Intel CPU Privilege Escalation Exploit

Eukariote writes "A paper and exploit code detailing a privilege escalation attack on Intel CPUs has just been published. The vulnerability, uncovered by security researchers Joanna Rutkowska (of Blue Pill fame), Rafal Wojtczuk, and, independently, Loic Duflot, makes use of Intel's System Management Mode (SMM). Quote: "The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM." The implications of this exploit are severe."

And thus does the dance continue...

[downix]

The dance between malware writers and the security experts seeking to thwart them continues ever on.

Ouch

[Big+Hairy+Ian]

This could make the apple bricking patch look like a kindergarten party

Re:Ouch

[Z00L00K]

Just consider a malware that replaces the PC BIOS with it's own code. Sure it may brick a few, but it may also be a new interesting level of malware.

Write-protect your BIOS:es and you can be a bit safer.

Another interesting thing is that this may be a way around the TPM chip and other copy-protection techniques too.

And beware of special bioses from manufacturers that allows your employer to run keylogging!

Re:Ouch

[Molochi]

I think this bypasses bios write protection unless you still have a motherboard that uses a jumper for this. None of mine do.

Could be used as a force for good, true.

Re:Ouch

[Knara]

A kindergarten party?

Re:Ouch

[machine321]

I was on the apple bricking patch for a while, it really helped me quit apple bricking.

CD Boot

[Baldrson]

TFA: The malware code takes over a PC with little or no recourse to remove it.

Haven't these guys ever booted from a CD?

Re:CD Boot

[adonoman]

You're assuming that the rootkit isn't loaded before the bios tries booting off the CD.

Re:CD Boot

[CannonballHead]

No, really. It takes it over! You can't even come within 5 feet of the case, the malware pushes you back!

Re:CD Boot

[I.M.O.G.]

Haven't these guys ever booted from a CD?

While you succeed at being snarky, you fail at being correct. Assuming the article is credible and accurate, it explains why booting from a CD won't save you:

By design, the operating system cannot override or disable System Management Interupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system makes an SMM rootkit incredibly stealthy!

Now with that said judging by the authors language at networkworld he likely doesn't fully understand whats going on - he uses words like "powned" and "the PC is living in the matrix", whatever the fuck that means! I'll reserve my judgement on this until I read more from someone that owns a clue.

Re:CD Boot

[vadim_t]

And you fail at understanding.

The exploit talks about modifying SMRAM. It's done with root level access on the computer. And in my understanding, the effect is not permanent, since you're changing RAM. Reboot, and it'll be gone.

Now, once it's there, the OS can't have an antivirus scan that memory area. But that's it. If this thing persists across reboots, something has to put it back into the SMRAM, and you could find that something by booting a scanner from a CD, or reformatting the computer.

I don't see this as a particularly scary thing. Yes, it's nasty. But a virus could also disable antiviruses and patch the kernel to hide its presence for the same effect.

This is the same scaremongering as with the virtualization virus. Yes, it's a new way a virus can use to hide. But it's absolutely nothing new. Under DOS, viruses would trap DOS calls, and remove themselves from opened files, so that an antivirus trying to scan the file would see an uninfected one. Boot from a floppy, and none of that trickery will be active.

Re:CD Boot

[vadim_t]

My understanding is that "SMM space" refers to an area of memory even the OS kernel can't access, but doesn't mean it's anything that persists across reboots.

If I got it correctly, an userspace app can't write to kernel memory, and the kernel can't write to SMM memory, but it's RAM all the same, and located on the RAM modules plugged into the motherboard and not any particularly special place.

Re:CD Boot

[antifoidulus]

While you succeed at being snarky, you fail at being correct.

Dude, I think you came up with a new motto for slashdot!

Re:CD Boot

[dgatwood]

Also, the virus could use a commonly available BIOS utility to flash malware into the cmos. Much, much more insidious than a traditional file-based root. Then it's there on every boot.

AFAIK, it can do that from Ring 0, too. About all SM mode does is allow you to temporarily inject yourself under the kernel in an undetectable way for a single boot; if you don't delete yourself from disk, you can still be detected by virus scanners and deleted, at which point your code would go away on the next boot... unless you start sniffing disk block writes and try to hide your files from the virus scanner. Either way, AFAICT, a cold boot from a recovery disk can clean up anything you could do in SM mode that you couldn't do from ring 0.

These attacks have been around for a while. Here's an article about an attack that obtains SMM access (from user space code in that case) from way back in 2006. The only thing that's new is that this is a new/different way to get into SM mode.

But more importantly...

... Joanna Rutkowska is hot!

Re:But more importantly...

This is an even better picture. But it's not Joanna.

Easy workaround

Run all code on a 286 or below.

Wait, what?

