Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel CPU Privilege Escalation Exploit

Posted by timothy on from the they-never-offer-the-purple-pill dept.

Eukariote writes "A paper and exploit code detailing a privilege escalation attack on Intel CPUs has just been published. The vulnerability, uncovered by security researchers Joanna Rutkowska (of Blue Pill fame), Rafal Wojtczuk, and, independently, Loic Duflot, makes use of Intel's System Management Mode (SMM). Quote: "The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM." The implications of this exploit are severe."

28 of 242 comments (clear)

  1. And thus does the dance continue... by downix · · Score: 4, Insightful

    The dance between malware writers and the security experts seeking to thwart them continues ever on.

    --
    Karma Whoring for Fun and Profit.
  2. Ouch by Big+Hairy+Ian · · Score: 5, Funny

    This could make the apple bricking patch look like a kindergarten party

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Ouch by Z00L00K · · Score: 4, Interesting

      Just consider a malware that replaces the PC BIOS with it's own code. Sure it may brick a few, but it may also be a new interesting level of malware.

      Write-protect your BIOS:es and you can be a bit safer.

      Another interesting thing is that this may be a way around the TPM chip and other copy-protection techniques too.

      And beware of special bioses from manufacturers that allows your employer to run keylogging!

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Ouch by Molochi · · Score: 4, Informative

      I think this bypasses bios write protection unless you still have a motherboard that uses a jumper for this. None of mine do.

      Could be used as a force for good, true.

      --
      "The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
    3. Re:Ouch by Knara · · Score: 4, Funny

      A kindergarten party?

    4. Re:Ouch by machine321 · · Score: 5, Funny

      I was on the apple bricking patch for a while, it really helped me quit apple bricking.

  3. CD Boot by Baldrson · · Score: 4, Funny
    TFA: The malware code takes over a PC with little or no recourse to remove it.

    Haven't these guys ever booted from a CD?

    --
    Seastead this.
    1. Re:CD Boot by adonoman · · Score: 4, Informative

      You're assuming that the rootkit isn't loaded before the bios tries booting off the CD.

    2. Re:CD Boot by CannonballHead · · Score: 5, Funny

      No, really. It takes it over! You can't even come within 5 feet of the case, the malware pushes you back!

    3. Re:CD Boot by I.M.O.G. · · Score: 5, Informative

      Haven't these guys ever booted from a CD?

      While you succeed at being snarky, you fail at being correct. Assuming the article is credible and accurate, it explains why booting from a CD won't save you:

      By design, the operating system cannot override or disable System Management Interupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system makes an SMM rootkit incredibly stealthy!

      Now with that said judging by the authors language at networkworld he likely doesn't fully understand whats going on - he uses words like "powned" and "the PC is living in the matrix", whatever the fuck that means! I'll reserve my judgement on this until I read more from someone that owns a clue.

      --
      Overclockers
    4. Re:CD Boot by vadim_t · · Score: 4, Interesting

      And you fail at understanding.

      The exploit talks about modifying SMRAM. It's done with root level access on the computer. And in my understanding, the effect is not permanent, since you're changing RAM. Reboot, and it'll be gone.

      Now, once it's there, the OS can't have an antivirus scan that memory area. But that's it. If this thing persists across reboots, something has to put it back into the SMRAM, and you could find that something by booting a scanner from a CD, or reformatting the computer.

      I don't see this as a particularly scary thing. Yes, it's nasty. But a virus could also disable antiviruses and patch the kernel to hide its presence for the same effect.

      This is the same scaremongering as with the virtualization virus. Yes, it's a new way a virus can use to hide. But it's absolutely nothing new. Under DOS, viruses would trap DOS calls, and remove themselves from opened files, so that an antivirus trying to scan the file would see an uninfected one. Boot from a floppy, and none of that trickery will be active.

    5. Re:CD Boot by antifoidulus · · Score: 5, Insightful

      While you succeed at being snarky, you fail at being correct.

      Dude, I think you came up with a new motto for slashdot!

      --
      Monstar L
    6. Re:CD Boot by dgatwood · · Score: 4, Informative

      Also, the virus could use a commonly available BIOS utility to flash malware into the cmos. Much, much more insidious than a traditional file-based root. Then it's there on every boot.

      AFAIK, it can do that from Ring 0, too. About all SM mode does is allow you to temporarily inject yourself under the kernel in an undetectable way for a single boot; if you don't delete yourself from disk, you can still be detected by virus scanners and deleted, at which point your code would go away on the next boot... unless you start sniffing disk block writes and try to hide your files from the virus scanner. Either way, AFAICT, a cold boot from a recovery disk can clean up anything you could do in SM mode that you couldn't do from ring 0.

      These attacks have been around for a while. Here's an article about an attack that obtains SMM access (from user space code in that case) from way back in 2006. The only thing that's new is that this is a new/different way to get into SM mode.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. But more importantly... by Anonymous Coward · · Score: 5, Funny

    ... Joanna Rutkowska is hot!

    1. Re:But more importantly... by Anonymous Coward · · Score: 5, Funny

      This is an even better picture. But it's not Joanna.

