“Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU,” Tom’s Hardware reports, citing a presentation by security researcher Christopher Domas at the Black Hat Briefings conference in Las Vegas.
The command — “.byte 0x0f, 0x3f” in Linux — “isn’t supposed to exist, doesn’t have a name, and gives you root right away,” Domas said, adding that he calls it “God Mode.” The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces (“userland”) run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas’ God Mode takes you from the outermost to the innermost ring in four bytes. “We have direct ring 3 to ring 0 hardware privilege escalation,” Domas said. “This has never been done…. It’s a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86.”
The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it’s entirely possible that such hidden backdoors exist on many other chipsets. “These black boxes that we’re trusting are things that we have no way to look into,” he said. “These backdoors probably exist elsewhere.” Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents.
“Some of the VIA C3 x86 processors have God Mode enabled by default,” Domas adds. “You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless.”
of this story at Slashdot.
Source:: Slashdot