[girlintraining]

Wait... You have to get your code running in ring 0 and then you can do anything you could do with ring 0 access? Wow. Quite an exploit. -_- And a reboot removes the code.

Re:Wait, what?

[Molochi]

The exploit allows access from Ring to SMM? Summary is confusing but I think we're talking about an exploit that can write to bios even with flashing disabled at the bios level.

Re:Wait, what?

[girlintraining]

It might be more accurate to say the OS does not manage or provide services for the SMM. Any code executing in the OS with sufficient access rights can make "unsafe" calls to trigger SMM events, or to any other hardware device in the system. The OS only recognizes the SMM to the point of saying "If you don't finish what you're doing within N clock ticks, I'll crash", and then it syncs with the clock upon the SMM releasing control back to the OSS. If it exceeded that timeframe, the OS simply throws its hands in the air and says "Frack you." Anything loaded into the SMM would have to be very compact, and would be incidentally detectable much the same way software can detect when it is running in a VM -- by looking for delays.

Doesn't seem that scary

[vadim_t]

From the PDF:

Below we describe how to exploit cache poisoning to get access to the SMRAM memory. We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code.

If they can do that, your box is rooted already. The only difference seems to be that in this way it can hide in a place where the OS can't get at it. But IMO, if you're compromised you can't count on the compromised OS being able to remove everything malicious anyway.

Re:Doesn't seem that scary

[sjames]

It's much worse, when combined with a firmware re-write, it will survive a complete re-install and cannot be detected by a security scan booted from CDROM.

Re:Doesn't seem that scary

[sjames]

Well, and why would the firmware allow a rewrite?

My motherboard seems to be on the right track -- it's possible to flash the BIOS from the BIOS. So there's no need to allow write access at any other moment.

Motherboards seem to come configured to forbid flashing by default, too.

In many cases, the BIOS manages that trick because trying to set the write enable bit in the chipset triggers an SMI. If the exploit has replaced the code that the SMI calls...

In other cases, it's just that an undocumented GPIO line is anded with the write line on the flash. The flasher program knows which line to set or the SMI routine sets the line in response to a write to a fake register location. Often, that trick can be brute forced using the CFI ID command to the flash to determine when you've found it.

The one and only real way to protect the flash is to have a jumper that actually disconnects the write enable line in hardware. Practically no motherboards seem to take that approach.

Keep in mind that some network cards and disk interface cards (especially SCSI adapters) also have a flash in them. They have a boot signature so that the BIOS executes their POST routines before even considering loading a bootloader. Most of those can be re-flashed while running as well if you frob their config registers the right way.

Ring of Fire

[goombah99]

So it says you can promote from ring0 to SMM. So I take it that's a lower level of hell?

If you are running in ring zero doesn't that mean by definition you are completely trusted anyhow?

Or is the vision something like you enter your root password to install the cheeze-whiz app and the mal ware not only installs the code but escalates itself above the operating system.

I think I'm not getting it.

Re:Ring of Fire

[blueg3]

Actually, as I recall, the hypervisors run in ring 0 and generally push the kernel up to ring 1.

Anyway, jumping to the hypervisor level is Blue Pill, by the same people. That was a few years ago. This is actually jumping to a lower level (below that of the hypervisor).

If you're playing the rootkit versus rootkit detection / prevention game, attacking a lower level than your opponent is powerful. A rootkit detector in the hypervisor has an enormous advantage over a rootkit in a VM, and vice versa. A rootkit at the SMM level has an enormous advantage over rootkit detectors at the kernel or hypervisor levels -- which is the lowest easily-accessible level.

Note that these guys did propose a solution in the same talk they presenting this problem.

Inexcusable

[sjames]

Considering that SMM exists solely to help proprietary vendors hide the "secret sauce", this is inexcusable. Every legitimate use of SMM could be accomplished by telling the OS that the memory area is reserved without hiding it away.

The most frequent use is to have a proprietary chipset device emulate a standard one without revealing the details of its operation.

Often enough, the "big secret" is that the hardware is crippled and the CPU is doing the real work. Kinda like those onboard "RAID controllers" that are just a plain old IDE interface and a poorly implemented softraid in the proprietary driver. The next step from that is to hide the softraid in SMM and have an SMI trigger whenever the OS writes to the fake registers in the PCI space.

Re:Inexcusable

[Animats]

Often enough, the "big secret" is that the hardware is crippled and the CPU is doing the real work.

Yes. And board manufacturers get really angry when someone detects that.

In the QNX community, where "real time" really means something, there's a common test of the operating system's real-time response. The tester wires up a square wave generator to an input that will cause an interrupt, programs the computer to wait for the interrupt and start a real-time user process, and has the user process turn on an output. You run some program in the background to keep the CPU busy. On a serious real-time OS, this shouldn't hurt real time response, and on QNX, it doesn't. There are no long interrupt lockouts in the QNX microkernel. Drivers are interruptable user processes.

