funsec mailing list archives
Re: Pentium Computers Vulnerable to Attack?
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 12 Apr 2006 02:02:55 -0500
Dude VanWinkle wrote:
> On 4/11/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
>> On Tue, 11 Apr 2006 19:16:06 CDT, Matthew Murphy said:
>>> of physical memory. The attack is sophisticated, rare and non-trivial, but the idea is that you can gain root privileges and then write to /dev/xf86.
>> Get root, and then use that to get root. What's wrong with this picture? :) As I said - unless he found a way to do it from user mode, it's not interesting.
> Ja, it works on BSD and Linux, but not Windows. Apparently Xserver has some nifty registers that windows is missing.
That's not it at all. Windows simply doesn't do its GUI work in user-mode. Microsoft gets vilified all the time for putting the GUI into the kernel, but it's significantly faster and also means that you don't have to risk allowing userland to write directly to video memory (which is stupid). The problem with X's way of handling video is that X runs in user-mode, even though it runs as user 'root'. /dev/xf86 is writable to anyone that can gain root privileges and allows the direct alteration of the onboard memory. It's designed to allow alteration of the video frame buffer, but also allows an application (if running as root) to write to the memory used by SMM, altering its behavior. In most cases, if you have root, it's game over, but there are some systems which are tamper-resistant (MAC, securelevels) to 'root' to varying degrees. Duflot demonstrated that these systems, if used in combination with X, could be compromised.
> Still though, it sounds pretty bad because if you do use this exploit after compromising a system, couldn't you remain there even after a re-image?
I didn't actually see Duflot's presentation, so I'm not sure if there's any NVRAM that would be accessible to SMM. I doubt it, because there'd be some real potential for a malware breeding-ground in that.
> Also, I think if you were slick enough to pull this off, you could probably trigger SMM without the blow dryer requirement ;-)
SMM doesn't require a trigger. System Management Interrupts (SMIs) which put the system in SMM are fired *regularly* during standard operation. There's no "blow dryer requirement". All you have to do is heat up the box enough to cause it to turn on a fan. When you hear that motor rev up, the box just fired an SMI. You don't have to *do* anything to get the box to fire an SMI, necessarily. My laptop, for instance, triggers one every few minutes to cool itself off when I'm using it heavily. Think of this particular SMI as the box saying: "It's getting warm in here. Time out, I need to turn on my fan." Reaching back, flipping the switch, and going back to work.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein