This exact code is not available in public, but open source firmware of some Intel boards has it too. Firstly I supposed that vulnerable code was written by Lenovo or its Independent BIOS Vendor (IBV), but later it turned out that they've taken this totally mad driver from Intel reference code. Lots of interesting things happened since release of ThinkPwn exploit. Also, this time I did responsible disclosure to Intel and AMI, so, at the moment of this publication you already can patch some of vulnerable products. Today I’m sharing with you the story of my next x86 machine hacking - we’re going to talk about UEFI vulnerabilities, exploit mitigation features of System Management Mode and new exploit called Aptiocalypsis. Also, I released exploit for 0day vulnerability in SystemSmmRuntimeRt UEFI SMM driver called ThinkPwn.

In another, ' Exploring and exploiting Lenovo firmware secrets', I've shown how to achieve flash write protection bypass using any vulnerability that allows arbitrary System Management Mode code execution. In ' Exploiting SMM callout vulnerabilities in Lenovo firmware' I've shown some basic things related to exploitation and reverse engineering of its firmware on example of re-discovering already fixed 1day vulnerability. Two previous articles were about my Lenovo ThinkPad T450s laptop.

Hi, everyone! This blog post is another usual article about firmware security of x86 compatible machines.