Input and output lines are then wired up to a storage oscilloscope, to display the interrupt response. On most machines, the scope shows a nice, boring, consistent interrupt response time of a few microseconds. But on some CPU boards, there's a spike way out there from the expected delay period. This shows clearly the occasional huge delay (by real time standards) of hundreds of microseconds, maybe even more than a millisecond. That's because something is going on in System Management Mode. QNX programmers have found USB serial emulation, flash disk IDE emulation, and other crap running at SMM level.

When a vendor gets caught doing this, word gets around in the real-time community that their board is unacceptable for real-time use. Vendors selling embedded system boards have been caught this way.

Hard real time is a world in which stuff is expected to actually work every time.

more nonsense from the same people

[YesIAmAScript]

These people (I refuse to type their names) employ hype incredibly effectively.

The implications of these exploit are incredibly minimal. They might help a rootkit hide a little better, but they don't make it any easier to install one.

If you have malicious code running in ring 0, you're already so boned, you really need to dust off and nuke the machine from orbit anyway. And if you have malicious code that modified your BIOS (as some people list as a nightmare scenario), you again already have problems so large a little bit of SMM trouble means little additional pain.

Re:more nonsense from the same people

[jvkjvk]

So, never run any VMs, then? Or only allow "trusted users" to run VMs?

Because if I'm a malicious user, I can gain root in my VM hosted on your box through a local privilege escalation attack. Then, I not only gain access to your hypervisor, but to every other VM instance on that machine.

Sweet.

Good thing that no one would ever use a VM, isn't it?

Wow

[quo_vadis]

Very interesting loophole. For those too lazy to read TFA, basically this attack allows someone running as root (or in some cases as a local user) to run code at a level that even hypervisors cant deal with. To put this into perspective, if you are running some big iron hardware with a dozen virtualized servers. With a local privilege escalation exploit on one VM, an attacker could use this attack to take over the whole system, even the secured VMs. Worst problem is that it would be undetectable. No VM, and no hypervisor would be able to see it. Any AV call can be intercepted as the SMM has the highest priority in the system.

The solution on the other hand seems pretty simple. Make the chipset block writes to the TSEG for the SMRAM in hardware (by disabling those lines) and use some extra hardware to prevent those lines from being loaded into cache. Finally, make every bios SMRAM update contain a parity and create tools that allow SMRAM parity check.

Ummm, about that

[Sycraft-fu]

How you going to make that work? I'm not talking in theory, I mean in practice. Reprogramming the BIOS is not a simple feat. There's all kind of problem you face that you don't with a program that runs on the OS:

1) Extremely limited space. BIOSes are small. You don't have gigabytes of space, you don't have many megabytes. Sometimes, you don't even have a megabyte. So whatever code is in there, it is going to be rather limited. More so because you can't simply displace the BIOS. The BIOS is necessary to the system's operation (and of course if the BIOS was gone and replaced with something new, people could know your malware was installed). So you have to preserve the BIOS's function AND add in what you want to do in a very small space.

2) Highly system specific. BIOSes are not general. You can't take one from a given board and load it on another board. Even within the same manufacturer and general product line BIOSes are not cross compatible. Flash the wrong BIOS on a system, and it isn't booting. So that means that your malware is going to have to be either extremely targeted, as in work on only one specific type of system, or carry around a massive pack of different versions to load the one with the correct BIOS.

3) Not made to run other programs. The BIOS isn't designed with the idea that you run other software with it. It is designed to set up the system and then load the bootloader. So this means that you don't just write a program and load it on, you have to actually redo the BIOS. Ok, but you don't have the source code for that. Motherboard makers don't open source their BIOSes.

4) Getting it on systems. Some boards, Intel notably, allow you to update the BIOS from an OS. Their updater actually preps the update to a section for that, and the update is then done on next reboot. However many boards don't have that feature. To update the BIOS, you need to boot to a DOS floppy/CD/flash drive and do it from there. Ya, not so easy to arrange as malware.

So while a BIOS malware that does things pre boot is a theoretical possibility, it is extremely unlikely in reality.

Re:Ummm, about that

[FrankSchwab]

As a firmware engineer who patches ROM code in embedded systems daily, I'll give a bit of insight.

The BIOS as a whole is specific to the board that it is running on. However, that doesn't mean that additions can't be made to the BIOS in a generic fashion. Imagine you searched the BIOS Flash for unused space (all of them will have it), and relocated code into that space (relocating a DOS .exe file is trivial). Writing a FLASH is not a difficult operation, though different motherboard manufacturers probably write protect it in different ways. Your code is now in the BIOS ROM.

