funsec mailing list archives

Re: Pentium Computers Vulnerable to Attack?


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 12 Apr 2006 02:02:55 -0500


Dude VanWinkle wrote:
> On 4/11/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
>> On Tue, 11 Apr 2006 19:16:06 CDT, Matthew Murphy said:
>>
>>> of physical memory.  The attack is sophisticated, rare and non-trivial,
>>> but the idea is that you can gain root privileges and then write to
>>> /dev/xf86.
>> Get root, and then use that to get root. What's wrong with this picture? :)
>>
>> As I said - unless he found a way to do it from user mode, it's not interesting.


> Ja, it works on BSD and Linux, but not Windows. Apparently Xserver has
> some nifty registers that Windows is missing.

That's not it at all.  Windows simply doesn't do its GUI work in
user-mode.  Microsoft gets vilified all the time for putting the GUI
into the kernel, but it's significantly faster and also means that you
don't have to risk allowing userland to write directly to video memory
(which is stupid).

The problem with X's way of handling video is that X runs in user-mode,
even though it runs as user 'root'.  /dev/xf86 is writable to anyone
that can gain root privileges and allows the direct alteration of the
onboard memory.  It's designed to allow alteration of the video frame
buffer, but also allows an application (if running as root) to write to
the memory used by SMM, altering its behavior.

In most cases, if you have root, it's game over, but there are some systems
which are tamper-resistant (MAC, securelevels) to 'root' to varying
degrees.  Duflot demonstrated that these systems, if used in combination
with X, could be compromised.

> Still though, it sounds pretty bad because if you do use this exploit
> after compromising a system, couldn't you remain there even after
> a re-image?

I didn't actually see Duflot's presentation, so I'm not sure if there's
any NVRAM that would be accessible to SMM.  I doubt it, because there'd
be some real potential for a malware breeding-ground in that.

> Also, I think if you were slick enough to pull this off,
> you could probably trigger SMM without the blow dryer requirement ;-)

SMM doesn't require a trigger.  System Management Interrupts (SMIs)
which put the system in SMM are fired *regularly* during standard
operation.  There's no "blowdryer requirement".  All you have to do is
heat up the box enough to cause it to turn on a fan.  When you hear that
motor rev up, the box just fired an SMI.

You don't have to *do* anything to get the box to fire an SMI,
necessarily.  My laptop, for instance, triggers one every few minutes to
cool itself off when I'm using it heavily.  Think of this particular SMI
as the box saying:

   "It's getting warm in here.  Time out, I need to turn on my fan."

Reaching back, flipping the switch, and going back to work.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
