Intel security alert: Local APIC Elevation of Privilege

[ I just noticed a new (September-era) announcement on the Intel Security Center. I think this means that their mailing list of these announcements — or at least my subscription to it — does not work, as I did not receive any announcement for this, or the August ones. I emailed Intel about this last month, no reply. If you are waiting for announcements via the mailing list, do not trust it, manually check this web site every few days… 😦 ]

Excerpted summary of announcement:

Intel ID: INTEL-SA-00045
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Last revised: Sep 03, 2015
Impacts: Intel Server Board S5500HC Family, Intel Server Board S5500HCT Family, Intel Server Board S7000 Family, Intel Workstation Board S5520SC Family

An issue was disclosed to Intel which leverages architectural differences in processors prior to 2nd Generation Intel Core Processors to gain access to SMM. Administrator or root level privileges are required to execute the attack. Intel is releasing mitigations for a privilege escalation issue. This issue affects certain Intel processors based on older Intel micro-architectures. The issue identified is a method that enables malicious code to gain access to SMM. Intel highly recommends applying the mitigations. Intel would like to acknowledge Christopher Domas of Battelle for working with us on this coordinated disclosure.

Full announcement:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00045&languageid=en-fr

more research on Domas’ x86 memory sinkhole

As reported earlier, Christopher Domas gave a talk at Black Hat Briefings with an interesting Intel vulnerability:

Domas’ x86 vulnerability

Post-Domas Intel BIOS update

In addition to the earlier presentation, there is now a whitepaper:

Whitepaper (PDF): us-15-Domas-TheMemorySinkhole-wp.pdf

as well as sample code:
https://github.com/xoreaxeaxeax/sinkhole/blob/master/sinkhole.asm
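Domas' whitepaper (linked above) describes the sinkhole as relocating the Local APIC register window, via the IA32_APIC_BASE MSR, so that it shadows part of SMRAM; on the pre-2nd-Generation-Core parts named in the advisory the SMRR protection does not prevent this. A practitioner wanting to check a live system for that condition can compare the current APIC window against the SMRR range. The program below is an added example written for this page, not Domas' sinkhole code and not anything from Intel; it assumes Linux with the msr driver loaded, reads CPU 0 only, and uses the architectural MSR numbers IA32_APIC_BASE (0x1B), IA32_SMRR_PHYSBASE (0x1F2) and IA32_SMRR_PHYSMASK (0x1F3). The function names and the file name `apic_smrr_check.c` are the example's own.

```c
/* apic_smrr_check.c: added example, not Domas' or Intel's code.
 * Reports whether the Local APIC MMIO window currently overlaps the
 * SMRR-protected SMRAM range, the configuration the memory sinkhole
 * depends on. Build: gcc -O2 -o apic_smrr_check apic_smrr_check.c
 * Run as root with the msr driver loaded (modprobe msr). */
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

/* Architectural MSR numbers (Intel SDM vol. 4). */
#define MSR_IA32_APIC_BASE     0x1B
#define MSR_IA32_SMRR_PHYSBASE 0x1F2
#define MSR_IA32_SMRR_PHYSMASK 0x1F3

#define SMRR_VALID (1ULL << 11)          /* PHYSMASK.V: SMRR is enabled   */
#define PAGE_MASK  (~0xFFFULL)           /* both ranges are 4 KiB granular */

/* Physical address of the 4 KiB Local APIC register window:
 * bits 12..MAXPHYADDR-1 of IA32_APIC_BASE (52-bit upper bound assumed). */
uint64_t apic_window(uint64_t apic_base_msr)
{
    return apic_base_msr & 0x000FFFFFFFFFF000ULL;
}

/* Does a 4 KiB-aligned page fall inside the SMRR range?
 * SMRR match rule: (addr & mask) == (base & mask), mask from PHYSMASK. */
int page_in_smrr(uint64_t page, uint64_t smrr_base, uint64_t smrr_mask)
{
    if (!(smrr_mask & SMRR_VALID))
        return 0;                    /* no SMRR at all: SMRAM unprotected anyway */
    uint64_t mask = smrr_mask & PAGE_MASK;
    return (page & mask) == ((smrr_base & PAGE_MASK) & mask);
}

/* 1 if the APIC window sits on top of SMRAM (the sinkhole condition), else 0. */
int apic_overlaps_smrr(uint64_t apic_base_msr, uint64_t smrr_base, uint64_t smrr_mask)
{
    return page_in_smrr(apic_window(apic_base_msr), smrr_base, smrr_mask);
}

/* Read one MSR of CPU 0 through the Linux msr driver; -1 on failure. */
static int read_msr(uint32_t msr, uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = pread(fd, out, sizeof *out, msr) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint64_t apic, base, mask;
    if (read_msr(MSR_IA32_APIC_BASE, &apic) ||
        read_msr(MSR_IA32_SMRR_PHYSBASE, &base) ||
        read_msr(MSR_IA32_SMRR_PHYSMASK, &mask)) {
        perror("read_msr (needs root and the msr driver)");
        return 2;
    }
    printf("APIC window %#llx\n", (unsigned long long)apic_window(apic));
    printf("SMRR base   %#llx  mask %#llx  valid=%d\n",
           (unsigned long long)(base & PAGE_MASK),
           (unsigned long long)(mask & PAGE_MASK), !!(mask & SMRR_VALID));
    if (apic_overlaps_smrr(apic, base, mask)) {
        puts("WARNING: Local APIC window is mapped over SMRAM");
        return 1;
    }
    puts("OK: Local APIC window does not overlap the SMRR range");
    return 0;
}
```

Two caveats for anyone using this as a check: IA32_APIC_BASE is per logical processor, so a real scan should read it on every CPU, and a single snapshot can miss a remap that is only held across one SMI and then restored. A PHYSMASK with the valid bit clear is reported as "no overlap" because there is no SMRR range to overlap, but that state means SMRAM is unprotected regardless of where the APIC sits. On the boards in the advisory the actual fix is Intel's BIOS update, not a runtime check.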

Post-Domas Intel BIOS update

Intel has released BIOS updates in response to Domas’ recently disclosed vulnerability:

Domas’ x86 vulnerability

Title: Local APIC Elevation of Privilege
Intel ID: INTEL-SA-00045
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Aug 04, 2015

Intel is releasing mitigations for a privilege escalation issue. This issue affects certain Intel processors based on older Intel micro-architectures. The issue identified is a method that enables malicious code to gain access to SMM. An issue was disclosed to Intel which leverages architectural differences in processors prior to 2nd Generation Intel Core Processors to gain access to SMM. Administrator or root level privileges are required to execute the attack.

Affected products: Intel Server Board S5500BC, Intel Server Board S5500HCV, Intel Server Board S5500HV, Intel Server Board S5500WB, Intel Server Board S5520HC, Intel Server Board S5520HCT, Intel Server Board S5520UR, Intel Workstation Board S5520SC

Intel highly recommends applying the mitigations.

Intel would like to acknowledge Christopher Domas of Battelle for working with us on this coordinated disclosure.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00045&languageid=en-fr

Domas’ x86 vulnerability

UPDATE:

https://github.com/xoreaxeaxeax/sinkhole

Lucian Constantin has two articles (one in Computer World, one in PC World) on Christopher Domas’ Black Hat Briefings presentation.

Design flaw in Intel chips opens door to rootkits
http://www.computerworld.com/article/2962325/computer-processors/design-flaw-in-intel-chips-opens-door-to-rootkits.html
http://www.pcworld.com/article/2965872/components-processors/design-flaw-in-intel-processors-opens-door-to-rootkits-researcher-says.html

The Memory Sinkhole – Unleashing an x86 Design Flaw Allowing Universal Privilege Escalation
Christopher Domas
https://www.blackhat.com/us-15/briefings.html#the-memory-sinkhole-unleashing-an-x86-design-flaw-allowing-universal-privilege-escalation
“In x86, beyond ring 0 lie the more privileged realms of execution, where our code is invisible to AV, we have unfettered access to hardware, and can trivially preempt and modify the OS. The architecture has heaped layers upon layers of protections on these negative rings, but 40 years of x86 evolution have left a labyrinth of forgotten backdoors into the ultra-privileged modes. Lost in this byzantine maze of decades-old architecture improvements and patches, there lies a design flaw that’s gone unnoticed for 20 years. In one of the most bizarre and complex vulnerabilities we’ve ever seen, we’ll release proof-of-concept code exploiting the vast, unexplored wasteland of forgotten x86 features, to demonstrate how to jump malicious code from the paltry ring 0 into the deepest, darkest realms of the processor. Best of all, we’ll do it with an architectural 0-day built into the silicon itself, directed against a uniquely vulnerable string of code running on every single system.”

Christopher’s slides and paper are now available:

Whitepaper (PDF): us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf

Slides (PDF): us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf