ThinkPwn: A recently released exploit disables the write protection of a critical area of the firmware on Lenovo ThinkPads and, possibly, on laptops from other vendors.
The exploit effectively neutralizes many of the newer Windows security features, such as Secure Boot, Virtual Secure Mode and Credential Guard, all of which depend on the firmware itself being protected.
The exploit, named ThinkPwn, was published earlier this week by a researcher named Dmytro Oleksiuk. The researcher did not share his findings with Lenovo before publishing the security flaw. This makes it a zero-day: an exploit for which no patch is yet available.
ThinkPwn targets a privilege escalation flaw in a Unified Extensible Firmware Interface (UEFI) driver, which allows an attacker to remove the flash write protection and run malicious code in System Management Mode (SMM), a highly privileged CPU mode.
According to Oleksiuk, the exploit can be used to disable Secure Boot, a UEFI feature that cryptographically verifies the authenticity of the OS bootloader to prevent boot-level rootkits. The flaw also defeats Windows 10's Credential Guard feature, which uses virtualization-based security to prevent the theft of credentials. It can also do, in the researcher's words, "other bad things".
According to Lenovo, the vulnerability found by Oleksiuk was not in its own UEFI code, but in an application provided to the company by an external partner, which Lenovo did not name.
Note that the scope of the problem has not yet been determined, and the vulnerability could affect vendors other than Lenovo. In ThinkPwn's release notes on GitHub, Oleksiuk reports that the vulnerability existed in the Intel reference code for 8-series chipsets but had been fixed there by 2014.
PoC: https://github.com/Cr4sh/ThinkPwn