Wednesday, March 21st 2018

CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video

CTS-Labs, following up on Tuesday's "Masterkey" exploit proof-of-concept video, has posted a guide to bypassing Windows Credential Guard on an AMD Ryzen-powered machine. The demonstration once again begins in a privileged shell session on an AMD-powered machine whose Secure Processor has already been compromised, using admin privileges, through any of the 13 vulnerabilities chronicled by CTS-Labs. Mimikatz, a tool used by attackers to steal network credentials, should normally not work on a machine with Windows Credential Guard enabled. Using a modified version of Mimikatz, the CTS-Labs researchers bypass Windows Credential Guard (which relies on hardware-level security features of the processor) by leveraging the malicious AMD Secure Processor microcode they wrote.
The proof-of-concept video follows.


88 Comments on CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video

#1
thesmokingman
We once again begin in a privileged shell session
Seriously, again?
Posted on Reply
#2
DeathtoGnomes
So CTS does appear intent on trying to destroy AMD.
Posted on Reply
#3
thesmokingman
"DeathtoGnomes said:
So CTS does appear intent on trying to destroy AMD.
And TPU apparently lol.
Posted on Reply
#4
Joss
"thesmokingman said:
And TPU apparently
lol :D
Posted on Reply
#5
ssdpro
Again, drip drip drip. This is easy stuff folks. AMD has already acknowledged these vulnerabilities, AMD is preparing fixes, and all will be well in a few weeks. AMD's stock isn't moving, no need to start squabbling. TPU is just showing the video as it is news worthy since the vulnerabilities have been claimed, verified by AMD, fixes already in progress. Once fixed in a couple weeks you won't read any more stories like this.
Posted on Reply
#6
Chaitanya
"thesmokingman said:
And TPU apparently lol.
TPU has dug itself into the hole to the point that they have no option but to cover this, or else they will admit they were wrong in covering that 1st story without any research. Also it's the first time I saw Wizzard come out so aggressively trying to defend his editor and had to write a moderation add-on.
Posted on Reply
#7
R0H1T
Just like clockwork, next bug to be called EPYCfail :rolleyes:
Posted on Reply
#8
RejZoR
I mean, I don't see anything wrong with TPU covering this stuff. They are news and tech site, it's expected for them to keep us posted with such stuff. It's up to CTS Labs that run this drama queen thing all over the place...
Posted on Reply
#9
R-T-B
"thesmokingman said:
Seriously, again?
Yes, seriously every time and still serious.
Posted on Reply
#10
phanbuey
Whoooaaa.... that's such a big flaw... Couldn't have typed this in the command shell

C:\>bcdedit /copy {current} /d "No Hyper-V"
The entry was successfully copied to {your key}.

C:\>bcdedit /set {your key} hypervisorlaunchtype off
The operation completed successfully.

Definitely needed an AMD system for that.
Posted on Reply
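A defender-side check, added here and not part of the CTS-Labs demo or any commenter's post, that reports whether Credential Guard is actually running on the box and whether the hypervisor launch type has been switched off in the BCD the way the bcdedit commands above do; it assumes Windows 10 or later with the Win32_DeviceGuard WMI class, run from an elevated PowerShell.

```powershell
# Added example (not CTS-Labs or TechPowerUp code): report whether Credential Guard
# is actually running and whether hypervisor launch has been turned off in the BCD.
# Assumes Windows 10 / Server 2016 or later; run elevated so bcdedit can read the store.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard lives in its own namespace. SecurityServicesConfigured and
    # SecurityServicesRunning are arrays of codes: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Read the current boot entry and pick out hypervisorlaunchtype (Auto or Off).
    $bcd = (& bcdedit.exe /enum '{current}' 2>$null) -join "`n"
    $launchType = if ($bcd -match 'hypervisorlaunchtype\s+(\S+)') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        VbsRunning                = $vbsRunning
        HypervisorLaunchType      = $launchType
        # Configured but not running, or launch type forced off, is what to flag for review
        Suspicious = ($cgConfigured -and -not $cgRunning) -or ($launchType -ieq 'off')
    }
}

Get-CredentialGuardStatus | Format-List
```

This only reports the OS-visible state; it cannot tell whether the Secure Processor firmware underneath has been tampered with, which is exactly why the CTS-Labs demo is a firmware-level problem rather than a configuration one.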
#11
john_
Just one simple question.

It is obvious that CTS Labs will keep posting one video here, one video there because that's what they are getting payed to do, or because that's what they believe will keep their name on the news.

So, here is the question.

IS TPU going to become the main advertising platform for CTS Labs? And if yes, WHY?

Just update an older article. Is it so difficult? Or is it a great idea to make the security market the next online soap opera, so that tech sites can have plenty of drama to post?
Posted on Reply
#12
ikeke
3l33t h@x0r

https://www.youtube.com/watch?v=u8qgehH3kEQ

(Y)
Posted on Reply
#13
DeathtoGnomes
"john_ said:
Just one simple question.

It is obvious that CTS Labs will keep posting one video here, one video there because that's what they are getting payed to do, or because that's what they believe will keep their name on the news.

So, here is the question.

IS TPU going to become the main advertising platform for CTS Labs? And if yes, WHY?

Just update an older article. Is it so difficult? Or is it a great idea to make the security market the next online soap opera, so that tech sites can have plenty of drama to post?
yes CTS is getting "payed", keep up with the rest of us !
Posted on Reply
#14
xkm1948
Keep them coming. I do wonder why they did not bother releasing all of their PoC videos at the same time. They surely spent a year or so on these concepts and have already recorded these PoC videos a long time ago. Yet somehow their date is Mar 21, 2018. A little haste to defend themselves, huh? I am sure industrial veterans like themselves wouldn't do something so amateur as shooting videos in their basement one day at a time.

Meanwhile I expect a lot of the comments here to be flagged as "low quality" :D

Dissecting the source and credibility of the source is extremely crucial in the age of massive data manipulation. End data consumers have every right to question the source and intent of the data before even diving into the content of the data.
Posted on Reply
#15
KarymidoN
"ssdpro said:
Again, drip drip drip. This is easy stuff folks. AMD has already acknowledged these vulnerabilities, AMD is preparing fixes, and all will be well in a few weeks. AMD's stock isn't moving, no need to start squabbling. TPU is just showing the video as it is news worthy since the vulnerabilities have been claimed, verified by AMD, fixes already in progress. Once fixed in a couple weeks you won't read any more stories like this.
My main issue with this whole thing is how they released the info, showing BIG ISSUES, UNPATCHABLE! CAN'T BE FIXED!
First of all, if the attacker has ADMIN access to your PC, he can do anything he wants, doesn't matter if you use Intel, AMD, ARM, VIA... but OK, blame and focus only on AMD, fine. AMD with 24h of advance warning had to analyse and give a statement about it (Intel had months to analyse and prepare before Spectre and Meltdown became public, but ok!). It becomes quite clear that CTS Labs had no intention of discovering flaws so those flaws can be fixed (helping make users more secure); it looks to me that they only wanted to deliver a blow to AMD to benefit from it, it's a personal agenda. (My opinion, sorry for my bad English)
Posted on Reply
#16
btarunr
Editor & Senior Moderator
"Chaitanya said:
or else they will admit they were wrong in covering that 1st story without any research
What a pathetic lie. Our first article was far more technically detailed than most other sites. Our report was "look, here's what these guys say they found," which is as far as every other publication's story was, on that day, not even reports from stock research firms with a vested interest in driving down AMD stock had your definition of "research" (i.e. thou shalt personally test every vulnerability to be true and then post news). Nobody had a "research package" to verify those claims and post "here's what these guys found, we tested them to be true, here's our work." No tech site has it yet. AMD's response doesn't qualify as a rebuttal.
Posted on Reply
#17
W1zzard
"xkm1948 said:
I do wonder why they did not bother releasing all of their PoC video at the same time.
In my initial phone call they asked me for suggestions, so I recommended "make a video, just simple filming, no cg, no green screens". Now it seems they record them one by one and release asap. I tend to agree with you that this is suboptimal, rather record them all and release at the same time, possibly with media getting early access under embargo so they can prepare stories.
Posted on Reply
#18
john_
"DeathtoGnomes said:
yes CTS is getting "payed", keep up with the rest of us !
To stay on the news as long as possible. Got it now?
Posted on Reply
#19
W1zzard
Handed out a couple of short bans, tired of seeing this kind of shitposting
Posted on Reply
#20
dicktracy
"thesmokingman said:
And TPU apparently lol.
No. You're just not used to being outside of the AMD circlejerk bubble. AMD even said these exploits are real and will patch them later.
Posted on Reply
#22
the54thvoid
"W1zzard said:
Handed out a couple of short bans, tired of seeing this kind of shitposting
While I find the focus on CTS distasteful, the rhetoric and accusations against TPU are something that should have been dealt with a long time ago. TPU has had militants rally against it for a while now (usually in AMD/Nvidia threads) and the constant "TPU is a shill" cry has gone unpunished, until now. If you invite someone into your house and they shit on your carpet - you really ought to kick them out before they've pulled their trousers up.

As for further coverage of CTS Labs technical pieces, it should be noted that the majority of TPU members (from what I've seen) are not that tech savvy. This is not my site (nor do I own one) but as Anandtech and others have done, a fair reflection on the merits of CTS background funding and PR roadshow wouldn't go amiss. There is one thing that will be proven in time and that is a very viable path for discrediting this exploit exposé:

CTS says it's not fixable
CTS gives AMD 24 hours notice that they have found said exploit.
AMD says a firmware patch will fix it and they are working on it.

so.....

If patch fixes problem, and it does so within 90 days (standard industry timescale for exploit announcement)...
There would be no issue at all. This is the crux of it all - by not giving due time as is normally allowed, CTS have used unfair media leverage to make AMD look bad. If AMD do patch this (apparently unfixable issue) it makes CTS look like opportunistic little scum bags. This exploit would be history before it was even news but CTS intentionally released the exploit reveal with as little time as possible for AMD to make them look crap.

Therefore, all the PR the tech sites are allowing CTS 'airtime' is actually helping them look better when we're not giving AMD time to work on it as Google gave Intel (and AMD) when Spectre/Meltdown were discovered.

So, even those doing this :banghead: at those saying there is no flaw, of course there's a flaw but it could have been dealt with 'properly' and had it been done so (been fixed by AMD), we would not have had all this hyperbolic forum activity.

Is there an exploit? YES. Did CTS stitch AMD up? YES. TPU has not sufficiently asked why that is, that is why there is a great resentment in the forums.
Then again, in 'x' weeks time, if AMD hasn't fixed it, then we can get all pissy again.....
Posted on Reply
#23
Mister Jinx
Hello to all
I am interested in news and appreciative of the time and work put into this site (I appreciated NextPowerUp too, a lot of news/info different from the usual). I agreed with some reviews/editorials while I disagreed with other ones; anyway, I personally see the risk for this website to burn itself. I know that depending on the stance you get accused of being pro or against the different "camps", however with this CTS vs AMD at the moment you are not giving any service nor special info.

There is no added value in the last posts you are putting on the site, it has been cleared in a quite definitive way that you need "administrative" access to the machine to compromise it, and if the machine is behind a protected network you need to pierce the defenses, before.

I think everybody here has witnessed in the past years several patches to different bugs in processors, chipsets and so on, from each "camp". Most often we discovered the bug or the glitch after a solution was posted.

Now it seems really like beating a dead horse; it does not give any help or additional info. If you keep posting news about this affair that adds zero to what was already written it will really give the idea that you are click-baiting, and this is good in the short term but in the long term it will heavily hurt.
Posted on Reply
#24
HTC
Perhaps it's best to place any subsequent CTS-Labs PoC videos in the original 13 vulnerabilities topic?

While the vulnerabilities are real and have been confirmed as such, CTS-Labs is very much in question because of how they handled the disclosure, if not for other reasons as well. As such, it seems to me that it's a dis-service to "TPUers" to keep posting new topics about this when it could be covered in the original topic.
Posted on Reply