Is your PC's security in order?

Cees Binkhorst ceesbink at XS4ALL.NL
Wed Mar 18 23:18:25 CET 2009


REPLY TO: D66 at nic.surfnet.nl

A warning that I came across for owners of newer PCs with an Intel processor.
I myself have an old PC with a non-Intel one (it is too late in the evening to
torture my memory any further ;)

Regards / Cees

http://www.networkworld.com/community/node/39825?netht=rn_031809&nladname=031809
Security Researchers Joanna Rutkowska and Loic Duflot are planning to
release a research paper + exploit code for a new SMM (System Management
Mode) exploit that installs via an Intel® CPU caching vulnerability.
Joanna, of blue pill fame, reported this on her blog

Joanna cleared it up for me that they are not releasing an SMM rootkit but
rather an exploit. It will be up to some other folks to tie this in with an
SMM rootkit like this one perhaps
(http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html).

"Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on
exploiting Intel® CPU cache mechanisms. The attack allows for privilege
escalation from Ring 0 to the SMM on many recent motherboards with Intel
CPUs. Rafal implemented a working exploit with code execution in SMM in a
matter of just a few hours."

The heart-stopping thing about this particular exploit is that it hides
itself in the SMM space. To put that into perspective, SMM is more
privileged than a hypervisor is and it's not controllable by any Operating
System. By design, the operating system cannot override or disable System
Management Interrupt (SMI) calls. In practice, the only way for you to know
what is running in SMM space is to physically disassemble the firmware of
your computer. So, given that an SMI takes precedence over any OS call,
that the OS cannot control or read SMM, and that the only way to read SMM is
to disassemble the system, an SMM rootkit is incredibly stealthy! It is
very much like the blue pill attack (the PC is living in the matrix which
is under your complete control) except that SMM attacks are at an even
deeper hardware level of abstraction than a hypervisor exploit! SMM has
been around in Intel chips since the 386 processor, so if you'd like further
education or a history lesson, here is a good article.

Now remember that what Joanna and Loic will be releasing is a brand new,
never before disclosed Intel caching hack that allows them to gain access
to SMM space and run their new exploit. If you then use this exploit to
run an SMM rootkit that has the ability to call home to its creator to get
new code or deposit its findings, you're really going to have a powerful hack.
No software you can run on your operating system would be able to detect
this type of exploit once you are pwned.

So why would they release the exploit code to the public, you ask. Aren't
security researchers supposed to play by the rules and refrain from
disclosure? Well, here's the thing: both the CPU caching vulnerabilities
and the SMM vulnerabilities have already been reported to Intel. In fact,
according to Joanna "the first mention of the possible attack using
caching for compromising SMM has been discussed in certain documents
authored as early as the end of 2005 (!) by nobody else than... Intel's
own employees." Both Joanna and Loic also officially reported this and
other related bugs to Intel. Loic did so back in October 2008. (correction
: the previous tracking number I just deleted in the article is for a
different bug that Joanna also discovered and is currently not patched by
Intel yet.) Bottom line is that Intel has known about this vulnerability
and others for years and it can be argued they haven't done due diligence
to fix them yet. When this happens, security researchers have little
choice but to release their finding publicly, the assumption being that if
they have known about it for years then for sure someone with less than
legal intentions is already exploiting it. Here is how Joanna puts it,
************************
"If there is a bug somewhere and if it stays unpatched for enough time, it
is almost guaranteed that various people will (re)discover and exploit it,
sooner or later. So, don't blame researchers that they find and publish
information about bugs — they actually do a favor to our society."
************************
Is your PC currently pwned by some hacker ninja using an SMM rootkit? How
would you tell? You can't tell!!!!! MUWHAHA!

I just hope Intel fixes these vulnerabilities fast.

Keep checking this site on Thursday, the paper and code will be published
here. Good article on previous theoretical SMM exploits can be found here.

**********
This message was sent via the informal D66 discussion list (D66 at nic.surfnet.nl).
Subscribe: send an email to LISTSERV at nic.surfnet.nl with only the following in the body: SUBSCRIBE D66 yourfirstname yourlastname
Unsubscribe: send an email to LISTSERV at nic.surfnet.nl with only the following in the body: SIGNOFF D66
The online archive can be found at: http://listserv.surfnet.nl/archives/d66.html
**********
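The article quoted above describes the attack as a privilege escalation from ring 0 into SMM via the CPU cache, and says the only way to know what runs in SMM is to disassemble the firmware. One thing a practitioner can check without that is whether the CPU and firmware use Intel's documented protection against exactly this class of attack: the System Management Range Registers (SMRR), which make the SMRAM range uncacheable and inaccessible for code running outside SMM. The article does not mention SMRR; the MSR numbers and bit positions below come from the Intel Software Developer's Manual (IA32_MTRRCAP bit 11 advertises SMRR support; IA32_SMRR_PHYSBASE/PHYSMASK hold the range, with the PHYSMASK valid bit enabling it). The program is an added example written for this page, not code from the article, from Rutkowska/Duflot or from Intel. It assumes Linux with the msr kernel module loaded and root privileges (reading /dev/cpu/0/msr is a Linux-specific assumption); the decoding functions are pure and can be exercised with constructed register values.

```c
/*
 * Added example (not from the article or the researchers it quotes):
 * decode whether SMRR is supported and enabled on an Intel CPU.
 * MSR numbers and bit layout are from the Intel SDM; the /dev/cpu/N/msr
 * access path is a Linux-specific assumption (root + msr module).
 * Caveat, consistent with the article: a kernel that is already
 * compromised could feed you forged values, so treat this as a
 * configuration check, not as proof that SMM is clean.
 */
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IA32_MTRRCAP        0x0FEu   /* bit 11 (SMRR) = SMRR supported      */
#define IA32_SMRR_PHYSBASE  0x1F2u   /* bits 31:12 base, bits 2:0 mem type  */
#define IA32_SMRR_PHYSMASK  0x1F3u   /* bits 31:12 mask, bit 11 = valid (V) */

#define MTRRCAP_SMRR_BIT    (1ull << 11)
#define SMRR_VALID_BIT      (1ull << 11)
#define SMRR_ADDR_MASK      0xFFFFF000ull

enum smrr_state { SMRR_UNSUPPORTED = 0, SMRR_DISABLED = 1, SMRR_ACTIVE = 2 };

int mtrrcap_has_smrr(uint64_t mtrrcap) { return (mtrrcap & MTRRCAP_SMRR_BIT) != 0; }
int smrr_enabled(uint64_t physmask)    { return (physmask & SMRR_VALID_BIT) != 0; }

/* The base/mask pair works like a variable-range MTRR: address A is inside
 * the protected range when (A & mask) == (base & mask).  With the usual
 * contiguous mask that is an aligned, power-of-two-sized region. */
uint64_t smrr_start(uint64_t physbase, uint64_t physmask)
{
    return physbase & physmask & SMRR_ADDR_MASK;
}

uint64_t smrr_size(uint64_t physmask)
{
    return (~(physmask & SMRR_ADDR_MASK) & SMRR_ADDR_MASK) + 0x1000;
}

enum smrr_state smrr_assess(uint64_t mtrrcap, uint64_t physmask)
{
    if (!mtrrcap_has_smrr(mtrrcap)) return SMRR_UNSUPPORTED; /* older CPUs */
    if (!smrr_enabled(physmask))    return SMRR_DISABLED;    /* firmware never set V */
    return SMRR_ACTIVE;
}

/* Linux: /dev/cpu/N/msr exposes MSRs to root; the file offset is the MSR number. */
static int read_msr(int cpu, uint32_t msr, uint64_t *val)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, val, sizeof *val, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *val ? 0 : -1;
}

int main(void)
{
    uint64_t cap, base = 0, mask = 0;
    if (read_msr(0, IA32_MTRRCAP, &cap) < 0) {
        perror("read IA32_MTRRCAP (need root, msr module, Intel CPU)");
        return 1;
    }
    /* The SMRR MSRs do not exist on CPUs without the capability; reading them
     * would fault (#GP, reported as EIO by the driver), so gate on MTRRCAP. */
    if (mtrrcap_has_smrr(cap) &&
        (read_msr(0, IA32_SMRR_PHYSBASE, &base) < 0 ||
         read_msr(0, IA32_SMRR_PHYSMASK, &mask) < 0)) {
        perror("read IA32_SMRR_PHYSBASE/PHYSMASK");
        return 1;
    }
    switch (smrr_assess(cap, mask)) {
    case SMRR_UNSUPPORTED:
        printf("IA32_MTRRCAP=0x%" PRIx64 ": no SMRR; SMRAM cacheability is only "
               "governed by ordinary MTRRs\n", cap);
        break;
    case SMRR_DISABLED:
        printf("SMRR supported but IA32_SMRR_PHYSMASK.V is clear: not enabled by firmware\n");
        break;
    case SMRR_ACTIVE:
        printf("SMRR active: protects [0x%" PRIx64 ", 0x%" PRIx64 "), memory type %" PRIu64 "\n",
               smrr_start(base, mask), smrr_start(base, mask) + smrr_size(mask), base & 7);
        break;
    }
    return 0;
}
```

Build with `cc -o smrrcheck smrrcheck.c` and run as root after `modprobe msr`. On a machine without SMRR support, or where the firmware left the valid bit clear, the printed verdict is the configuration the article's attack class relies on; on a machine with SMRR active the range printed should cover the chipset's SMRAM (typically a few megabytes below the top of low memory). The register values in the lead-in test cases are constructed, not captured from any particular system.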