You then modify the code in the flash that handles e.g. INT 14 (Serial communications, pretty much a dead function on modern PCs). This is nothing more than overwriting the first couple of bytes of the address pointed to by the INT14 vector in the flash - you store them in your patch area, and JMP to your routine. Once again, it's a Flash write.

Now, certainly, at some point in time (BIOS, probably) someone will attempt to enumerate/initialize the serial ports. Your code is now running - the world is your oyster. With this exploit, you can now probably hoist the BIOS code into a VM PRIOR to loading Windows. And you're still there.

There are different families of BIOS that you would have to support - Phoenix, AMI (do they still exist?), HP, Intel, etc. There are different schemes for protecting Flash, etc. These differences are probably smaller than they sound.

Re:Ummm, about that

[wiredlogic]

In PC land most modern BIOSes are designed to be modular and the tools to manpulate them are readily available for free. They usually have enough left over space in flash for a malicious extension to be added. A malicious extension doesn't have to be a complete exploit. It just has to provide the hooks for a compromised OS to call into and execute a small bit of code that would otherwise be impossible to execute.

I wouldn't be surprised if Macs had similar BIOS vulnerabilities. They're potentially even more vulnerable since, because of the Apple monoculture, all Intel Macs likely have similar BIOS code and a single exploit could easily attack the entire population. This is a growing threat with Apple's increasing market share. The days when nobody bothered to write viruses for Macs are long gone.

Re:Ummm, about that

[AndrewNeo]

I wouldn't be surprised if Macs had similar BIOS vulnerabilities.

Except Macs don't use a BIOS at all (well, a traditional one, at least), they all use EFI. I'm certain that they'd have their own brand of vulnerabilities, though.

Fight it with the same weapon?

[sysstemlord]

TFA: >>"No software you can run on your operating system would be able to detect this type of exploit once you are powned"

Ok this might be a stupid suggestion, but if it's possible for the malware to use this vulnerability to elevate, why wouldn't the "software", say Antivirus, use the same vulnerability to detect it, or remove it?

Also, like the virtualization scare

[Sycraft-fu]

Strikes me as "Neat in theory, doesn't work in practice." I mean after all the talk about blue pill, you'll notice that attacks of that type are not, in fact, happening all over the place. Why? Well while it is easy to say "Oh you just hide as a hyper visor," it is much harder, I'd say impossible, to actually make a program to do that and not be noticed.

For example one thing you have to do is properly virtualize ALL hardware. I'm not talking about doing a network card or a graphics card, I'm talking all of them. If you want to be undetectable, it has to look just like the stuff in the system. You can't be having a system with a real Intel Pro 1000 showing up as an AMD PCNet adapter (this is what happens in VMWare, all net cards are AMD PCNet). This includes things like 3D cards. You want to fool me, you have to virtualize my GTX 280. It has to run at speeds consummate with the real thing, and with the same features. If not, I'm going to notice something is wrong and go looking for the reason.

Rutkowska strikes me as an "ivory tower academic" in that she seems to be real good at coming up with theoretical stuff, with no consideration of how it applies to the real world. Now that's fine, nothing wrong with investigating theoritical means of attack, however she's also a scare monger/over seller. These things are getting promoted as The Next Big Thing(tm) even though there's no consideration for how realistic they are to implement.

Hiding in RAM - not BIOS flashing

[nicuramar]

It seems there is a lot of confusion about what this actually does. We're talking about RAM, albeit an area not normally accessible outside the BIOS, so it's not more resilient than anything else hiding in RAM. The BIOS writes code into the SMRAM at reboot, so even if the RAM isn't cleared, it's overwritten.

This is unrelated to flashing the BIOS, unless there is some special protection that allows this only to happen in SMM, and normal exploits that manage to flash the BIOS would leave you pretty screwed, SMRAM-exploit or not.

Also, it needs to trigger a SMI to execute the code, so it would need to insert a vector somewhere at a lower level if the exploit code were ever to get executed. I don't see the big deal.

What does surprise me though is that Intel has made such an obvious mistake in their design. It compares to allowing a user mode app to poison the cache on some kernel memory address. The difference is, of course, that user mode is under MMU and access protection, while ring 0 (from where this attack would normally be launched) is not.

At any rate, at least root access (on Linux; more on Windows) is needed, at which point, as several people have pointed out, you're screwed to begin with. Only the ability to hide a bit better in memory (but not on disk) seems to be an advantage.

Re:Wow

[1s44c]

To put this into perspective, if you are running some big iron hardware with a dozen virtualized servers. With a local privilege escalation exploit on one VM, an attacker could use this attack to take over the whole system, even the secured VMs.

Are you sure that's what it means? It looks like it needs ring 0 not kernel. Kernel mode would be less than ring 0 where a hypervisor was used. Or does KVM run all kernels at ring 0?

Re:Bring back burning at the stake!

[ijakings]

I for one would like to welcome our new flaming devil overlords