  5. Easy workaround by Anonymous Coward · · Score: 5, Funny

    Run all code on a 286 or below.

  6. Doesn't seem that scary by vadim_t · · Score: 4, Informative

    From the PDF:

    Below we describe how to exploit cache poisoning to get access to the SMRAM memory. We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code.

    If they can do that, your box is rooted already. The only difference seems to be that in this way it can hide in a place where the OS can't get at it. But IMO, if you're compromised you can't count on the compromised OS being able to remove everything malicious anyway.

    1. Re:Doesn't seem that scary by sjames · · Score: 5, Insightful

      It's much worse, when combined with a firmware re-write, it will survive a complete re-install and cannot be detected by a security scan booted from CDROM.

  7. Ring of Fire by goombah99 · · Score: 5, Interesting

    So it says you can promote from ring0 to SMM. So I take it that's a lower level of hell?

    If you are running in ring zero doesn't that mean by definition you are completely trusted anyhow?

    Or is the vision something like you enter your root password to install the cheeze-whiz app and the mal ware not only installs the code but escalates itself above the operating system.

    I think I'm not getting it.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Ring of Fire by blueg3 · · Score: 5, Informative

      Actually, as I recall, the hypervisors run in ring 0 and generally push the kernel up to ring 1.

      Anyway, jumping to the hypervisor level is Blue Pill, by the same people. That was a few years ago. This is actually jumping to a lower level (below that of the hypervisor).

      If you're playing the rootkit versus rootkit detection / prevention game, attacking a lower level than your opponent is powerful. A rootkit detector in the hypervisor has an enormous advantage over a rootkit in a VM, and vice versa. A rootkit at the SMM level has an enormous advantage over rootkit detectors at the kernel or hypervisor levels -- which is the lowest easily-accessible level.

      Note that these guys did propose a solution in the same talk they presenting this problem.

  8. Inexcusable by sjames · · Score: 5, Interesting

    Considering that SMM exists solely to help proprietary vendors hide the "secret sauce", this is inexcusable. Every legitimate use of SMM could be accomplished by telling the OS that the memory area is reserved without hiding it away.

    The most frequent use is to have a proprietary chipset device emulate a standard one without revealing the details of its operation.

    Often enough, the "big secret" is that the hardware is crippled and the CPU is doing the real work. Kinda like those onboard "RAID controllers" that are just a plain old IDE interface and a poorly implemented softraid in the proprietary driver. The next step from that is to hide the softraid in SMM and have an SMI trigger whenever the OS writes to the fake registers in the PCI space.

    1. Re:Inexcusable by Animats · · Score: 5, Interesting

      Often enough, the "big secret" is that the hardware is crippled and the CPU is doing the real work.

      Yes. And board manufacturers get really angry when someone detects that.

      In the QNX community, where "real time" really means something, there's a common test of the operating system's real-time response. The tester wires up a square wave generator to an input that will cause an interrupt, programs the computer to wait for the interrupt and start a real-time user process, and has the user process turn on an output. You run some program in the background to keep the CPU busy. On a serious real-time OS, this shouldn't hurt real time response, and on QNX, it doesn't. There are no long interrupt lockouts in the QNX microkernel. Drivers are interruptable user processes.

      Input and output lines are then wired up to a storage oscilloscope, to display the interrupt response. On most machines, the scope shows a nice, boring, consistent interrupt response time of a few microseconds. But on some CPU boards, there's a spike way out there from the expected delay period. This shows clearly the occasional huge delay (by real time standards) of hundreds of microseconds, maybe even more than a millisecond. That's because something is going on in System Management Mode. QNX programmers have found USB serial emulation, flash disk IDE emulation, and other crap running at SMM level.

      When a vendor gets caught doing this, word gets around in the real-time community that their board is unacceptable for real-time use. Vendors selling embedded system boards have been caught this way.

      Hard real time is a world in which stuff is expected to actually work every time.

  9. more nonsense from the same people by YesIAmAScript · · Score: 4, Insightful

    These people (I refuse to type their names) employ hype incredibly effectively.

    The implications of these exploit are incredibly minimal. They might help a rootkit hide a little better, but they don't make it any easier to install one.

    If you have malicious code running in ring 0, you're already so boned, you really need to dust off and nuke the machine from orbit anyway. And if you have malicious code that modified your BIOS (as some people list as a nightmare scenario), you again already have problems so large a little bit of SMM trouble means little additional pain.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:more nonsense from the same people by jvkjvk · · Score: 4, Interesting

      So, never run any VMs, then? Or only allow "trusted users" to run VMs?

      Because if I'm a malicious user, I can gain root in my VM hosted on your box through a local privilege escalation attack. Then, I not only gain access to your hypervisor, but to every other VM instance on that machine.

      Sweet.

      Good thing that no one would ever use a VM, isn't it?

