
CTS-Labs Posts Ryzen Windows Credential Guard Bypass Proof-of-concept Video

btarunr

Editor & Senior Moderator
Staff member
CTS-Labs, following up on Tuesday's "Masterkey" exploit proof-of-concept video, posted a guide to bypassing Windows Credential Guard on an AMD Ryzen-powered machine. We once again begin in a privileged shell session on an AMD-powered machine whose Secure Processor has already been compromised, using admin privileges, through any of the 13 vulnerabilities chronicled by CTS-Labs. Mimikatz, a tool used by hackers to steal network credentials, should normally not work on a machine with Windows Credential Guard enabled. Using a modified version of Mimikatz, the CTS-Labs researchers are able to bypass Windows Credential Guard (which relies on hardware-level security features present on the processor) by leveraging the malicious AMD Secure Processor microcode they wrote.

The proof-of-concept video follows.
 
We once again begin in a privileged shell session

Seriously, again?
 
So CTS does appear intent on trying to destroy AMD.
 
Again, drip drip drip. This is easy stuff folks. AMD has already acknowledged these vulnerabilities, AMD is preparing fixes, and all will be well in a few weeks. AMD's stock isn't moving, no need to start squabbling. TPU is just showing the video as it is newsworthy since the vulnerabilities have been claimed, verified by AMD, fixes already in progress. Once fixed in a couple weeks you won't read any more stories like this.
 
Whoooaaa.... that's such a big flaw... Couldn't have typed this in the command shell

C:\>bcdedit /copy {current} /d "No Hyper-V"
The entry was successfully copied to {your key}.

C:\>bcdedit /set {your key} hypervisorlaunchtype off
The operation completed successfully.

Definitely needed an AMD system for that.
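A defender-side check that follows from the comment above, added here as an example and not taken from the page, CTS-Labs or Microsoft: it reports whether Credential Guard is actually running, whether it is UEFI-locked, and what hypervisorlaunchtype is set to, so a switched-off hypervisor or an unlocked configuration shows up in an audit. It uses the Win32_DeviceGuard WMI class, the LsaCfgFlags registry value and bcdedit /enum; the function name is an assumption of mine, and the session must be elevated because bcdedit requires it.

```powershell
# Added audit script (not from the page, CTS-Labs or Microsoft).
# Run from an elevated PowerShell session: bcdedit /enum needs administrator rights.

function Get-CredentialGuardState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 when Credential Guard runs, 2 when HVCI runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # LsaCfgFlags: 0 = off, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # Without the lock an administrator can switch it off with a registry change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    $lsaCfgFlags = if ($null -ne $lsa.LsaCfgFlags) { [int]$lsa.LsaCfgFlags } else { 0 }

    # The boot switch from the comment above: "Off" means VBS cannot start at next boot.
    $bcd  = bcdedit /enum '{current}' 2>$null
    $line = $bcd | Where-Object { $_ -like 'hypervisorlaunchtype*' } | Select-Object -First 1
    $launch = 'Unknown'   # key absent or bcdedit not elevated: report it, do not assume Auto
    if ($line -and ($line -match '^hypervisorlaunchtype\s+(\S+)')) { $launch = $Matches[1] }

    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        UefiLocked             = ($lsaCfgFlags -eq 1)
        HypervisorLaunchType   = $launch
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# Two conditions that defeat Credential Guard with plain admin rights and no CPU flaw:
if ($state.HypervisorLaunchType -ne 'Auto') {
    Write-Warning "hypervisorlaunchtype is '$($state.HypervisorLaunchType)': VBS and Credential Guard will not start on the next boot."
}
if ($state.CredentialGuardRunning -and -not $state.UefiLocked) {
    Write-Warning "Credential Guard is running without UEFI lock; it can be disabled by a registry change from an admin shell."
}
```

A fleet-wide version of the same check can be scheduled and its output compared against the expected baseline (Auto, locked, running), so a changed boot entry is noticed before the next reboot rather than after.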
 
Just one simple question.

It is obvious that CTS Labs will keep posting one video here, one video there because that's what they are getting payed to do, or because that's what they believe will keep their name on the news.

So, here is the question.

IS TPU going to become the main advertising platform for CTS Labs? And if yes, WHY?

Just update an older article. Is it so difficult? Or is it a great idea to make the security market the next online soap opera, so that tech sites can have plenty of drama to post?
 
Low quality post by ikeke
3l33t h@x0r


(Y)
 
Low quality post by DeathtoGnomes
Just one simple question.

It is obvious that CTS Labs will keep posting one video here, one video there because that's what they are getting payed to do, or because that's what they believe will keep their name on the news.

So, here is the question.

IS TPU going to become the main advertising platform for CTS Labs? And if yes, WHY?

Just update an older article. Is it so difficult? Or is it a great idea to make the security market the next online soap opera, so that tech sites can have plenty of drama to post?

yes CTS is getting "payed", keep up with the rest of us !
 
Keep them coming. I do wonder why they did not bother releasing all of their PoC videos at the same time. They surely spent a year or so on these concepts and have already recorded these PoC videos a long time ago. Yet somehow their date is Mar21-2018. A little haste to defend themselves huh? I am sure industrial veterans like themselves wouldn't do something so amateur as shooting videos in their basement one day at a time.

Meanwhile I expect a lot of the comments here to be flagged as "low quality" :D

Dissecting the source and credibility of the source is extremely crucial in the age of massive data manipulation. End data consumers have every right to question the source and intent of the data before even diving into the content of the data.
 
Again, drip drip drip. This is easy stuff folks. AMD has already acknowledged these vulnerabilities, AMD is preparing fixes, and all will be well in a few weeks. AMD's stock isn't moving, no need to start squabbling. TPU is just showing the video as it is news worthy since the vulnerabilities have been claimed, verified by AMD, fixes already in progress. Once fixed in a couple weeks you won't read any more stories like this.

My main issue with this whole thing is how they released the info, showing BIG ISSUES, UNPATCHABLE! CAN'T BE FIXED!
First of all, if the attacker has ADMIN access to your PC, he can do anything he wants, doesn't matter if you use Intel, AMD, ARM, VIA... but OK, blame and focus only on AMD, fine. AMD with 24h of advance warning had to analyse and give a statement about it (Intel had months to analyse and prepare before Spectre and Meltdown became public, but ok!) It becomes quite clear that CTS Labs had no intention of discovering flaws so those flaws can be fixed (helping make users more secure); it looks to me that they only wanted to deliver a blow to AMD to benefit from it, it's a personal agenda. (my opinion, sorry for my bad English)
 

btarunr

Editor & Senior Moderator
Staff member
or else they will admit they were wrong in covering that 1st story without any research

What a pathetic lie. Our first article was far more technically detailed than most other sites. Our report was "look, here's what these guys say they found," which is as far as every other publication's story was, on that day, not even reports from stock research firms with a vested interest in driving down AMD stock had your definition of "research" (i.e. thou shalt personally test every vulnerability to be true and then post news). Nobody had a "research package" to verify those claims and post "here's what these guys found, we tested them to be true, here's our work." No tech site has it yet. AMD's response doesn't qualify as a rebuttal.
 

W1zzard

Administrator
Staff member
I do wonder why they did not bother releasing all of their PoC video at the same time.
In my initial phone call they asked me for suggestions, so I recommended "make a video, just simple filming, no cg, no green screens". Now it seems they record them one by one and release asap. I tend to agree with you that this is suboptimal, rather record them all and release at the same time, possibly with media getting early access under embargo so they can prepare stories.
 
the54thvoid

Intoxicated Moderator
Staff member
Handed out a couple of short bans, tired of seeing this kind of shitposting

While I find the focus on CTS distasteful, the rhetoric and accusations against TPU are something that should have been dealt with a long time ago. TPU has had militants rally against it for a while now (usually in AMD/Nvidia threads) and the constant "TPU is a shill" cry has gone unpunished, until now. If you invite someone into your house and they shit on your carpet - you really ought to kick them out before they've pulled their trousers up.

As for further coverage of CTS labs technical pieces, it should be noted that the majority of TPU members (from what I've seen) are not that tech savvy. This is not my site (nor do I own one) but as Anandtech and others have done, a fair reflection on the merits of CTS background funding and PR roadshow wouldn't go amiss. There is one thing that will be proven in time and that is a very viable path for discrediting this exploit expose:

CTS says it's not fixable
CTS gives AMD 24 hours notice that they have found said exploit.
AMD says a firmware patch will fix it and they are working on it.

so.....

If patch fixes problem, and it does so within 90 days (standard industry timescale for exploit announcement)...
There would be no issue at all. This is the crux of it all - by not giving due time as is normally allowed, CTS have used unfair media leverage to make AMD look bad. If AMD do patch this (apparently unfixable issue) it makes CTS look like opportunistic little scum bags. This exploit would be history before it was even news but CTS intentionally released the exploit reveal with as little time as possible for AMD to make them look crap.

Therefore, all the PR the tech sites are allowing CTS 'airtime' is actually helping them look better when we're not giving AMD time to work on it as Google gave Intel (and AMD) when Spectre/Meltdown were discovered.

So, even those doing this :banghead: at those saying there is no flaw, of course there's a flaw but it could have been dealt with 'properly' and had it been done so (been fixed by AMD), we would not have had all this hyperbolic forum activity.

Is there an exploit? YES. Did CTS stitch AMD up? YES. TPU has not sufficiently asked why that is, that is why there is a great resentment in the forums.
Then again, in 'x' weeks time, if AMD hasn't fixed it, then we can get all pissy again.....
 
Hello to all
I am interested in news and appreciative of the time and work put into this site (I appreciated nextpowerup too, a lot of news/info different from the usual). I agreed with some reviews/editorials while I disagreed with other ones; anyway, I personally see the risk for this website to burn itself. I know that depending on the stance you get accused of being pro or against the different "camps", however with this CTS vs AMD at the moment you are not giving any service nor special info.

There is no added value in the last posts you are putting on the site, it has been cleared in a quite definitive way that you need "administrative" access to the machine to compromise it, and if the machine is behind a protected network you need to pierce the defenses, before.

I think everybody here has witnessed in the past years several patches to different bugs in processors, chipsets and so on, from each "camp". Most often we discovered the bug or the glitch after a solution was posted.

Now it seems really like beating a dead horse; it does not give any help or additional info. If you keep posting news about this affair that adds zero to what has already been written, it will really give the idea that you are click-baiting, and this is good in the short term but in the long term it will heavily hurt.
 

HTC

Perhaps it's best to place any subsequent CTS-Labs PoC videos in the original 13 vulnerabilities topic?

While the vulnerabilities are real and have been confirmed as such, CTS-Labs is very much in question because of how they handled the disclosure, if not for other reasons as well. As such, it seems to me that it's a dis-service to "TPUers" to keep posting new topics about this when it could be covered in the original topic.
 