.

Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Mar 17, 2009 7:09 pm

Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue Mar 17, 2009 7:25 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

Thanks for the heads up.  A little birdie told me last year that this was coming (in fact I heard that it would be out October of last year).  I can't wait to see the exploit code.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 17, 2009 7:37 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

Wow, that's sweet!  Scary, but sweet indeed.  I can't wait to read the paper.  Thanks for posting this!
~~~~~~~~~~~~~~
Ketchup
<<

NickFnord

User avatar

Full Member
Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Thu Mar 19, 2009 6:25 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Thu Mar 19, 2009 8:48 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

I read the article and noticed that they claim it could also be used to move from ring 3 to SMM.  Did anyone quite get how that was working?  I see how to move from ring 0 to SMM using this exploit.  Still a major feat, but I'm missing how an unprivileged user is able to exploit this as they need to alter one of the MSR's.  Even in Linux, only root has access to write to these.

I've read it twice and understand Intel architecture pretty well but I can't see how this exploit can be used (by itself) by a non-privileged user on any OS I'm familiar with to dump SMRAM.

Can anyone help with a clarification?
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 23, 2009 10:23 am

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

I finally made it through the article and the one referenced from Blackhat 2008.  While I do not fully understand Intel architecture, it seems like this is quite real, but not as scary as it sounded.  You would have to do quite a bit of recon and then write some simplistic drivers and interfaces for each function of your rootkit, such as keyboard trapping and network I/O.  Like the papers state, this makes it a very targeted attack at this point.  Looks like Intel is slowly but surely patching these vulnerabilities.  I am guessing that if they completely drop the ball here, you are going to see people writing some automated tools to exploit these.

Former33t, you would have to escalate privs from ring 3 in order to gain access to the SMM RAM areas.  There are a number of exploits in Windows and Nix that some can take advantage of for this purpose.
~~~~~~~~~~~~~~
Ketchup
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Mon Mar 23, 2009 12:06 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

That is really interesting. I wonder what the final fix will be.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 23, 2009 3:58 pm

Re: Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09

As I understood it, BIOS and Chipset manufacturers have to get together and stop allowing access to the SMRAM area of RAM from the OS.  Although, if I understood it correctly, one of the exploits dealt with the area of RAM where VGA memory and SMRAM memory crossed over. 
~~~~~~~~~~~~~~
Ketchup

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software