Massive Pre 2011 Intel CPU Exploit

ShintaiDK

Lifer
Apr 22, 2012
They say ANY x86 CPU.

I don't really see a big issue in pre-2011.

Also this part means your system is already compromised:

Thankfully, exploitation of the vulnerability requires low-level access to the host system - meaning that an attacker wishing to make use of the flaw to implant malicious code in ring -2 would already need to have ring 0 access, the highest level of access typically available to user-level code.
 

ShintaiDK

Lifer
Apr 22, 2012
A VM shouldn't run in ring 0. They run in ring 1.

It may be different between certain VM hypervisors though.

 

Schmide

Diamond Member
Mar 7, 2002
Firmware mode would be akin to Real Mode and is initiated before Protected Mode. There are no pages nor masked interrupts. Basically you can hook any request before the operating system gets it.
 

zir_blazer

Golden Member
Jun 6, 2013
A VM shouldn't run in ring 0. They run in ring 1.

It may be different between certain VM hypervisors though.

Intel VT-d and AMD-V were considered Ring -1 in some papers, so that's where the Hypervisor runs. And as far as I recall, Rings 1 and 2 are barely used in the x86 world, since for portability reasons with other architectures that have simpler ring designs, they use only Rings 0 and 3.

I recall having suggested a year or so ago that SMM was related to how Intel programs Processors to enable/disable feature bits and such, when a Core i5 that magically had Hyper Threading turned on appeared on overclock.net.
 

VirtualLarry

No Lifer
Aug 25, 2001
Looks like fun. Crazy exploit idea. I like it. Pretty freaking brilliant.

I've done some programming back in the day in "flat real mode" on 386's, which is somewhat similar to SMM mode (I think), in that you have essentially full physical access to a machine's hardware. (TBH, my memory is pretty fuzzy, I don't remember if the 386 even had SMM.)
SMM is supposed to exist in a special protected memory space. (It used to use the same aliased system memory used for the VGA memory address space.)

Edit: It will be interesting to see if AMD CPUs are vulnerable to this.
 
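The "special protected memory space" mentioned above is SMRAM, and on Intel CPUs the processor-side fence around it is the SMRR (System Management Range Register) MSR pair, which makes SMRAM inaccessible to code running outside SMM. The following is an added example, not code from the thread or from any vendor: a small checker that decodes the SMRR pair and reports whether the range is actually enabled and well-formed, which is the check a defender wants before worrying about ring -2 implants. Register numbers and bit positions follow the Intel SDM (IA32_MTRRCAP bit 11 = SMRR supported, IA32_SMRR_PHYSMASK bit 11 = valid); the sample MSR values and the `read_msr`, `decode_smrr`, `in_smrr` and `assess_smrr` names are this example's own. Reading the MSRs on a live Linux box needs root through the kernel's msr driver, which matches the article's point that you already need ring 0 to get anywhere near SMM; without that access the script falls back to the constructed sample values.

```python
"""Decode and sanity-check the Intel SMRR pair that fences off SMRAM.

Added example (not from the forum thread). MSR numbers and bit layouts are
taken from the Intel SDM; the sample register values below are constructed.
"""
import os
import struct

IA32_MTRRCAP = 0xFE          # bit 11 set => SMRR is supported on this core
IA32_SMRR_PHYSBASE = 0x1F2   # bits 7:0 memory type, bits 31:12 range base
IA32_SMRR_PHYSMASK = 0x1F3   # bit 11 valid/enable, bits 31:12 range mask

MTRRCAP_SMRR = 1 << 11
SMRR_VALID = 1 << 11
ADDR_MASK = 0xFFFFF000       # assumption: SMRAM sits below 4 GiB, so 32-bit fields suffice

# Constructed sample: an 8 MiB write-back SMRAM (TSEG) at 0x7F800000, SMRR enabled.
SAMPLE_MTRRCAP = MTRRCAP_SMRR
SAMPLE_PHYSBASE = 0x7F800006          # base 0x7F800000, type 6 = WB
SAMPLE_PHYSMASK = 0xFF800000 | SMRR_VALID


def read_msr(cpu: int, msr: int) -> int:
    """Read one 64-bit MSR through the Linux msr driver (root + CONFIG_X86_MSR)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def decode_smrr(physbase: int, physmask: int) -> dict:
    """Split the PHYSBASE/PHYSMASK pair into base, size, type and validity."""
    base = physbase & ADDR_MASK
    mask = physmask & ADDR_MASK
    # MTRR-style mask: a run of 1s above the range, so size = ~mask + 1.
    size = ((~mask) & 0xFFFFFFFF) + 1
    return {
        "base": base,
        "mask": mask,
        "size": size,
        "type": physbase & 0xFF,
        "valid": bool(physmask & SMRR_VALID),
        # A well-formed range has a power-of-two size and a size-aligned base.
        "contiguous": (size & (size - 1)) == 0 and (base & (size - 1)) == 0,
    }


def in_smrr(physbase: int, physmask: int, addr: int) -> bool:
    """Same test the hardware applies: addr is covered iff (addr & mask) == (base & mask)."""
    mask = physmask & ADDR_MASK
    return (addr & mask) == (physbase & mask)


def assess_smrr(mtrrcap: int, physbase: int, physmask: int) -> str:
    """Classify the SMRAM protection state from the three registers."""
    if not mtrrcap & MTRRCAP_SMRR:
        return "unsupported"          # CPU predates SMRR; only chipset locks remain
    r = decode_smrr(physbase, physmask)
    if not r["valid"]:
        return "disabled"             # firmware never enabled the range fence
    if not r["contiguous"]:
        return "malformed"            # mask is not a contiguous run; range is unreliable
    return "protected"


def main() -> None:
    try:
        cap = read_msr(0, IA32_MTRRCAP)
        pb = read_msr(0, IA32_SMRR_PHYSBASE)
        pm = read_msr(0, IA32_SMRR_PHYSMASK)
    except OSError:
        print("msr device unavailable; using constructed sample values")
        cap, pb, pm = SAMPLE_MTRRCAP, SAMPLE_PHYSBASE, SAMPLE_PHYSMASK
    r = decode_smrr(pb, pm)
    print(f"SMRR base=0x{r['base']:08x} size=0x{r['size']:x} type={r['type']} "
          f"valid={r['valid']} -> {assess_smrr(cap, pb, pm)}")


if __name__ == "__main__":
    main()
```

A "disabled" or "malformed" result on a CPU that does support SMRR is the finding worth escalating: it means SMRAM is relying on chipset-side locks alone, and the thread's ring -2 concerns apply with much less effort from an attacker who already holds ring 0.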

ShintaiDK

Lifer
Apr 22, 2012
Intel VT-d and AMD-V were considered Ring -1 in some papers, so that's where the Hypervisor runs. And as far as I recall, Rings 1 and 2 are barely used in the x86 world, since for portability reasons with other architectures that have simpler ring designs, they use only Rings 0 and 3.

I recall having suggested a year or so ago that SMM was related to how Intel programs Processors to enable/disable feature bits and such, when a Core i5 that magically had Hyper Threading turned on appeared on overclock.net.

VT-d/AMD-Vi is very rarely used.
 

Burpo

Diamond Member
Sep 10, 2013
Worry for nothing...
"These things have not happened yet, and the level of expertise needed to exploit this bug to do these things is certainly high. And, to top it off, you do need access to Ring 0 memory to get to SMM, so using this for privilege escalation is questionable right now."
 

zir_blazer

Golden Member
Jun 6, 2013
VT-d/AMD-Vi is very rarely used.
I mean VT-x and AMD-V. I think you should have figured out that I made a typo there.

And VT-d itself isn't "very rarely used". I use it daily, since I use a VM for my gaming needs and VT-d is a must to get the GPU in there.
 

DrMrLordX

Lifer
Apr 27, 2000
Edit: It will be interesting to see if AMD CPUs are vulnerable to this.

I concur. AMD's market share may have dropped to the point of non-existence in today's market, but 5-7 years ago, they were still selling a fair number of chips. There are a lot of K10.5 Stars chips still in use/circulation. The used market for those things is still alive and kicking.
 

jhu

Lifer
Oct 10, 1999
That's why all my machines are Itanium (although my Itanium "laptop" does get a little heavy).
 

MrTeal

Diamond Member
Dec 7, 2003
That's why all my machines are Itanium (although my Itanium "laptop" does get a little heavy).

Great battery life with the generator and 5-gallon jerry can accessories though.
 

jhu

Lifer
Oct 10, 1999
Great battery life with the generator and 5-gallon jerry can accessories though.

I get a good 3 hours out of that, just enough time to stave off leg ischemic damage due to poor circulation.
 

ninaholic37

Golden Member
Apr 13, 2012
(TBH, my memory is pretty fuzzy, I don't remember if the 386 even had SMM.)
This is what I found on Wikipedia (do you remember now?):

It was first released with the Intel 386SL. While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993. AMD copied Intel's SMM with the Enhanced Am486 processors in 1994. It is available in all later microprocessors in the x86 architecture.
 

BigDaveX

Senior member
Jun 12, 2014
Make a program that will unlock Hyper-Threading on older Intel processors

Nah, make a program that will unlock that "reverse-hyperthreading" mode that everyone was talking about before Conroe arrived, but never showed up for some strange reason!
 

sm625

Diamond Member
May 6, 2011
The NSA must have found a better way to get into everyone's machines.
 

zir_blazer

Golden Member
Jun 6, 2013
Nah, make a program that will unlock that "reverse-hyperthreading" mode that everyone was talking about before Conroe arrived, but never showed up for some strange reason!
The guy that talked a lot about that was Charlie from The Inquirer (now he is at SemiAccurate).

There is a point in SMM. It is pretty much undocumented and can be used for a lot of nasty tricks. Since Intel uses just a handful of physical dies for a thousand different SKUs, there should be an easy way to program their specs into them AFTER the binning process. It may even be by using a special socket that makes contact with pins that aren't used on the standard version and enables the model-specific registers' write mode. However, when Intel launched their "CPU upgrade" pilot programs some years ago that could unlock features on some specific CPUs, I got obsessed with the idea that there is a pure software way to deal with this.
 

MrTeal

Diamond Member
Dec 7, 2003
The guy that talked a lot about that was Charlie from The Inquirer (now he is at SemiAccurate).

There is a point in SMM. It is pretty much undocumented and can be used for a lot of nasty tricks. Since Intel uses just a handful of physical dies for a thousand different SKUs, there should be an easy way to program their specs into them AFTER the binning process. It may even be by using a special socket that makes contact with pins that aren't used on the standard version and enables the model-specific registers' write mode. However, when Intel launched their "CPU upgrade" pilot programs some years ago that could unlock features on some specific CPUs, I got obsessed with the idea that there is a pure software way to deal with this.

That would be an incredible unlock, if it were possible. If you could buy a hex-core 2603v3 for $200 and software mod it to an unlocked 8(16), it would be a ridiculous value, at least until Intel shut it down in future generations.
 

thetuna

Member
Nov 14, 2010
I was under the impression that Intel physically fuses off the extra cores and hyperthreading.
Although, I've never seen any actual proof of that, so maybe it is possible.
 

ShintaiDK

Lifer
Apr 22, 2012
It's fused off, yes. People just dream of unlocks.

Intel have sold a couple of products that could be "updated". But not in this way.
 