The security researchers who found a way to compromise Intel's Management Engine last year have just released proof-of-concept exploit code for the now-patched vulnerability.
Mark Ermolov and Maxim Goryachy at Positive Technologies have published a detailed walkthrough for accessing an Intel's Management Engine (IME) feature known as Joint Test Action Group (JTAG), which provides debugging access to the processor via USB. The PoC incorporates the work of Dmitry Sklyarov, another researcher from the company.
The PoC code doesn't represent a significant security threat to Intel systems, given that there's a patch and the requirements for exploitation include physical access via USB. It's mainly a matter of academic interest to security researchers, though it also serves as a reminder that the IME expands the hardware attack surface.
The IME is microcontroller designed to work with the Platform Controller Hub chip, alongside integrated peripherals. Running its own MINIX microkernel, it oversees much of the data moving between the processor and external devices and its access to processor data makes it an appealing target.
The disclosure of a vulnerability last year in Intel's Active Management Technology, a firmware application that runs on the IME, amplified longstanding concerns that Intel's chip management tech could serve as as a backdoor into Intel systems.
In May last year, the Electronic Frontier Foundation asked Intel to provide a way to disable the IME. In August, Positive Technologies revealed that Intel already offered a kill switch to customers with high security requirements.
Intel's super-secret Management Engine firmware now glimpsed, fingered via USBREAD MORE
In September, the researchers let slip that they would be demonstrating an additional IME bug at Black Hat Europe come December. That turned out to be the JTAG exploit.
Intel issued a patch for the JTAG vulnerability (INTEL-SA-00086) last November and updated its fix in February 2018. The flaw allowed the PoC code to activate JTAG for the IME core, thereby letting the attacker run unsigned code. The PoC was developed on a Gigabyte Brix GP-BPCE-3350C, which is a Celeron-based compact PC.
Ermolov and Goryachy recommend that those interested in testing the code do so on a similar box, but note that it should work on other Intel Apollo Lake-based PCs.
Either way, TXE firmware version 220.127.116.117 is required. So too is a utility called Intel TXE System Tools. Intel doesn't make its ME/TXE/SPS System Tools available to end users but some of its OEM partners include them with software and driver updates. A special USB 3.0 debugging connector is also necessary, though those who enjoy hacking hardware can make their own by isolating the D+, D-, and Vcc contacts on a USB 3.0 Type A Male to Type A Male cable.
In other words, the exploitation process is rather involved and not for the faint of heart. ®