Domain: exploit-db.com
Stories and comments across the archive that link to exploit-db.com.
Comments · 35
-
Re:Intel's updates also slow down AMD chips that do
The AMD scheme does AES-128 on the fly when reading anything from DRAM (!)
https://lwn.net/Articles/69982...
There are two separate features, Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV), that both use the same hardware support that will be provided in upcoming processors. That support includes an AES-128 hardware engine inline with the RAM and memory controller so that memory can be encrypted and decrypted on the way in and out of the processor with "minimal performance impact". The data inside the processor (e.g. registers, caches) will be in the clear; there will just be a "little extra latency" when RAM is involved.
It seems like the ASID (the AMD equivalent of Intel PCIDs, which actually predates PCIDs) is part of the AES key.
The hypervisor then allocates an "address space identifier" (ASID), which is what identifies the guest (and the key for that guest's memory). That ASID is provided to the secure processor with a request to generate or load a key into the AES engine and to encrypt the BIOS/OS image using that key. The hypervisor then sets up and runs the guest using the ASID assigned; the memory controller, AES engine, and secure processor will work together to ensure that the memory is encrypted and decrypted appropriately.
On the other hand it's aimed at hiding hypervisor data from guest OSs and vice versa. It's not designed to hide process or kernel data from other processes on the same OS. Then again AMD isn't vulnerable to the KPTI hole as far as I can tell - that's to do with Intel's implementation of speculative execution.
Of course AMD might be vulnerable to other bugs like this. Like you say, Spectre seems to affect "Intel, AMD and ARM".
https://www.exploit-db.com/doc...
Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks represent a serious threat to actual systems, since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices.
If AMD are confident enough in their AES engine to put it inline with the RAM and memory controller, they could probably work out how to make it do process isolation by encryption. E.g. if you could set it up so kernel memory was AES-128 encrypted with a random key then it would matter less if a user process was able to read it.
But what happens when you have virtualization? AMD's scheme protects guests from hosts. I'm not sure how you could additionally protect kernels in a guest OS from processes in that same guest OS.
-
Re:So...
Attacks on popular add-ons: https://arstechnica.co.uk/info...
Paper discussing the problem: https://www.exploit-db.com/doc...
-
Re:The dark covenant
Why is it that Windows & Linux are always getting hacked but you never hear about exploits for the Mac huh? What gives!?
Because you're not paying attention.
https://www.exploit-db.com/exploits/36692/
-
Re:Why didn't I think of that...
-
Re:Botnet?
On some models of printer, port 9100 can do a lot more than just accept data to be printed...
For instance, some Xerox printers let you upload firmware updates via port 9100, and vulnerabilities exist allowing remote code execution (see https://www.exploit-db.com/exp...)
Printers are fully capable computers, having processors far more powerful than even high-end servers from a few years ago. If someone gains the ability to execute arbitrary code on one, then they have a foothold on your network capable of launching further attacks against other hosts.
-
My R7800 with firmware V1.0.2.12
is not affected. The CERT link is kind of crap but they have reference links at the bottom which have more meat, including a PoC you can do easily (http://RouterIP/;telnetd$IFS-p$IFS'45' is supposed to open telnet on port 45).
-
Re:This is pretty common.
So you are bragging you are running Linux which has more vulnerabilities than Windows while being "forced" to run Windows for games? Aww poor baby!
Shellshock, Heartbleed, the assraping of Linux is just starting and it's gonna get a HELL of a lot worse. While MSFT has had a big ass bullseye painted on them for years to drive them to increase their defenses, Linux has been coasting on security by obscurity; well, those days are over, friend. Android is getting pounded by nasties and Linux is just getting beaten up as you can see, and with another Shellshock on the way there are even calls for a security audit in light of the constant pounding it's gotten.
Frankly the FOSSie faction should be getting scared right about now. MSFT has been hardening their OS and getting their lessons in a war with the malware writers; now you have Low Rights Mode, ASLR and DEP, Secure Boot. Windows isn't the easy target anymore....Linux is. Between the coasting on security by obscurity, an OS made up of teeny tiny fiefdoms that don't collaborate or care, and oh yeah...a new spreading mess known as systemd spreading tendrils in more and more critical systems while being run by a guy that blogs such "wisdom" as "can't get systemd running on ARM, shipping it anyway", the low hanging fruit? It's Linux and Android.
So get ready for it, because it looks like in less than 24 months you'll be posting "I HAVE to run Linux on one system for a program I need, the rest are running Windows". And when that day comes? You can thank Torvalds and all the other arrogant old guys that can't see beyond their own little gardens that have let Linux become a weak walled buggy mess.
-
Re:It Depends
You have obviously never used the Metasploit Meterpreter. It can pivot off any running process and run commands with that privilege level. It can also traverse your network creating tunnels as it goes along. This is why you want to prevent privilege escalation and the tunnel creation. If they can't escalate or create a tunnel then they are stuck on the first box that is exploited. It's damage control. It also buys you time to respond. If you can detect the activity you want to be able to stop it before the threat spreads.
