Intel CPU Privilege Escalation Exploit

Eukariote writes "A paper and exploit code detailing a privilege escalation attack on Intel CPUs has just been published. The vulnerability, uncovered by security researchers Joanna Rutkowska (of Blue Pill fame), Rafal Wojtczuk, and, independently, Loic Duflot, makes use of Intel's System Management Mode (SMM). Quote: "The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM." The implications of this exploit are severe."

5 of 242 comments

  1. And thus does the dance continue... by downix · Score: 4, Insightful

    The dance between malware writers and the security experts seeking to thwart them continues ever on.

    --
    Karma Whoring for Fun and Profit.
  2. more nonsense from the same people by YesIAmAScript · Score: 4, Insightful

    These people (I refuse to type their names) employ hype incredibly effectively.

    The implications of this exploit are incredibly minimal. They might help a rootkit hide a little better, but they don't make it any easier to install one.

    If you have malicious code running in ring 0, you're already so boned, you really need to dust off and nuke the machine from orbit anyway. And if you have malicious code that modified your BIOS (as some people list as a nightmare scenario), you again already have problems so large a little bit of SMM trouble means little additional pain.

    --
    http://lkml.org/lkml/2005/8/20/95
  3. Re:Doesn't seem that scary by sjames · Score: 5, Insightful

    It's much worse: when combined with a firmware rewrite, it will survive a complete reinstall and cannot be detected by a security scan booted from CD-ROM.

  4. Re:CD Boot by antifoidulus · Score: 5, Insightful

    While you succeed at being snarky, you fail at being correct.

    Dude, I think you came up with a new motto for slashdot!

  5. Wow by quo_vadis · Score: 4, Insightful

    Very interesting loophole. For those too lazy to read TFA, basically this attack allows someone running as root (or in some cases as a local user) to run code at a level that even hypervisors can't deal with. To put this into perspective: if you are running some big iron hardware with a dozen virtualized servers, then with a local privilege escalation exploit on one VM an attacker could use this attack to take over the whole system, even the secured VMs. The worst problem is that it would be undetectable. No VM and no hypervisor would be able to see it. Any AV call can be intercepted, as the SMM has the highest priority in the system.

    The solution on the other hand seems pretty simple. Make the chipset block writes to the TSEG for the SMRAM in hardware (by disabling those lines) and use some extra hardware to prevent those lines from being loaded into cache. Finally, make every BIOS SMRAM update contain a parity and create tools that allow an SMRAM parity check.

    --
    Legally obligatory sig : My opinions are my own... etc etc
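The last comment above proposes shipping an integrity record with every SMRAM update and a tool to check it. The block below is an added illustration of what such a checker looks like, not code from the thread, the paper, or any vendor: it builds a per-block CRC32 table plus a whole-image SHA-256 for a firmware region, then reports which blocks of a later copy differ. The 4 KiB block size, the `build_manifest`/`verify_image` names, and the 16 KiB sample image are all assumptions; the sample is constructed bytes, not a real SMRAM dump.

```python
import hashlib
import zlib

# Granularity of the integrity table. Chosen for this example; a real
# BIOS update would pick whatever matches its SMRAM layout (assumption).
BLOCK_SIZE = 4096


def build_manifest(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Produce the integrity record a firmware update would carry alongside the SMRAM image.

    Per-block CRC32 lets a verifier localise a change; the SHA-256 over the whole
    image is what should actually be trusted (CRC32 is a locator, not a MAC).
    """
    blocks = [
        zlib.crc32(image[i:i + block_size]) & 0xFFFFFFFF
        for i in range(0, len(image), block_size)
    ]
    return {
        "block_size": block_size,
        "length": len(image),
        "blocks": blocks,
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_image(image: bytes, manifest: dict) -> dict:
    """Compare a freshly read copy of the region against the manifest.

    Returns a report with an overall ok flag, whether the length changed, and the
    indices of blocks whose CRC no longer matches (empty when only the length differs).
    """
    bs = manifest["block_size"]
    if len(image) != manifest["length"]:
        return {"ok": False, "length_mismatch": True, "changed_blocks": []}
    changed = [
        idx for idx, expected in enumerate(manifest["blocks"])
        if (zlib.crc32(image[idx * bs:(idx + 1) * bs]) & 0xFFFFFFFF) != expected
    ]
    ok = not changed and hashlib.sha256(image).hexdigest() == manifest["sha256"]
    return {"ok": ok, "length_mismatch": False, "changed_blocks": changed}


def make_sample_image(seed: int = 0x5A) -> bytes:
    """Constructed 16 KiB stand-in for an SMRAM region (not a real firmware dump)."""
    return bytes((seed + i * 7) & 0xFF for i in range(16 * 1024))


def overwrite(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of image with data written at offset (simulates an unexpected modification)."""
    return image[:offset] + data + image[offset + len(data):]


def demo():
    """Run the checker on a clean copy and on a copy with 16 bytes altered inside block 1."""
    good = make_sample_image()
    manifest = build_manifest(good)
    clean_report = verify_image(good, manifest)
    modified = overwrite(good, 5000, b"\x00" * 16)  # offset 5000 lies in block 1 (4096..8191)
    modified_report = verify_image(modified, manifest)
    return clean_report, modified_report


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The check is only meaningful if the bytes being verified were read through a path the suspected code cannot influence; the same comment notes that code running in SMM could intercept an in-band read, which is why the manifest belongs with the BIOS update and the comparison with a trusted reader of the flash contents rather than with a scanner running under the OS.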