Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pentium Computers Vulnerable to Attack?

Posted by ryuzaki0 on from the sounds-like-more-work-than-it's-worth dept.

An anonymous reader writes "One of the latest security scares is coming from security experts at CanSecWest/core '06 in the form of a possible hardware-specific attack. The attack is based on the built-in procedure that Pentium based chips use when they overheat. From the article: 'When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loïc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.'"

24 of 227 comments (clear)

  1. the sky is falling by Anonymous Coward · · Score: 5, Funny

    physical access means the h4x0rs can take over your computer now, news at 11.

  2. Aren't you already screwed? by saleenS281 · · Score: 5, Interesting

    What am I missing here? If they already have that much access to the system, aren't you already screwed?

    1. Re:Aren't you already screwed? by Ars+Dilbert · · Score: 3, Informative

      I suppose this could be used to elevate one's privileges. Restricted user runs the exploit code, and it spawns a process that runs under admin or system credentials.

    2. Re:Aren't you already screwed? by mercut · · Score: 3, Informative

      What a crock. At least the editors could have linked to the actual presentation (beware, it's a ppt). I was at CanSec West and this is not as scary as you would think. The exploit requires escalated privileges to begin with. The only thing it can currently be used for is bypassing secure levels inside of OpenBSD, where you already have root. Next time the editors could do a little research before posting, oh wait, this is slashdot. --m

    3. Re:Aren't you already screwed? by gfody · · Score: 4, Funny

      you mean Chloe O'Brian did it while you were electrocuting president logan's nipples with a busted lamp

      --

      bite my glorious golden ass.
  3. Physical access by Toba82 · · Score: 4, Insightful

    Physical access trumps all security. Everyone knows this. This really isn't news, just an interesting new exploit that happens to affect a lot of... systems that are already vulnerable from the same people in the same situation.

    Move along, folks.

    --
    I pretend to know more than I really do by mooching off google and wikipedia.
  4. Sensational headline about a poor article. by dfn_deux · · Score: 5, Informative

    This hack assumes that the intruder already has write access to the nvram of the system. Also, the headline is just a cut/paste of a small portion of a poor article with few technical details. There is no PoC code, nor any specific chip mentioned. The headline refers to Pentium chips specifically and the articles says "any x86 based architecture, needless to say these are not interchangable terms... Shame on you Slashdot editors for posting this garbage...

    --
    -*The above statement is printed entirely on recycled electrons*-
    1. Re:Sensational headline about a poor article. by Jonboy+X · · Score: 5, Interesting
      By this point you may be asking yourself, "WTF is FCW.com anyway?" Their about page explains:
      Established in 1987, FCW Media Group uniquely integrates government, business and technology news and information to produce resources that help government IT decision-makers achieve results and meet agency missions. Our market-leading print, online, event and custom media products form an integrated information system that serves the information needs of all members of the government IT buying team-agency executives, program managers, IT managers and systems integrators-across all segments of federal, state and local government.

      FCW stands for Federal Computer Week, a trade rag that US gov't stooges use to figure out how to best waste our tax dollars of shiny boxes with blinky lights. Their topic headings include the buzzwords:
      • Defense
      • Enterprise Architecture
      • Executive
      • Integrators
      • Intelligent Infrastructure
      • Product Solutions
      • Program Management
      • Security/Homeland Security
      • Wireless

      The anonymous submitter might do well to remain so. Scuttlemonkey, OTOH, may have to enter the witness protection program. He's getting as bad as Zonk.
      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
  5. Security Experts Untie! by AKAImBatman · · Score: 4, Funny

    I am so glad that we have legions of Security Experts to protect us against every possible Rube Goldberg attack out there. Thanks to their tireless commitment to security, I can sleep safer at night by knowing that no one will take a blowtorch to my processor, install custom software, and then override the security safeguards that they could have gotten through by booting into safe mode. These people are truly a God-send. </sarcasm>

    --
    Javascript + Nintendo DSi = DSiCade
  6. Good Times by allanc · · Score: 4, Funny

    Remember that old Good Times virus hoax? People who were In The Know knew that it was a hoax because it claimed that, just by opening it, it could physically destroy your computer.

    Then a few years later, Microsoft brought us Outlook with automatic attachment opening, making the first part possible, and now Intel has given us the potential for the second part.

    Good Times apparently wasn't a hoax, it was just ahead of its times. :)

    1. Re:Good Times by ObsessiveMathsFreak · · Score: 4, Insightful

      Then a few years later, Microsoft brought us Outlook with automatic attachment opening, making the first part possible,

      The watershed for me, will always be the IE images exploits, where a malicious website could run code, simply by your browser attemtping to download a carefully crafted image file.

      There I was, for years, telling people; "There's no way you can get a virus by just looking at an picture on the internet". Boy was I wrong.

      Bottom line, not matter what you pronounce impossible through software, invariably, somewhere out there, there exists a bug to accomplish just that.

      --
      May the Maths Be with you!
  7. Sensationalist by MobyDisk · · Score: 4, Funny

    This attack would already require the malicious software to already be running on the machine and already have super-user access. Once you get there, it doesn't matter. The attack is worthless. Unfortunately, the article is short on details - so you can't tell if there is nothing to see, or if the report is just bad. I suspect there is nothing to see.

