funsec mailing list archives
Re: Pentium Computers Vulnerable to Attack?
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 11 Apr 2006 19:16:06 -0500
Valdis.Kletnieks () vt edu wrote:

> On Tue, 11 Apr 2006 22:53:41 -0000, Fergie said:
>
> > Interesting -- Anyone else see this?
>
> Summarized for the cynical among you: "If you hijack the SMM code, and then use a blowtorch, you can hijack the Pentium". If you can use a blowtorch, you got physical access and it's game over anyhow. If you can scribble on the SMM code, you 0wn the box already. I'm not at all sure what the point is here, unless they've found a new way to get into the SMM code and then force a *spurious* SMM trap *without* already r00ting the machine....
I was at CanSecWest. Duflot's talk discussed the attack in the concept of X11. Specifically, /dev/xf86, a user-mode device object, which encompasses the system's video memory, and, within it, the system memory used by SMM. If one can write to /dev/xf86, it's possible to corrupt the SMM state in such a way that a future SMI will execute code specified by the attacker. SMIs are triggered as the machine runs -- the example Duflot uses is when fans are turned on to cool the board.

SMM is a super-privileged mode of the OS that operates below the OS kernel (and any defensive measures therein), allowing direct alteration of physical memory.

The attack is sophisticated, rare and non-trivial, but the idea is that you can gain root privileges and then write to /dev/xf86. If you're sufficiently skilled, you can use that device to overwrite SMM state in such a way that you will eventually gain control with the processor in System Management Mode. From there, you can alter the physical memory used by the kernel with impunity, enabling you to eliminate root-limiting measures like MAC, securelevels, etc.

The way I understand it is, it's not a concern for most PCs, where the user 'root' is essentially omnipotent. However, if you have measures in place that purport to limit the 'root' user, the combination of X and SMM is a way to break out of them. Frankly, if you're running X and MAC on the same box, that's a bit of a messed up security posture to me.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Pentium Computers Vulnerable to Attack? Fergie (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Bryan Bradsby (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Valdis . Kletnieks (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Stephen J. Smoogen (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Matthew Murphy (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Valdis . Kletnieks (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Dude VanWinkle (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Dude VanWinkle (Apr 11)
- Re: Pentium Computers Vulnerable to Attack? Dude VanWinkle (Apr 12)
- Re: Pentium Computers Vulnerable to Attack? Matthew Murphy (Apr 12)
- Re: Pentium Computers Vulnerable to Attack? Matthew Murphy (Apr 12)
- Re: Pentium Computers Vulnerable to Attack? Dude VanWinkle (Apr 12)
- Re: Pentium Computers Vulnerable to Attack? der Mouse (Apr 12)
- Re: Pentium Computers Vulnerable to Attack? Florian Weimer (Apr 12)