

[The Mass Shooter Ron Soye]

Secure Boot is evil and this is actually a good thing. Do redeem.

 

[Another Char Clone]

PK keys shouldn't really be used to verify anything. As far as I can tell, its just a key to put Secure Boot into setup enforcing mode. The stuff that boots up is supposed to be verified by the DB key. And if you use Shim on Linux, the MOK keystore.

Good thing I make my own PK key.

Edit: Looks like its used to verify KEK updates that then verify DB key updates. Still a good idea to change it, I don't want anyone but me changing the keys on my system.

 

[Uncle Sid]

Everything's been fucked from ring -1 ever since intel started putting Management Engine on every CPU die other than the ones for the CPUs they only sell to the NSA in 2008.

 

[Prokhor Zakharov]

Just scanned my latest firmware image, clean. So, HP appears to be unaffected for intel based systems.

 

[xmpp]

└─$ john FW_priKey.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
abcd             (FW_priKey.pfx)

It seems the password for the .pfx is 'abcd'

 

[Prokhor Zakharov]

└─$ john FW_priKey.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
abcd             (FW_priKey.pfx)

It seems the password for the .pfx is 'abcd'

That is just fucking pathetic.

Confirmed, password is really abcd

Imagine being paid to be this retarded.

Edit: Hold on, the certificate expired back in 2021, how the fuck is this a problem then?

 

[xmpp]

That is just fucking pathetic.

Confirmed, password is really abcd

Edit: Hold on, the certificate expired back in 2021, how the fuck is this a problem then?

Anyone using a private key from an expired certificate is a retard.

View attachment 6239933

There's a few issues here.
1. It's an example key provided with American Megatrends documentation, vendors with no idea decided it was a good idea to sign production level firmware with this exact key.
2. Not only was this done by 1 manafacturer, but multiple of them.
3. An employee accidentally leaks source, and said example key.
4. These keys are not date validated by anything, so for example an expired SSL certificate would be cross checked by the browser and display as out of date, you could theoretically sign these firmwares with a key that expired in 1970 and it would still work, according to Binarly these were still being used in firmware released in 2024.

 

[Prokhor Zakharov]

There's a few issues here.
1. It's an example key provided with American Megatrends documentation, vendors with no idea decided it was a good idea to sign production level firmware with this exact key.
2. Not only was this done by 1 manafacturer, but multiple of them.
3. An employee accidentally leaks source, and said example key.
4. These keys are not date validated by anything, so for example an expired SSL certificate would be cross checked by the browser and display as out of date, you could theoretically sign these firmwares with a key that expired in 1970 and it would still work, according to Binarly these were still being used in firmware released in 2024.

This is amazing. The people involved in this should be hung by their nutsack from a flag pole. This is nothing short of a complete failure across multiple companies where someone should have noticed this was a problem. The people doing this are supposed to be in "high trust" positions. No one should be trusting these people with literally anything.

 

[Lord of the Large Pants]

Which Pajeet did this?

 

[Legalize Nuclear Bombs]

"Secure" boot has been nothing but a pathetic joke since many years. Plenty of firmware either uses straight up leaked keys and even if they aren't leaked then those keys are used to sign vulnerable bootloaders written by jeets that you can now use to load whatever the fuck you want anyway. Almost all OEMs and even Microsoft themselves are guilty of this, given that they now employ brown and smelly pajeets exclusively.

Still a good idea to change it, I don't want anyone but me changing the keys on my system.

The only proper way to use secure clown boot is by rolling your own keys, just like you said. Too bad you can't do that shit if you run windows.

Imagine trusting any system where you don't own the keys, lmao.

 

[Black Man Underwear]

I expect my $6,000,000 Google Play card in restitution.

When can I expect to redeem it?

 

[Prokhor Zakharov]

For anyone that wants to play with it, here is the certificate containing the key in PFX format, within a ZIP file.

The password for key decryption/certificate importation is: DONOTTRUST

The ZIP file itself is not password protected.

 

[Sam Losco]

lol
No one should be surprised by this that has paid any bit of attention to all the security problems in modern computer systems and all the DB leaks/hacks that continue to happen.
Systems are too complex and no one really knows what they are doing, especially those that are in a position to make the policy decisions. The decision makers are all business degree majors. There are so any different systems that no one can be an expert on everything they work on, everyone has to be a jack of all trades, master of none.

 

[Prokhor Zakharov]

KFer @PunkinMan has made a very interesting post related to this issue in the Community Driven Happenings thread:

https://kiwifarms.st/threads/community-driven-happenings-feed-version-2.114933/post-18952399

It contains a method where you can check your system directly to see if you are impacted. If you are impacted, you can join in the chorus of owners that are yelling at their respective OEMs that made their system/board to fix this shit.