In an eCommerce environment this is the difference between losing your user database and losing customer information. There have been many breaches in recent history where user data was leaked but no customer information was compromised. The bank is able to reset all passwords before damage is done. I imagine there was some form of internal security that kept the intruder away from sensitive data on another server deeper in the network.
A layered security approach has benefits. Is it overkill? That depends on a changing threat landscape. Tomorrow we may all be vulnerable again.
Check the exploit DB for APACHE exploits and come back a paranoid security advocate:
-
1 second search
-
Re:Nothing you can do?
That won't help if tomorrow someone finds a vulnerability in the openssh server that enables bypassing that (maybe something like this one from 2011), and that someone, instead of announcing it worldwide (i.e. the NSA), starts to use it to deploy their own backdoors in your server. Not having access to the service in the first place will avoid potential future exploits on it. Of course, there could be exploits for the portknocker daemon, but as it is simpler than the sshd (or any other service you have published that is not meant for the world) it should be easier to check/audit it (only 2 vulnerabilities were found so far that I'm aware of, and they imply either already being logged in to the system, or being successfully authenticated).
And, btw, the Single Packet Authentication uses a certificate too to open the port for your IP. And then you can use your own ssh certificate or password to login.
-
Re:TAILS
I don't understand how they could root you if you're not running any plugin and have Javascript disabled, could you explain?
By exploiting vulnerabilities in the browser. Being a piece of software it's no more secure than any other out there. Spoofing user-agent might help, but the dilemma runs like this:
* Using a non-popular browser (e.g., Midori, Lynx) would make you slightly less prone to these attacks as the focus is usually on the popular ones (Firefox, IE).
* The browser in question might have "leaks" (e.g. cookies) which the Tor community tries actively to plug against by releasing a standard bundle based on a popular browser.
-
Re:Not equally likely
Yeah... tell that to the operators of all the compromised *nix systems over the years... Linux is so secure and so is osx. Windows had a *LOT* of security issues, the most exploited one in 1999 being the fact that email (outlook and outlook express) ran javascript, and put it in the *LOCAL* (unrestricted) security domain as opposed to say *UNTRUSTED*. That was 14 years ago... they have gotten a lot better. At this point, between Windows, OSX and Linux, I would probably put Windows slightly ahead. Most Windows exploits come from popular 3rd party apps/plugins (Acrobat, Flash, Java) and not so much the OS, or core parts.
With Linux, you *could* argue that a flaw in OpenSSL isn't an OS flaw, but considering windows is a lot more than the kernel, and most distros will use OpenSSL it can be included. They all have their flaws. Windows is more targeted as a numbers game... 90% of the users, running with 95% compatibility across versions... vs. OSX 10-13% of users with 85% compatibility, or Linux which has maybe 30% compatibility between differing systems. Linux attacks are precisely targeted, Windows are scatter-gun any exploit you can find, push it out, and OSX is mostly targeted via Trojans inside pirated software releases.
It is emphatically *not* that they are more secure... also, you do *NOT* need root for an effective exploit.. most user systems only have a single user account, and as long as that account is compromised, you have all you need.
-
Re:Public Service Announcement
Unless coupled with a DNS rebinding attack (or something of similar nature) where an exploited computer on the network is used to take control of the router and give the hacker access. Because you know there have been no major exploits lately, that could be used as a launching point for this also.
Exploits like this are even more dangerous, because where people are apt to catch on that their computer is exploited at some point, they may never notice their router is acting up.
-
Re:Whitelist is old news
Bzzt, wrong. MP3s have been the vectors for exploits too.
> Your MP3s are safe from viruses
http://www.exploit-db.com/exploits/14309/
http://www.gnucitizen.org/blog/backdooring-mp3-files/
http://www.theregister.co.uk/2002/04/29/winamps_malicious_mp3_vuln/
Any interpreter can be used to run an exploit if the interpreter has a flaw. The seemingly huge number of flaws in interpreters shows that it is either hard, or people that write software make a lot of mistakes.
-
Re:Infected Linux?
Yeah, the "in the wild" part is the countless rooted Linux web servers on the internet, serving primarily Windows clients through hacked advertisements which attempt to inject malware via browser bugs.
-
Re:People have been saying this for a long time.
