Re: Pentium Computers Vulnerable to Attack?

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 4/11/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 11 Apr 2006 19:16:06 CDT, Matthew Murphy said:
>
> > of physical memory.  The attack is sophisticated, rare and non-trivial,
> > but the idea is that you can gain root privileges and then write to
> > /dev/xf86.
>
> Get root, and then use that to get root. What's wrong with this picture? :)
>
> As I said - unless he found a way to do it from user mode, it's not interesting.


Ja, it works on BSD and Linux, but not Windows. Apparently Xserver has
some nifty registers that windows is missing.

Still though, it sounds pretty bad because if you do use this exploit
after compromising a system, couldnt you could remain there even after
a re-image? Also, I think if you were slick enough to pull this off,
you could probably trigger SMM without the blow dryer requirement ;-)

 Here is what another guy at can-sec thought of the demo (from
http://blog.ncircle.com)

-JP
----------
cansecwest/core06: "security issues related to Pentium SMM"

Loic Duflot
Title: Security Issues Related to Pentium System Mgmt Mode

It is day 2 at Cansecwest and this talk wins for 'so frightening that
you want to hide under your desk in the fetal position'.

I'll go through the high level technical and then end with pointing
out a principal that is one of those universal truths I carry around
with me everywhere.

This entire exploit is based on documented x86 functions.

Your CPU runs in a few modes, one of those modes is known as Protected
mode, other known as System Mgmt Mode. When your OS is running, your
in Protected mode and this is how much of the security is performed
and you'll hear of ring0 and ring3. Just know that your in-world
universe is in protected mode.

System Management Mode (SMM) is used so that when there is something
external to your OS world like say a thermal condition that needs to
communicate some message, the CPU saves all its protected mode state
out, does all this SMM stuff and then return to its regular scheduled
program in protected mode.

There are details that evolve registry addresses and very low level
operations but for the most part, a system in a very secure state can
be circumvented via this SMM facility. I'm talking free access to all
memory and IO.

The song goes a little like this:
Enable SMI
Open SMRAM space
Replace default SMI Handler by custom one (do your duty)
Close SMRAM space
Trigger SMI
Gain access to restricted operations.

In the wider picture: works on most systems. Turns out that Linux and
the *BSD's will fall victim to this attack strategy, however, Windows
XP is not known to be exploitable because of a few system calls that
are not present and more importantly a certain memory range in
protected mode is not shared addresses to SMM.

So, for the demo, they did not pick some shabby OS to exploit. How
about OpenBSD at level2 (high security) with allowaperture=1
Ummm…it worked. Theo, microphone please?

Theo spoke to this OPENBSD issue and said he and the team have known
about it for a year. They are between a rock and a hard-place because
Xserver is really the core of the problem. It has too much damn access
to regesters and is in the most unfortunate address space in protected
mode because when in SMM, what is in that address range can be used to
exploit.
Solution is for Xserver people to abstract sufficiently so that the
kernel can have more governance on the Xservers logic.

Closing TK comments:
A system or a world that has a policy governed by in-world mechanisms
cannot be effective when a process in-world can reach to the out-world
to cause in-world change. You could also say that since a problem
cannot be resolved at the same logical realm it has been created, then
it is also the case that the most effective governance of a world can
only come from outside that world. Think about all the crazy things we
do in the physical world. As soon as we could get to the strong and
weak forces at the atomic level, we created a incredibly destructive
device. I just hope that if string theory is right and there really
are energy strings at the lowest level of the universe, that no one in
our world get control of them. The negative outcome caused by the
power hungry is too high a risk to even consider the positive
benefits.

Its late and I have been blogging way too much today I am certain that
my mental packet loss is abnormally high. I'll return to this in-game
out-game concepts later in another blog entry, when I am less sleep
deprived.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.