
Intel Owners with Linux (and possibly linux) warning!!

Mar 15, 2009
132 (0.04/day)
"A researcher recently released proof-of-concept code for an exploit that allows a hacker to overrun an Intel CPU cache and plant a rootkit. A second, independent researcher has examined the exploit and noted that it is so simple and so stealthy that it is likely out in the wild now, unbeknownst to its victims. The attack works best on a Linux system with an Intel DQ35 motherboard with 2GB of memory. It turns out that Linux allows the root user to access MTR registers incredibly easily. With Windows this exploit can be used, but requires much more work and skill and so while the Linux exploit code is readily available now, no Windows exploit code has, so far, been released or seen. This attack is hardware specific, but unfortunately, it is specific to Intel's popular DQ35 motherboards."
That's the Slashdot article; the source is quoted and linked below.

Attacking SMM Memory via Intel® CPU Cache Poisoning
As promised, the paper and the proof of concept code has just been posted on the ITL website here.

A quote from the paper:
In this paper we have described practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory. We have implemented two working exploits: one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM. This is the third attack on SMM memory our team has found within the last 10 months, affecting Intel-based systems. It seems that current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying.

The potential consequence of attacks on SMM might include SMM rootkits [9], hypervisor compromises [8], or OS kernel protection bypassing [2].
Don't worry, the shellcode we use in the exploit is totally harmless (have really no idea how some people concluded we were going to release an SMM rootkit today?) — it only increases an internal counter on every SMI and jumps back to the original handler. If you want something more fancy, AKA SMM rootkits, you might want to re-read Sherri's and Shawn's last year's Black Hat paper and try writing something they describe there.

The attack presented in the paper has been fixed on some systems according to Intel. We have however found out that even the relatively new boards, like e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board — the offsets would have to be changed to work on other boards (please do not ask how to do this).

Keep in mind this is a different SMM attack than the one we mentioned during our last month's Black Hat presentation on TXT bypassing (the VU#127284). We are planning to present that other attack at the upcoming Black Hat Vegas. Hopefully this will not be the only one thing that ITL will entertain you with in Vegas — Alex and Rafal are already working now on something even cooler (and even lower level) for the show, so cross your fingers!

And good luck to Loic with his presentation that is about to start just now...
All I can say is, this is yet another reason I'm happy I'm an AMD user. Though I don't use Linux (much), this can affect Windows and will likely be exploited soon since it's now widely known.
Sep 14, 2005
1,041 (0.23/day)
I was actually reading about the idea of this a month ago. To my knowledge, ALL Intel processors since the 386 are vulnerable to this attack.
Apr 23, 2009
3 (0.00/day)
Somebody should fix the thread title. It says linux 2x, think it's meant to say Windows or Mac since that would make sense after reading the articles....damn....what's Intel gonna do?

I'm gonna lulz if it's another BIOS with microcode update that slows systems down :p
Nov 8, 2006
5,052 (1.23/day)
I was reading about this as well, the exploit could potentially affect any device running an Intel x86 chip. So Macs, or even portable devices, could be at risk.

It's a pretty big security risk considering how widely used Intel chips are...