
Thread: Intel CPU Privilege Escalation Exploit

  1. #1
    AO Security for Non-Geeks tonybradley
    Join Date
    Aug 2002
    Posts
    830

    Intel CPU Privilege Escalation Exploit

    Joanna Rutkowska has posted information on the Invisible Things Lab's blog, including a white paper and proof-of-concept code for an attack that allows for privilege escalation from Ring 0 to SMM (System Management Mode) on many recent motherboards with Intel CPUs.

    Check out the ITL blog for more details and to download the white paper: http://theinvisiblethings.blogspot.c...intel-cpu.html

  2. #2
    Senior Member t34b4g5
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Greetings.

    I remember reading about this a few days ago. Thanks for reminding me, tony.

    Anyhow, here is another link from where I read about this the other day:
    http://www.networkworld.com/community/node/39825

    This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.
    Security researchers Joanna Rutkowska and Loic Duflot are planning to release a research paper + exploit code for a new SMM (System Management Mode) exploit that installs via an Intel® CPU caching vulnerability. Joanna, of Blue Pill fame, reported this on her blog.
    Joanna cleared it up for me that they are not releasing an SMM rootkit but rather an exploit. It will be up to some other folks to tie this in with an SMM rootkit like this one perhaps.
    "Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours."
    The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any operating system. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy! It is very much like the Blue Pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors, so if you'd like further education or a history lesson, here is a good article.
    Now remember that what Joanna and Loic will be releasing is a brand new, never before disclosed Intel caching hack that allows them to gain access to SMM space and run their new exploit. If you then use this exploit to run an SMM rootkit that has the ability to call home to its creator to get new code or deposit its findings, you're really gonna have a powerful hack. No software you can run on your operating system would be able to detect this type of exploit once you are p0wned.
    So why would they release the exploit code to the public, you ask? Aren't security researchers supposed to play by the rules and refrain from disclosure? Well, here's the thing: both the CPU caching vulnerabilities and the SMM vulnerabilities have already been reported to Intel. In fact, according to Joanna, "the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees." Both Joanna and Loic also officially reported this and other related bugs to Intel. Loic did so back in October 2008. (Correction: the previous tracking number I just deleted in the article is for a different bug that Joanna also discovered and is currently not patched by Intel yet.) Bottom line is that Intel has known about this vulnerability and others for years and it can be argued they haven't done due diligence to fix them yet. When this happens, security researchers have little choice but to release their findings publicly, the assumption being that if Intel has known about it for years then for sure someone with less than legal intentions is already exploiting it. Here is how Joanna puts it:
    "If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later. So, don't blame researchers that they find and publish information about bugs — they actually do a favor to our society."
    Is your PC currently p0wned by some hacker ninja using a SMM rootkit? How would you tell? You can't tell!!!!! MUWHAHA!
    I just hope Intel fixes these vulnerabilities fast.
    Keep checking this site on Thursday; the paper and code will be published here. A good article on previous theoretical SMM exploits can be found here.



    The opinions and information presented here are my personal views and not those of my employer.
    The scariest bit is the fact that this has been discovered a few times over the years, and it's not good news that Intel have never tried to patch this.

  3. #3
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Privilege escalation? You would need to be admin to run it.

  4. #4
    Gonzo District BOFH westin
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I heard about this more in the context of rootkits. Basically, if your system was compromised, and someone made use of this vulnerability, it would be very hard to remove the rootkit. Reimaging wouldn't take care of it, since the kit would be at the hardware level.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  5. #5
    *tadada dadat dadat dada* !!
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