  10. Wow by quo_vadis · · Score: 4, Insightful

    Very interesting loophole. For those too lazy to read TFA, basically this attack allows someone running as root (or in some cases as a local user) to run code at a level that even hypervisors cant deal with. To put this into perspective, if you are running some big iron hardware with a dozen virtualized servers. With a local privilege escalation exploit on one VM, an attacker could use this attack to take over the whole system, even the secured VMs. Worst problem is that it would be undetectable. No VM, and no hypervisor would be able to see it. Any AV call can be intercepted as the SMM has the highest priority in the system.

    The solution on the other hand seems pretty simple. Make the chipset block writes to the TSEG for the SMRAM in hardware (by disabling those lines) and use some extra hardware to prevent those lines from being loaded into cache. Finally, make every bios SMRAM update contain a parity and create tools that allow SMRAM parity check.

    --
    Legally obligatory sig : My opinions are my own... etc etc
  11. Ummm, about that by Sycraft-fu · · Score: 4, Informative

    How you going to make that work? I'm not talking in theory, I mean in practice. Reprogramming the BIOS is not a simple feat. There's all kind of problem you face that you don't with a program that runs on the OS:

    1) Extremely limited space. BIOSes are small. You don't have gigabytes of space, you don't have many megabytes. Sometimes, you don't even have a megabyte. So whatever code is in there, it is going to be rather limited. More so because you can't simply displace the BIOS. The BIOS is necessary to the system's operation (and of course if the BIOS was gone and replaced with something new, people could know your malware was installed). So you have to preserve the BIOS's function AND add in what you want to do in a very small space.

    2) Highly system specific. BIOSes are not general. You can't take one from a given board and load it on another board. Even within the same manufacturer and general product line BIOSes are not cross compatible. Flash the wrong BIOS on a system, and it isn't booting. So that means that your malware is going to have to be either extremely targeted, as in work on only one specific type of system, or carry around a massive pack of different versions to load the one with the correct BIOS.

    3) Not made to run other programs. The BIOS isn't designed with the idea that you run other software with it. It is designed to set up the system and then load the bootloader. So this means that you don't just write a program and load it on, you have to actually redo the BIOS. Ok, but you don't have the source code for that. Motherboard makers don't open source their BIOSes.

    4) Getting it on systems. Some boards, Intel notably, allow you to update the BIOS from an OS. Their updater actually preps the update to a section for that, and the update is then done on next reboot. However many boards don't have that feature. To update the BIOS, you need to boot to a DOS floppy/CD/flash drive and do it from there. Ya, not so easy to arrange as malware.

    So while a BIOS malware that does things pre boot is a theoretical possibility, it is extremely unlikely in reality.

    1. Re:Ummm, about that by FrankSchwab · · Score: 5, Informative

      As a firmware engineer who patches ROM code in embedded systems daily, I'll give a bit of insight.

      The BIOS as a whole is specific to the board that it is running on. However, that doesn't mean that additions can't be made to the BIOS in a generic fashion. Imagine you searched the BIOS Flash for unused space (all of them will have it), and relocated code into that space (relocating a DOS .exe file is trivial). Writing a FLASH is not a difficult operation, though different motherboard manufacturers probably write protect it in different ways. Your code is now in the BIOS ROM.

      You then modify the code in the flash that handles e.g. INT 14 (Serial communications, pretty much a dead function on modern PCs). This is nothing more than overwriting the first couple of bytes of the address pointed to by the INT14 vector in the flash - you store them in your patch area, and JMP to your routine. Once again, it's a Flash write.

      Now, certainly, at some point in time (BIOS, probably) someone will attempt to enumerate/initialize the serial ports. Your code is now running - the world is your oyster. With this exploit, you can now probably hoist the BIOS code into a VM PRIOR to loading Windows. And you're still there.

      There are different families of BIOS that you would have to support - Phoenix, AMI (do they still exist?), HP, Intel, etc. There are different schemes for protecting Flash, etc. These differences are probably smaller than they sound.

      --
      And the worms ate into his brain.
  12. Hiding in RAM - not BIOS flashing by nicuramar · · Score: 4, Informative

    It seems there is a lot of confusion about what this actually does. We're talking about RAM, albeit an area not normally accessible outside the BIOS, so it's not more resilient than anything else hiding in RAM. The BIOS writes code into the SMRAM at reboot, so even if the RAM isn't cleared, it's overwritten.

    This is unrelated to flashing the BIOS, unless there is some special protection that allows this only to happen in SMM, and normal exploits that manage to flash the BIOS would leave you pretty screwed, SMRAM-exploit or not.

    Also, it needs to trigger a SMI to execute the code, so it would need to insert a vector somewhere at a lower level if the exploit code were ever to get executed. I don't see the big deal.

    What does surprise me though is that Intel has made such an obvious mistake in their design. It compares to allowing a user mode app to poison the cache on some kernel memory address. The difference is, of course, that user mode is under MMU and access protection, while ring 0 (from where this attack would normally be launched) is not.

    At any rate, at least root access (on Linux; more on Windows) is needed, at which point, as several people have pointed out, you're screwed to begin with. Only the ability to hide a bit better in memory (but not on disk) seems to be an advantage.