    Along a similar vein, I have developed a martial art where I can kill anyone in one blow. It requires that my opponent is already tied-up, asleep, and I have a gun.

  8. In other news... by endrue · · Score: 4, Funny

    Pentium computers are vulnerable to baseball bats!

    Seriously, if they have access then you are screwed anyways...

    - Andrew

    --
    I meta-moderate because I care.
  9. Not being a retard still work, though? Right? by SlappyBastard · · Score: 4, Insightful

    So, if I have a real firewall setup and I don't open every attachment I'm sent, I'm still safe, right? At the end of the day, you still have to run the exploit for it to work. So, how is that any worse than the rootkits running around at the moment? The vast majority of viruses still specifically depend on users who haven't hardened their systems.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  10. Re:FUD? by PsychicX · · Score: 5, Insightful

    That's where this article gets a little sketchy.

    When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity,
    Ok, fine.
    Every computer that runs on x86 chip architecture may be vulnerable to this attack
    Wait. How did we get here?

    Let's go through this, again. Intel Pentium 4s are hot. No surprise there. They enter special modes when overheating that may introduce a security vulnerability. Fine. How does this cross over to AMD and Via chips again? AMD and Via processors don't have special modes like that. If system heat becomes critical they will simply shut the system down flat out. On a Pentium 4, overheating is not entirely unexpected, particularly on the high edge of the clock speeds. On an AMD or Via, overheating is a major failure condition, probably caused by a heatsink falling off.

    So, how are all x86 chips vulnerable, exactly? (Incidentally, between this and this, AMD is really looking to be a much safer deal, not to mention faster, cooler, more power efficient, etc.)

  11. The devil is in the details by zenhkim · · Score: 5, Insightful

    Just went and RTFA, and I'm frustrated by a lack of hard details about the new threat:

    - The article states that all x86 processors "could" be vulnerable. Does that mean the *entire* series of Pentium chips, even the older PIII and PII's? If so, are they equally as easy to compromise as the modern versions?

    - There is no mention of AMD architecture. Doesn't AMD have an equivalent "overheat failsafe" halt-and-cooldown function? Wouldn't that make AMDs vulnerable to this type of exploit as well, or do they require a slightly different attack?

    - Isn't the motherboard BIOS FlashROM responsible for the monitoring of and responding to dangerous CPU temperatures? Haven't they already been safeguarded against unauthorized writes, due to the Chernobyl virus?

    I think I'll hold off on ordering the prototype Borg implants when they come on the market.... :-(

    --
    "All hands, BRACE FOR IMPACT!"
  12. Good thing macs aren't vulnerable. by numbski · · Score: 5, Funny
    Whoo, I'm safe!
    # machine
    i486
    Well, crap. :P
    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  13. A few more details by Mr+44 · · Score: 5, Informative

    I can't find the actual paper anywhere, but this blog posting has way more details than the article originally linked ... Very interestingly, Windows XP is not vulnerable, but OpenBSD is.

    1. Re:A few more details by Cleveland+Steamer · · Score: 5, Informative
      Yes, this blog posting is interesting, but it still leaves some important details out.

      Linux and *BSD have a /dev/mem device interface for accessing physical memory from user space. Usually, this device only allows access from a priviledged user:

      crw-r----- 1 root root 1, 1 Dec 6 12:34 /dev/mem

      Using /dev/mem, it should be possible to access the address range assigned to system management RAM. However, the CPU has a Model-Specific Register (MSR) for enabling and disabling accesses to SM RAM. The instructions that are used to read and write MSRs (RDMSR and WRMSR) must be executed from ring-0 (kernel level) or else a GPF occurs. However, the Linux kernel can be configured to provide a user level interface to MSRs via:

      crw-rw---- 1 root root 202, 0 Feb 24 09:18 /dev/cpu/0/msr

      Again, you'll probably need root priviledges to access the device.

  14. UNIVAC had similar vulnerability in checkpoint by dbc · · Score: 4, Interesting

    This reminds me of the vulnerability in the operating system that shipped with the Univac 1100/10. The checkpoint/restart facility allowed you to write a checkpoint image to tape. Part of the checkpoint image was the system status register.

    The crack:
    1. Checkpoint your job to tape.
    2. remount tape.
    3. fiddle the executive-mode bit in the dumped status register.
    4. remount tape.
    5. restart job -- mainframe p0wn3d.

    Of course, in those days, a student that could do that was quickly hired into the system programming staff so that they could keep a closer eye on him and also get some productive work from him.

    Ohh... BTW... if you can find an 1100/10 these days, it won't work any more. They fixed that about the same time they quit making CPU's out of vacuum tubes.

    I wish Intel would create new bugs, instead of just repeating old ones. Copycats.

    Just think, the script kiddies that pulled this off are now drawing Social Security.

  15. All Pentiums also vulnerable to DoS by throx · · Score: 4, Funny

    ALERT!

