Gigabyte Backdoor


mach3.2

Active Member
Feb 7, 2022
Reads a lot like one of the options that are turned on by default on MSI's newer BIOSes, offering to download some MSI software after boot.

Stephan

Well-Known Member
Apr 21, 2017
Germany
The tech is called "Windows Platform Binary Table", see "Remote Code Execution on Most Dell Computers" on Hacker News.

Many OEMs have been seen using WPBT. Lenovo, Dell, etc. literally for a decade. Windows 8 and later will try to execute it.

So don't use Windows on these motherboards. Don't buy the motherboard if it's really good but you can't patch it out because of hardware DRM lock aka signed BIOS images. Complain to the CEO in a nice, brief statement. If I care enough, I do.

Vote with your wallet, relentlessly.

And to really learn something about Windows, pull the ethernet plug. Install Windows. See what it takes to add all those drivers without any Internet. Start TCPview or some other sniffer. Plug machine into network. See if you can disable anything and everything that wants to call home. It will take you days. And you will always find more. CA updaters. Device manager, if you plug in a new device. The print server to retrieve that picture of your printer. Really hard exercise, because the people on the other side of the closed-source binaries that they lend you don't want that.
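Added example, not code from any poster in this thread: a small checker for the WPBT table Stephan describes. On Linux the firmware's ACPI tables are exposed under /sys/firmware/acpi/tables, so a board can be inspected for a WPBT (and for what binary and arguments it would hand to Windows) without booting Windows at all. The field layout follows Microsoft's published WPBT specification; the sample table built here is constructed for the test and comes from no real firmware.

```python
import struct
from pathlib import Path
from typing import Optional

# Layout per the Microsoft WPBT specification: a standard 36-byte ACPI header,
# then handoff size (u32), physical address (u64), content layout (u8),
# content type (u8) and, for type 1, a u16 byte length plus UTF-16LE arguments.
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBB")
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # where Linux exposes it


def acpi_checksum_ok(table: bytes) -> bool:
    """Every byte of an ACPI table, checksum included, must sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Return what the firmware asks Windows to run: where it lives and its args."""
    if len(table) < ACPI_HDR.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _cs, oem_id, oem_tab, *_ = ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table) or not acpi_checksum_ok(table):
        raise ValueError("length or checksum mismatch; table is corrupt")
    size, addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    off = ACPI_HDR.size + WPBT_BODY.size
    args = ""
    if ctype == 1 and len(table) >= off + 2:  # type 1 = native user-mode PE
        (arglen,) = struct.unpack_from("<H", table, off)
        args = table[off + 2:off + 2 + arglen].decode("utf-16-le").rstrip("\0")
    return {"oem_id": oem_id.rstrip(b" \0").decode(), "image_addr": addr,
            "oem_table": oem_tab.rstrip(b" \0").decode(), "image_size": size,
            "layout": layout, "content_type": ctype, "cmdline": args}


def build_wpbt(addr: int, size: int, cmdline: str, oem_id: bytes = b"SAMPLE") -> bytes:
    """Constructed sample table for testing; not taken from any real firmware."""
    args = cmdline.encode("utf-16-le") + b"\0\0"
    body = WPBT_BODY.pack(size, addr, 1, 1) + struct.pack("<H", len(args)) + args
    hdr = ACPI_HDR.pack(b"WPBT", ACPI_HDR.size + len(body), 1, 0,
                        oem_id.ljust(6), b"WPBTSAMP", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte sits at header offset 9
    return bytes(table)


def check_local_firmware(path: Path = SYSFS_WPBT) -> Optional[dict]:
    """None means the firmware publishes no WPBT, i.e. nothing for Windows to run."""
    return parse_wpbt(path.read_bytes()) if path.exists() else None


if __name__ == "__main__":
    print(check_local_firmware() or "no WPBT table in this firmware")
```

Reading the sysfs file normally needs root; a present table with a vendor OEM ID and an updater-style command line is exactly the kind of "value added" payload the thread is about.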
 

bob_dvb

Active Member
Sep 7, 2018
Not quite London
www.orbit.me.uk
Not long ago I was trying to convince some colleagues that we would be okay buying Gigabyte instead of Dell. I was even citing STH to show how good getting an AMD Genoa Gigabyte system might be.

> "It's okay, they do ship lots of servers, maybe not as many as Dell, but they're an established brand, what could go wrong?"
Balls.

Edit: Just to note, we'd not be using Windows on such servers, but it doesn't help the credibility of buying these systems to see such a hole.

oneplane

Well-Known Member
Jul 23, 2021
This is the result of trying to distinguish computer parts that should be fulfilling a generic function by slapping on some 'value added' nonsense that nobody asked for.

Instead of doing what they did, a much simpler and safer method could have been adding a USB flash drive on an internal USB port on the mainboard. When you're done or have had enough of it, you can unplug it, and gone is the vendor malware. But just like the malware that you get with practically any laptop you can buy from a consumer goods store, that's not where the money is for manufacturers. The money is in selling persistence to marketing departments.
 

edge

Active Member
Apr 22, 2013
So what to do if you own the motherboard on the list?
I have 3 Aorus x670e extreme MB that are on the list.

The main culprit in the BIOS is GCC (Gigabyte Control Center). This is the firmware hook Gigabyte uses to update your system's firmware, drivers, and malware. It can be set to disabled.

I also disabled wake on lan.

The article includes URLs for the Gigabyte download sites - you can block those at firewall, but I am not confident the firmware flaw has the download sites hard coded.

---

Update: I failed to mention that Gigabyte adds a hard-coded username and password to your system when you install Windows. While not an administrator-privileged account, it is an account with a publicly known name and password sitting there waiting for a privilege escalation bug. Time bomb.
 

Patrick

Administrator
Staff member
Dec 21, 2010
> Many OEMs have been seen using WPBT. Lenovo, Dell, etc. literally for a decade. Windows 8 and later will try to execute it.

This. There are other remote execution bits on major PC brands, like LoJack for computers, that are firmware based and will re-install even if you uninstall them in Windows.
 

CyklonDX

Well-Known Member
Nov 8, 2022
I do recall viruses/worms on early implementations of USB - the early cards, as well as sometimes coming with it from the factory - as early as on Win 98.
Most were only working on Windows - they were trying to execute IE ActiveX code.

There were plenty of attacks on early Intel ME, but no one was talking about them.
The OEM attaching spyware, having built-in backdoors, and Trojans pre-installed was quite common back then too.

In short, nothing has changed, but everything kinda went quiet during the war on terror. Either the gov moved to more sophisticated ways to penetrate systems, or they cracked down on them; but the Windows 2000 Pro (NT) platform made it much harder to execute code like that too.
(If one believes forum talk on warez forums like astalavista back then, one would recall choppers flying over houses with a magnet-like antenna attached - activating chips - and systems would proceed to download magic files...)

(SC also had chipped motherboards for servers that were calling home to China some time ago.)
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
As Stephan correctly said, this hardly seems to be a new issue. I found this article from two years ago about the same vulnerability from the same researcher:
I "love" Microsoft's response:

> "Microsoft recommended the use of a Windows Defender Application Control policy that allows users to control what binaries can run on a Windows device."

In other words - don't worry about glaring hardware vulnerabilities. Just ensure you are running "trusted" apps only on Windows.
 

tinfoil3d

QSFP28
May 11, 2020
Japan
I wonder if it's still a laughing matter if someday they start infecting Linux filesystems with this crap... Meanwhile we can just LOL at this. Don't blame Gigabyte or other vendors. They're just using the tech Windows offers.
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
Supply chain attacks are a real problem in 2023, aye. But you can't, because something in Linux would need to retrieve a working ELF binary and execute it. AFAIK there is no Linux binary in the BIOS and also no service on Linux distributions to do something stupid like this. On Windows you have no choice: closed source code. Vote with your wallet.