Standard User Banger
(eat-sleep-adslguide) Wed 18-Mar-09 02:59:58

Rootkit code to exploit major Intel chip flaw.
 
Apparently it's undetectable by software and works at machine firmware level, which bypasses the OS and can take control of an affected machine. Wonder how Intel can patch it; if it's a hardware cache flaw, present since 386 days, how will they fix it for current in-use processors?

http://www.networkworld.com/community/node/39825

Tim
Standard User Spud2003
(experienced) Wed 18-Mar-09 09:44:01

Re: Rootkit code to exploit major Intel chip flaw.

[re: Banger]
 
"how will they fix it for current in-use processors?"

Is this solved by a microcode patch? :P
Standard User deleted
(deleted) Wed 18-Mar-09 13:27:43

Re: Rootkit code to exploit major Intel chip flaw.

[re: Banger]
 
The claims look overblown.

"No software you can run on your operating system would be able to detect this type of exploit once you are powned."

All you need to do is monitor your LAN traffic.



Standard User gomezz
(eat-sleep-adslguide) Wed 18-Mar-09 13:30:23

Re: Rootkit code to exploit major Intel chip flaw.

[re: deleted]
 
Indeed. I will wait until I see these claims peer reviewed.
Standard User Banger
(eat-sleep-adslguide) Thu 19-Mar-09 04:28:55

Re: Rootkit code to exploit major Intel chip flaw.

[re: deleted]
 
Another perspective here at PC World Mag (not the shop) from 9 May 2008.

This is the original researcher's blog, who purports to have discovered the vulnerable vector in the cache from which SMM can be accessed. Some interesting comments on the original linked page.

Tim

Edited by Banger (Thu 19-Mar-09 04:34:37)

Standard User deleted
(deleted) Thu 19-Mar-09 08:09:59

Re: Rootkit code to exploit major Intel chip flaw.

[re: Banger]
 
Don't get me wrong, I agree this is a serious problem; I just think the original linked-to article over-hypes the difficulty of detecting the exploit.
Standard User Banger
(eat-sleep-adslguide) Thu 19-Mar-09 23:26:21

Re: Rootkit code to exploit major Intel chip flaw.

[re: deleted]
 
Here's the latest blog entry on the subject and here's (PDF) the paper detailing the vulnerability. Beware: heavy reading and code.

Tim
Standard User deleted
(deleted) Fri 20-Mar-09 08:16:53

Re: Rootkit code to exploit major Intel chip flaw.

[re: Banger]
 
Thanks. I'll struggle through the text later on this morning to see if I can make head or tail of it. There's only four pages because I'm sure as hell not going to follow the references!

It makes me wonder how they certify chipsets in areas which are meant to be locked down.
Standard User deleted
(deleted) Fri 20-Mar-09 08:31:15

Re: Rootkit code to exploit major Intel chip flaw.

[re: deleted]
 
A further read devalues the exploit considerably.

"3. Attack details
Below we describe how to exploit cache poisoning to get access to the SMRAM memory. We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code."


If a user has physical or root access he can do what he wants. I believe the really worrying security breaches are those which initially grant physical access or root privileges.
Standard User Banger
(eat-sleep-adslguide) Fri 20-Mar-09 20:43:18

Re: Rootkit code to exploit major Intel chip flaw.

[re: deleted]
 
Yes, I spotted that, so delivery could be spotted by normal means, i.e. virus scanner. This exploit seems to rely on the delivery of said rootkit.

Tim