    Pentium based machines are also vulnerable to a denial of service attack from a hacker with physical access to the machine and in the possession of a large axe. Should the attacker be wielding a pair of axes (one in each hand) then the attack would constitute a distributed denial of service.

    --

    Fear: When you see B8 00 4C CD 21 and know what it means

  16. Think like an evil hax0r, then be afraid. by jmorris42 · · Score: 4, Interesting

    > The exploit requires escalated privileges to begin with. The only thing it can currently
    > be used for is bypassing secure levels inside of OpenBSD, where you already have root.

    People, think this through a bit and some more dangers appear. If root can replace System Management Mode there are some interesting possibilities for evil. SMM runs at permission levels beyond ring0, think of it as ring-1. From there you can escape any virtualization, any chroot jail, probably even escape from inside an emulator like VMWare if you can manage to execute the exploit without the emulation catching it and simulating it. Until this is completely understood and fixed, Xen, usermode linux, chroot and possibly VMWare/VirtualPC should be suspect.

    Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?

    --
    Democrat delenda est
  17. Better article: no FUD-OpenBSD demo-Theo comment by droopycom · · Score: 4, Informative

    From : http://blog.ncircle.com/ (scroll down)

    cansecwest/core06: "security issues related to Pentium SMM"

    Loic Duflot
    Title: Security Issues Related to Pentium System Mgmt Mode

    It is day 2 at Cansecwest and this talk wins for 'so frightening that you want to hide under your desk in the fetal position'.

    I'll go through the high level technical and then end with pointing out a principal that is one of those universal truths I carry around with me everywhere.

    This entire exploit is based on documented x86 functions.

    Your CPU runs in a few modes, one of those modes is known as Protected mode, other known as System Mgmt Mode. When your OS is running, your in Protected mode and this is how much of the security is performed and you'll hear of ring0 and ring3. Just know that your in-world universe is in protected mode.

    System Management Mode (SMM) is used so that when there is something external to your OS world like say a thermal condition that needs to communicate some message, the CPU saves all its protected mode state out, does all this SMM stuff and then return to its regular scheduled program in protected mode.

    There are details that evolve registry addresses and very low level operations but for the most part, a system in a very secure state can be circumvented via this SMM facility. I'm talking free access to all memory and IO.

    The song goes a little like this:
    Enable SMI
    Open SMRAM space
    Replace default SMI Handler by custom one (do your duty)
    Close SMRAM space
    Trigger SMI
    Gain access to restricted operations.

    In the wider picture: works on most systems. Turns out that Linux and the *BSD's will fall victim to this attack strategy, however, Windows XP is not known to be exploitable because of a few system calls that are not present and more importantly a certain memory range in protected mode is not shared addresses to SMM.

    So, for the demo, they did not pick some shabby OS to exploit. How about OpenBSD at level2 (high security) with allowaperture=1
    Ummm...it worked. Theo, microphone please?

    Theo spoke to this OPENBSD issue and said he and the team have known about it for a year. They are between a rock and a hard-place because Xserver is really the core of the problem. It has too much damn access to regesters and is in the most unfortunate address space in protected mode because when in SMM, what is in that address range can be used to exploit.
    Solution is for Xserver people to abstract sufficiently so that the kernel can have more governance on the Xservers logic.

    Closing TK comments:
    A system or a world that has a policy governed by in-world mechanisms cannot be effective when a process in-world can reach to the out-world to cause in-world change. You could also say that since a problem cannot be resolved at the same logical realm it has been created, then it is also the case that the most effective governance of a world can only come from outside that world. Think about all the crazy things we do in the physical world. As soon as we could get to the strong and weak forces at the atomic level, we created a incredibly destructive device. I just hope that if string theory is right and there really are energy strings at the lowest level of the universe, that no one in our world get control of them. The negative outcome caused by the power hungry is too high a risk to even consider the positive benefits.

    Its late and I have been blogging way too much today I am certain that my mental packet loss is abnormally high. I'll return to this in-game out-game concepts later in another blog entry, when I am less sleep deprived.

    --tk

  18. It's a frustrating article by Beryllium+Sphere(tm) · · Score: 3, Interesting

    But it looks like there may be something real here.

    The presentation lists events that will trigger a System Management Interrupt (SMI) and enter System Management Mode (SMM). Overheating is only one of them. Another is "century rollover". Taken literally, that would mean that anyone who could set the clock to 11:59 December 31 1999 [I'd say 2000 but I doubt the chip is mathematically correct] can enter SMM without needing physical access to the machine or to the circuit breaker for the air conditioning. Or to use the presentation's example, outl(0xB2, 0x0000000F);.

    If I read this problem report correctly, then a process outside of SMM can write to the memory for SMM. (Controlled by the D_OPEN bit in the SMM control register).

    So it looks like you can do it without physical access, where "it" is a privilege escalation that *starts* from root. That's getting less absurd all the time as virtualization and technologies like SELinux become more common. Also allows planting a deeper-than-root rootkit. You could escalate to God of Hardware or in the CanSecWest example to "root at securelevel -1".

    Maybe I should email Duflot for details and write up something for my nerdish security blog