Where usually the "exploit" ends because there are no "dozens of working linux privilege escalation bugs" anywhere outside of your imagination.
hahaha..
http://www.exploit-db.com/exploits/18411/
http://www.exploit-db.com/exploits/18280/
http://www.exploit-db.com/exploits/18163/
http://www.exploit-db.com/exploits/17391/
http://www.exploit-db.com/exploits/17787/
lol.. I got bored copy pasting because there are just so many bugs that are found out. Why do linux developers suck so bad? They are continuing to plug leaks while hackers continue to find bugs. Of course I know these are probably patched by now, but if you want unpatched ones you need to pay ;-) they are not for free.. hehe. Meanwhile the windows kernel has had very few bugs so far and most windows security exploits are due to buggy drivers, msoffice, flash, pdf, etc. vulnerabilities. If you can't see this difference then you are a stupid person and you should kill all your friends and then kill yourself. :-D
> Most Linux boxes that are broken into, are abandoned or maintained by people who can't run anything on any OS without messing up
lol wut? Blame the user. Nice OSS strategy. linux only works if it's locked down.. like on android.. or you are forced to hire a person to administer it.. like on servers. for the general use case.. linux is a complete failure.
-
Re:'We don't know the antivirus group inside Apple
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Linux&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
Do you have a point? My list goes over 23 pages, yours not even over 3 and a half.
-
> 'We don't know the antivirus group inside Apple.'
Because there aren't any. I worked for them, and customers that called in were routinely told there is nothing to worry about when it comes to malware.
On their corporate side you would be amazed at who states exactly the same thing when they should know better.
-
Re:No good guys
The structured framework approach seems to be the effort of the security/pen-test industry. Metasploit is basically a very structured approach to exploit code, offering payloads in the form of shellcode (notably the meterpreter), crypters to go with that, and basic trojan/binder functionality. It also has a few auxiliary modules for various stuff. There's also CANVAS and Core Impact but those are expensive and I've never played with them. Before and besides that, exploits were and are written in the form of small programs in C/Perl/whatever like the ones you can find at http://www.exploit-db.com/.
-
Re:Pwn2Own rocks.
-
Re:WOW...
Yeah, 32 pages of Linux exploits vs 175 pages for Windows really drives your point home.
Anyways, you're talking about "linux kernel and nt kernel bugs" and provide a link to db listing _everything_ that can count as exploit - kernel, core libs, 3rd party soft, local, remote, root, DoS, shells, reverse shells - all in one mixed listing. Very helpful, that.
-
WOW...
So Linux is only secure if you hire a system administrator to install and configure it. And yet.. Linux webservers keep getting defaced daily. And yet... the Linux kernel has *always* had more security bugs than the NT kernel. If every security bug in Linux was front page news on slashdot like Windows bugs, Linux would probably have 0.1 market share instead of 0.3. (LOL)
-
Some of you understand it
Any file can be used to exploit an application.
Sorry in advance for the grotesque URL.
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=vlc&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
-
Re:I'd Still Like To Know...
Why is it so surprising? Sounds like the most mundane thing if you pay attention to security mailing lists. (Hint: You won't see linux security bugs hitting the front page on slashdot for obvious reasons.) Linux has had dozens of privilege escalation vulnerabilities, more so than NT. (Although on windows.. most of the idiots run as admin.. so it isn't required anyway.)
-
Re:sudo -u lamer /usr/local/Adobe/bin/acroread
> #1 is common, #2 is rare
Bullshit. Seriously, I have nothing else to say. That's just flat out *wrong*. Hell, a quick google search for "ubuntu local privilege exploit" gave me this gem for 10.04 from late September: http://www.exploit-db.com/exploits/15074/
And that was the *first hit*.
-
Re:Adobe Reader, now even slower!
Foxit is fine for home assuming you remember to correctly untick all the adware options. But in a work environment (I work at a printer's) on average I'd say Foxit incorrectly renders PDFs about 5% of the time, leading to support calls, whereas Adobe Reader's incorrect rendering is pretty non-existent. (I actually tried switching work over to Foxit a while ago, nothing but support hassle from incorrectly rendered PDFs.)
I'm not defending Adobe here because I think their reader is a bloated pos, but if you're going to recommend a third party PDF viewer then Sumatra is the best: it's lightweight, loads damn near instantly and doesn't include a JS engine, side-stepping a lot of security issues.
Also, on the major attacks/flaws thing. Actually Foxit has had some seriously bad security issues, you need only google for "foxit reader security holes" or look on exploit-db to see them.
-
Re:lolwut?
I wonder if the book covers how to hack JomSocial?
;)
http://www.exploit-db.com/exploits/15164/
Having sifted through Joomla extension exploit reports, and found a lot of false reports, I will say that this report looks real: http://www.exploit-db.com/exploits/15164/
I would also suspect that on various versions of php, it should be possible to guess the file name of the upload, even if the directory index feature is disabled on the webserver, so the workaround may not be as useful as is suggested.
I have not looked at the code, but I suspect that one could make an educated guess about the file name if one uploaded a couple videos.
I guess the moral is that if you are using jomsocial, UPGRADE.
-
Who cares?
Who cares about your router when I can just own your modem? http://www.exploit-db.com/download_pdf/13592
-
Re:Not using any bogons over here