Uh Oh, Exploit code targeting major Intel chip flaw to be posted 3/19/09
Network World ^ | 17 March 2009 | Jamey Heary

Posted on 03/19/2009 9:45:32 AM PDT by ShadowAce

This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.

Security Researchers Joanna Rutkowska and Loic Duflot are planning to release a research paper + exploit code for a new SMM (System Management Mode) exploit that installs via an Intel® CPU caching vulnerability. Joanna, of blue pill fame, reported this on her blog.

Joanna cleared it up for me that they are not releasing an SMM rootkit but rather an exploit. It will be up to some other folks to tie this in with an SMM rootkit like this one perhaps.

"Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours."

The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors, so if you'd like further education or a history lesson, here is a good article.

Now remember that what Joanna and Loic will be releasing is a brand new, never before disclosed Intel caching hack that allows them to gain access to SMM space and run their new exploit. If you then use this exploit to run an SMM rootkit that has the ability to call home to its creator to get new code or deposit its findings, you're really gonna have a powerful hack. No software you can run on your operating system would be able to detect this type of exploit once you are powned.

So why would they release the exploit code to the public, you ask? Aren't security researchers supposed to play by the rules and refrain from disclosure? Well, here's the thing: both the CPU caching vulnerabilities and the SMM vulnerabilities already have been reported to Intel. In fact, according to Joanna, "the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees." Both Joanna and Loic also officially reported this and other related bugs to Intel. Loic did so back in October 2008. (Correction: the previous tracking number I just deleted in the article is for a different bug that Joanna also discovered and is currently not patched by Intel yet.) Bottom line is that Intel has known about this vulnerability and others for years, and it can be argued they haven't done due diligence to fix them yet. When this happens, security researchers have little choice but to release their findings publicly, the assumption being that if they have known about it for years then for sure someone with less than legal intentions is already exploiting it. Here is how Joanna puts it:

"If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later. So, don't blame researchers that they find and publish information about bugs — they actually do a favor to our society."

Is your PC currently powned by some hacker ninja using an SMM rootkit? How would you tell? You can't tell!!!!! MUWHAHA!

I just hope Intel fixes these vulnerabilities fast.

Keep checking this site on Thursday, the paper and code will be published here. Good article on previous theoretical SMM exploits can be found here.


TOPICS: Computers/Internet
KEYWORDS: hack; intel; intelsmm; rootkit; security; smm; x86

1 posted on 03/19/2009 9:45:32 AM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 03/19/2009 9:45:45 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Well, I guess I’m glad I’ve got AMD.


3 posted on 03/19/2009 9:57:35 AM PDT by the anti-liberal

To: ShadowAce

Is it a permanent write, or does the hack clear when you cold boot?


4 posted on 03/19/2009 10:04:36 AM PDT by zeugma (Will it be nukes or aliens? Time will tell.)

To: the anti-liberal
Well, I guess I’m glad I’ve got AMD.

Ditto.

5 posted on 03/19/2009 10:07:28 AM PDT by raybbr (It's going to get a lot worse now that the anchor babies are voting!)

To: the anti-liberal

>Well, I guess I’m glad I’ve got AMD.

Yep.


6 posted on 03/19/2009 10:07:36 AM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)

To: the anti-liberal; raybbr; OneWingedShark; ShadowAce
Well, I guess I’m glad I’ve got AMD.
AMD also uses SMM. I'm wondering if this "exploit" only works on Intel(?)
And if you need ring 0 privilege, doesn't that make a remote hack impossible?
Anyone? Anyone? Bueller?
7 posted on 03/19/2009 10:10:29 AM PDT by astyanax (Status quo, you know, is Latin for 'the mess we're in.' Ronald Reagan)

To: zeugma

Is there any memory within the chip itself?


8 posted on 03/19/2009 10:10:38 AM PDT by Hoosier-Daddy ("It does no good to be a super power if you have to worry what the neighbors think." BuffaloJack)

To: ShadowAce

They have no business posting this. They should send the hack to Intel. To do anything else is akin to a breach of national security.


9 posted on 03/19/2009 10:11:47 AM PDT by Hoosier-Daddy ("It does no good to be a super power if you have to worry what the neighbors think." BuffaloJack)

To: the anti-liberal
Well, I guess I’m glad I’ve got AMD.

Me too, at least at home. :-)

10 posted on 03/19/2009 10:16:19 AM PDT by TChris (There is no freedom without the possibility of failure.)

To: ShadowAce

They have no business posting this. They should send the hack to Intel. To do anything else is akin to a breach of national security.


11 posted on 03/19/2009 10:22:44 AM PDT by Hoosier-Daddy ("It does no good to be a super power if you have to worry what the neighbors think." BuffaloJack)

To: Hoosier-Daddy
Did you read the article?

both the CPU caching vulnerabilities and the SMM vulnerabilities already have been reported to intel. In fact, according to Joanna "the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees."

12 posted on 03/19/2009 10:40:38 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: astyanax
You are correct.

"If there is a bug somewhere and if it stays unpatched..." and if someone could somehow rewrite firmware from an unprivileged user application, and if, after all that, someone could somehow "call home" (critical for any exploit to be useful, and has to be executed, again, using the unprivileged user level, which will be intercepted by even primitive firewalls) ...

I'd say the chances for exploiting this in an undetectable rootkit are pretty "remote". Not that vigilance is not warranted, but releasing the exploits will help others, besides Intel, to find a rootkit detection and/or fix on a callback level.

Well done, Joanna!

13 posted on 03/19/2009 10:42:59 AM PDT by CutePuppy (If you don't ask the right questions you may not get the right answers)

To: Hoosier-Daddy

It’s a good thing. Those of us that are trying to defend the enterprise don’t have time to go poking into every nook and cranny in systems looking for holes that can be attacked. Joanna and other researchers’ data is vital to defending systems from attack. The data provided can be used to design detection and prevention strategies aimed at thwarting potential attacks.


14 posted on 03/19/2009 11:32:25 AM PDT by DaisyCutter

To: ShadowAce
Okay, so how would Intel "fix" these vulns in existing chips? I'm not a chip guru, but I know the microcode can be patched from the outside -- would that be the nature of the fix?

Or would that be the nature of the attack -- a bogus "Intel CPU patch" that gets into the regular OS updates (whether Windows or Mac)?

15 posted on 03/19/2009 5:54:37 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: ShadowAce

A detector shouldn’t be impossible. Running SMM code causes the CPU state saved and restored, flushes the cache and can mess with program timekeeping. Such operations are not common, so a constant recurrence of them would be an indicator you’ve been rooted.

Beyond that, you need specialized hardware to really see what’s going on. Our resident FPGA programmer (sorry, can’t remember which FReeper you are) could shed more light on that.


16 posted on 03/19/2009 7:53:07 PM PDT by antiRepublicrat (Sacred cows make the best hamburger.)
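The article explains that SMM code runs beneath the OS and cannot be read or controlled from it; comment 16 points out that the one footprint it leaves is timing, since the CPU vanishes into the SMI handler and then resumes. The probe below, added here as an illustration and not code from the article, the researchers or any poster, turns that observation into a user-space latency check: it samples a monotonic clock back-to-back and counts gaps longer than a threshold. The gap threshold, sample count and the use of POSIX clock_gettime are assumptions; any interrupt or preemption also produces gaps, so this is a baseline-and-compare heuristic (pin it to an idle core and compare against a known-good machine), not proof of an SMM rootkit.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic nanosecond clock (assumes a POSIX clock_gettime). */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Count consecutive-sample gaps above threshold_ns and report the largest
 * gap seen. Kept as a pure function so it can be checked against a
 * constructed timestamp series as well as live samples. */
size_t count_gaps(const uint64_t *t, size_t n, uint64_t threshold_ns,
                  uint64_t *max_gap) {
    size_t hits = 0;
    uint64_t worst = 0;
    for (size_t i = 1; i < n; i++) {
        uint64_t gap = t[i] - t[i - 1];
        if (gap > worst) worst = gap;
        if (gap > threshold_ns) hits++;
    }
    if (max_gap) *max_gap = worst;
    return hits;
}

/* Take nsamples clock readings as fast as possible, then score the gaps.
 * A stall in the loop is time the core spent elsewhere: an interrupt, a
 * context switch, or an SMI the OS never sees. */
size_t probe(size_t nsamples, uint64_t threshold_ns, uint64_t *max_gap) {
    static uint64_t buf[1 << 16];
    size_t cap = sizeof buf / sizeof buf[0];
    if (nsamples > cap) nsamples = cap;
    for (size_t i = 0; i < nsamples; i++) buf[i] = now_ns();
    return count_gaps(buf, nsamples, threshold_ns, max_gap);
}

int main(void) {
    uint64_t worst = 0;
    /* Assumed threshold: 100 us is far above a clock read, so a steady
     * stream of such gaps on an idle, pinned core is worth investigating. */
    size_t hits = probe(1 << 16, 100000ULL, &worst);
    printf("gaps over 100 us: %zu, worst gap: %llu ns\n",
           hits, (unsigned long long)worst);
    return 0;
}
```

A single run says little; the useful signal is a persistently higher gap count than an identical, trusted machine shows under the same conditions.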
