funsec mailing list archives

Re: Pentium Computers Vulnerable to Attack?


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 11 Apr 2006 19:16:06 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Valdis.Kletnieks () vt edu wrote:
> On Tue, 11 Apr 2006 22:53:41 -0000, Fergie said:
>> Interesting -- Anyone else see this?
>
> Summarized for the cynical among you:
>
> "If you hijack the SMM code, and then use a blowtorch, you can hijack
> the Pentium".
>
> If you can use a blowtorch, you got physical access and it's game over anyhow.
>
> If you can scribble on the SMM code, you 0wn the box already.
>
> I'm not at all sure what the point is here, unless they've found a new way
> to get into the SMM code and then force a *spurious* SMM trap *without* already
> r00ting the machine....

I was at CanSecWest.  Duflot's talk discussed the attack in the context
of X11.  Specifically, /dev/xf86, a user-mode device object, which
encompasses the system's video memory, and, within it, the system memory
used by SMM.

If one can write to /dev/xf86, it's possible to corrupt the SMM state in
such a way that a future SMI will execute code specified by the
attacker.  SMIs are triggered as the machine runs -- the example Duflot
uses is when fans are turned on to cool the board.

SMM is a super-privileged mode of the OS that operates below the OS
kernel (and any defensive measures therein) allowing direct alteration
of physical memory.  The attack is sophisticated, rare and non-trivial,
but the idea is that you can gain root privileges and then write to
/dev/xf86.

If you're sufficiently skilled, you can use that device to overwrite SMM
state in such a way that you will eventually gain control with the
processor in System Management Mode.  From there, you can alter the
physical memory used by the kernel with impunity, enabling you to
eliminate root-limiting measures like MAC, securelevels, etc.

The way I understand it is, it's not a concern for most PCs, where the
user 'root' is essentially omnipotent.  However, if you have measures in
place that purport to limit the 'root' user, the combination of X and
SMM is a way to break out of them.  Frankly, if you're running X and MAC
on the same box, that's a bit of a messed up security posture to me.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEPEbGfp4vUrVETTgRA4icAJ95kMFtWSxTLxHmK9Dec7B1j7eJZwCfR5NX
9ZMP6GvrGDzq+UG7ORj6FhI=
=6Wn0
-----END PGP SIGNATURE-----


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
