First Fully Weaponized Spectre Exploit Discovered Online (therecord.media) 35
Catalin Cimpanu, reporting for The Record: A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018. [...] The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU. Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security. Software patches were released at the time, but the Meltdown and Spectre disclosures forced Intel to rethink its entire approach to CPU designs going forward.
At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.
At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.
Re: Don't tell Sony Bono (Score:1)
You mean Waly Gisnep? (Come on, it says Waly Gisnep, with a reversed G, not Disney! ;)
Spanks Inside (Score:3, Insightful)
Intel should be punished for ignoring a known risk. Once you reach a certain size to have a significant impact on supply and prices of key components, you should be obligated to report and mitigate risks rather than stick your head in the sand and hope you don't get caught.
Performance Inside (Score:2)
Yes they should be punished for giving their customers what they wanted. For those who don't remember pre-Ryzen days, it was all about performance and how AMD didn't have it.
Re:Performance Inside (Score:5, Insightful)
Re:Performance Inside (Score:5, Interesting)
Well no it's NOT a false dichotomy because I'm not arguing against the pursuit of performance. I'm arguing against the rather myopic stance Intel customers took on focusing on performance like that was the only important thing. Throwing Intel under the bus because they gave customers what they wanted is why there's a saying about "those who forget history". Recent history in this case. One only has to look at the press and social media to see what was important pre-AMD comeback, and it WASN'T security.
Re: (Score:1, Interesting)
How would they know about the drawbacks? The sticker didn't say "Exploit Inside".
I suppose assemblers like Dell may have known, but they were probably thinking, "Since our competitors also use Intel, they'll be in the same boat if the chips are down, and businesses need PC's to function."
Re: (Score:2)
Security wasn't invented when the exploits were discovered. Security simply wasn't important to people (some might argue it still isn't but that's another discussion). Security didn't make people's games run faster. Security didn't make their videos run smoother. Pre-AMD press and media was all about single-core performance and how Intel beat AMD on that score. Just look through all the internet archives pre-Ryzen and AMDs comeback and that's what you will see. The buying public was clear what they wanted f
Re: (Score:1)
When did consumers and small businesses actually intentionally and actively trade security for chip performance? It appears you are merely guessing their preferences.
Further, including a clear disclaimer would still be possible even if most consumers ignored it. That would also give Intel some legal protection.
Re: (Score:2)
You're assuming Intel didn't warn the US Government. Given who was actually in power, you could
Re: (Score:2)
You're assuming Intel didn't warn the US Government.
I am not assuming. This is fact.
And really until it was discovered, no one really believed it could be an issue where the cache was an issue.
Aren't you assuming that? There was a paper a decade before warning about the security issue. So "no one" is not true.
But given 2018 was spent with Microsoft and Linux developers fixing the issues, and 2019 was the public notice.
You seem not to be aware that it was Google that discovered the issue in 2017 and disclosed to others.
Re: Performance Inside (Score:1)
Right. We wanted hackability . . .
I think you've looked a bit too deep into the Kool-Aid man. ;)
Re: Performance Inside (Score:1)
I think you've looked a bit too deep into the Kool-Aid
Either you're mixing your metaphors or we've been using Kool-Aid wrong...
Re: (Score:2)
Right. We wanted hackability . . .
I think you've looked a bit too deep into the Kool-Aid man. ;)
Well... only looking byte deep won't cut it. :-)
Re: (Score:1)
Customers want performance and security. Customers just didn't know about the second issue. It's one of those short-term vs. long-term issues that capitalists often trip over, similar to pollution and worker safety. Greed tends to make owners short-sighted. Boeing, Wells Fargo, and VW are more examples of that.
CEO's tend to be gamblers because those at the top often get there by gambling heavily. Much of their competition lost out of c
Re: (Score:2)
In my book, this is even worse. Holding the performance crown, without the slightest sign of threat from AMD, should have given Intel a chance to pause a little, and check and fix their stuff.
Re: (Score:3)
they are being punished. AMD is taking considerable market share from them; probably Apple and some otherrs will be too in fairly short order here.
Re: (Score:2)
My next Mac will be ARM-based.
My next gaming PC upgrade will be AMD Ryzen.
Thinking about changing my less-than-a-year-old router because it uses a freakin' Intel CPU.
I dropped intel, now using AMD, because Spectre (Score:2)
My current machine is using an AMD CPU because of the Spectre and other security issues of Intel CPUs.
I voted with my dollars.
Shame on you, Intel.
--PeterM
Re: Spanks Inside (Score:1)
What would that do? Woud it make anything better?
I'd rather suggest instead of taking something from them like we are thugs too, we refuse to further let them take something from us. Namely our money. ... and die someplace else where they can be all dicks with blackjacks and hookers all alone by themselves. ... like in deep space. ;)
Almost the same, but with the key difference that if they do not like it, they still got the freedom to fuck off
The forever game. (Score:2)
A never-ending game of cat and mouse. So what have CPU designers done to prevent this from happening in the future?
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3)
Intel has added hardware mitigations in 10th gen AMD simply designed secure from the start. ARM doesn't have hyperthreading/SMT.
You are thinking of metldown. Spectre affected Intel, AMD, and ARM.
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown.
According to ARM, some of their processors are also affected.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
https://meltdownattack.com/ [meltdownattack.com]
Call James Bond (Score:3)
Re: Call James Bond (Score:1)
"Has entered the public domain" (Score:2)
Gee, why didn't they release it under the GPL?
Oh great (Score:2)
Well this is just lovely. A cool new exploit to worry about.
Hooray for the virus makers; they don't just talk about innovating, they do it.
Which Processors? (Score:2)
Meanwhile, HP... (Score:2)
... is marketing a range of laptops actually *called* "Spectre".
What genius.
Like more details.... (Score:5, Interesting)
Re:Like more details.... (Score:4, Informative)
Based on the article and linked sources:
Does the exploit use Javascript?
It's a module for CANVAS. The payload is native AMD64, based on a couple screenshots elsewhere.
Is it for OpenSSH or does it use any TCP service?
No, it's a local exploit. It runs as an unprivileged user and retrieves the contents of /etc/shadow (normally only readable by root).
Does the kernel version matter (there are Spectre mitigations) ?
System-wide mitigations for Spectre generally trade off security vs performance, mostly by preventing speculative execution at critical points. Full mitigation isn't provable as long as speculative execution is enabled.
This appears to be the wrapper code [ix.io] for the exploit. It will choose a payload targeted to specific unmitigated kernels, if available. Otherwise it can fall back on a very slow, but generic, version.
If it's browser based, does one have to be browsing as root or setuid root? Few do that...
No. As with all things Spectre, it's a local privilege escalation (specifically, reading things an unprivileged user shouldn't be able to). It never requires root. It can be exploited by anything which runs arbitrary code. There are proof-of-concept JS exploits, but this one appears to be AMD64 code.
From the little bit I've seen, this code doesn't do anything new. It's just conveniently packaged in a penetration testing suite.
Looks Scary - Not Mitigated by ASLR (Score:1)
The exploits came from a set of pen testing tools that were stolen or leaked from Immunity, who developed SW named Canvas v.7.26. How embarassing for a supposed blue team.
Just when I thought ASLR would prevent alot of attacks by avoiding predictable memory space, from a quick glance at the papers this looks like the type of data leaking reminiscient of how TOR leaks thru exit nodes. Predictive math smarty pants type stuff. The Ch