Slashdot Mirror


Researcher Finds A Hidden 'God Mode' on Some Old x86 CPUs (tomshardware.com)

"Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU," Tom's Hardware reports, citing a presentation by security researcher Christopher Domas at the Black Hat Briefings conference in Las Vegas. The command -- ".byte 0x0f, 0x3f" in Linux -- "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode." The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes. "We have direct ring 3 to ring 0 hardware privilege escalation," Domas said. "This has never been done.... It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."

The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it's entirely possible that such hidden backdoors exist on many other chipsets. "These black boxes that we're trusting are things that we have no way to look into," he said. "These backdoors probably exist elsewhere." Domas discovered the backdoor by combing through filed patents.

"Some of the VIA C3 x86 processors have God Mode enabled by default," Domas adds. "You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless."

5 of 114 comments

  1. Re:Not always a bad thing by mmmVenison · Score: 3, Insightful

    I would be surprised if there wasn't a backdoor in any complex system, hardware or software.

    --
    Offended? Find a safe space and cry yourself to sleep.
  2. Re:Should the government require audit of designs? by iggymanz · Score: 3, Insightful

    riiiight, last I checked the USA government wanted a backdoor in everything because citizens are to be treated like criminals by default.

  3. Re:Is it on the die? by Megol · Score: 3, Insightful

    Lot of work to find something (partially) documented. Sandpile lists the instruction as ALTINST, the code is documented by VIA as used for testing with an MSR (Machine Specific Register) bit to enable it. If not enabled I assume it would be treated as an illegal instruction.

    That some machine with a C3 processor didn't set the correct machine configuration is bad but not the end of the world - just set it correctly in the OS instead.
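As an added example (not from the article or from anyone in this thread), a small Linux audit script in the spirit of this comment: it identifies whether a host reports a VIA C3 Nehemiah core and, through the kernel's msr driver, whether the enabling bit for the alternate instruction set is actually on. The MSR number and bit position are taken from the researcher's published write-up and are assumptions not stated on this page; the /proc/cpuinfo sample is constructed.

```python
import struct
# Constructed sample of /proc/cpuinfo for an affected part (not captured from a
# real machine); vendor string and family/model are those of the C3 Nehemiah core.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: CentaurHauls\n"
    "cpu family\t: 6\n"
    "model\t\t: 9\n"
)

# Assumed from the researcher's public write-up, not stated on this page: the
# alternate instruction set (opcode 0f 3f) is gated by bit 0 of MSR 0x1107,
# VIA's Feature Control Register. Verify against VIA's own documentation.
ALTINST_MSR = 0x1107

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per logical processor."""
    cpus = []
    for block in text.strip().split("\n\n"):
        cpu = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            cpu[key.strip()] = val.strip()
        cpus.append(cpu)
    return cpus

def is_via_c3_nehemiah(cpu):
    """True for a Centaur/VIA part reporting family 6, model 9 (C3 Nehemiah)."""
    return (cpu.get("vendor_id") == "CentaurHauls"
            and cpu.get("cpu family") == "6" and cpu.get("model") == "9")

def altinst_enabled(msr_value):
    """Interpret a raw FCR value: bit 0 set means the alternate ISA is live."""
    return bool(msr_value & 1)

def read_msr(cpu_index, msr):
    """Read one MSR via the Linux msr driver (needs root and `modprobe msr`)."""
    with open(f"/dev/cpu/{cpu_index}/msr", "rb", buffering=0) as f:
        f.seek(msr)  # the driver uses the file offset as the MSR number
        return struct.unpack("<Q", f.read(8))[0]

def audit(cpuinfo_text, msr_reader=read_msr):
    """Return {cpu_index: enabled?} for each affected core; {} if none present."""
    result = {}
    for cpu in parse_cpuinfo(cpuinfo_text):
        if is_via_c3_nehemiah(cpu):
            idx = int(cpu["processor"])
            result[idx] = altinst_enabled(msr_reader(idx, ALTINST_MSR))
    return result
```

On a real host, call `audit(open("/proc/cpuinfo").read())` as root; any `True` value means the OS has left the test mode enabled and should clear the bit during early boot.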

  4. Worse than they let on. by Gravis+Zero · Score: 3, Insightful

    It is thought that only VIA C3 CPUs are affected by this issue. The C-series processors are marketed towards industrial automation, point-of-sale, ATM, and healthcare hardware, as well as a variety of consumer desktop and laptop computers.

    Forget thin clients, if this shit is (still) controlling SCADA stuff then this is worse than the meltdown vulnerability.

    --
    Anons need not reply. Questions end with a question mark.
  5. Re:did VIA ever do anything right? by Megol · Score: 3, Insightful

    First, this chip was designed at Centaur Technology in the US, a subsidiary of the main VIA. They design x86 processors; don't blame other crap on them.
    Second, this isn't a problem with the chip - it's a problem in software not configuring the chip correctly according to the documentation.

    Third, their x86 processors were designed for a specific market for which they are/were a good fit.