Old Intel processors: vulnerable to rootkits New Intel processors: shipped with rootkits
@confrontation47412 жыл бұрын
🤣🤣🤣
@pwnedshift17 жыл бұрын
this blew me away. dude looks like Cypher from The Matrix, too.
@MrFujinko3 жыл бұрын
they really sent him back famous, not an actor though.
@LouSaydus7 жыл бұрын
I like the "oh btw I made a c compiler that only compiles to mov instructions". Jesus Christ......
@nathangek7 жыл бұрын
Yeah lol I feel like a total amateur right now
@EwanMarshall7 жыл бұрын
Yeah, that was last years presentations....
@useraccout16357 жыл бұрын
"oh and one more thing, I'm able to make IDA display selfies"
@NolePTR7 жыл бұрын
the movfuscator is awesome lol, but you should check out trapcc. 0 instructions.
@roax2067 жыл бұрын
the way I interpreted it was that he made a brainfuck to MOV only asm compiler then decided to make a C to brainfuck or C to MOV only asm compiler. either way the optimization would be terrible unless that was all you had to work with.
@AkashMishra237 жыл бұрын
This Guy is a Frickin God
@randomuser52376 жыл бұрын
That's funny because in Defcon 2018 he calls the particular MSR bit that enables him to unlock the processor as the "God mode bit".
@Reth_Hard6 жыл бұрын
Never give your IP address to this guy, under any circumstances! :P
@c.holliman18715 жыл бұрын
We all are . What do you think keeps our heart going. If you believe in separation you get it just those who lost in the 1929 crash with a heart attack. Enjoy.. I will debate no further. To each his own journey.
@sepg50845 жыл бұрын
@Sam Rocks the exploiters are all outta Russia, China, and NSA though.
@aladdin86233 жыл бұрын
He is not god but gifted by god. It seems, there are much more flaws in the x86 design, as we think.
@kyouhyung6 жыл бұрын
This guy essentially started the whole Intel CPU security fiasco nowadays... Before this day, no one thought the CPU could be this vulnerable.
@Degenerate764 жыл бұрын
Indeed. Check his Linkedin... Started working for Intel as senior security researcher in 2018... I bet they made him quite an offer. This guy was too dangerous to them to remain on the outside.
@cortexauth40944 жыл бұрын
@@Degenerate76 Nah, he probably wanted to join too. He has access to lot of resources and a community of like minded people now
@TheMrKeksLp4 жыл бұрын
@@cortexauth4094 Sounds a lot like a win-win. He gets paid up the nose to work on interesting stuff and Intel get their shit patched
@w3w3w33 жыл бұрын
@@TheMrKeksLp yea this guy is awsome!
@fss17043 жыл бұрын
@@TheMrKeksLp yeah, it's not like they have a patent on a backdoor
@kentvandervelden7 жыл бұрын
Of course, change that last 3 to a 4 to root that system. Every presentation this guy gives is amazing!
@alexweej7 жыл бұрын
You need to get the root kit installed from ring 0 first...
@nindger42705 жыл бұрын
I've worked my way back from more recent talks to here, and every single talk by this guy is awesome, he's just amazing. Half the time I'm just sitting here in disbelief with a stupid grin on my face.
@douggale59627 жыл бұрын
27:35 validate the limit: `8026: test ax,ax; jz invalid_gdt`, validate the base: `802F: test eax,eax; jz invalid_gdt` - Can be mitigated with BIOS flash.
@svampebob0077 жыл бұрын
lol the talk was just amazing... the selfie was the cherry on top.
@svampebob0077 жыл бұрын
also unrelated I see that KZbin has bee messing around with their suggestion algorithm... most of the comments are no older then 2 days, most of them are less then 24h old, while the video is from 2016 (kinda) and originally only had three comments.
@metalim7 жыл бұрын
Lol! Perfect bug for sales. "All old processors are vulnerable and can't be fixed. Quick! Buy our new crap!"
@diotough6 жыл бұрын
Brilliant find but since it requires Ring 0 access to implement the rootkit you need to work along other exploits to get to that level - or secret services modifying whole shipments prior of delivery.
@altimmons4 жыл бұрын
I had sworn the introducer walked away and came back. But then I rewinded it and saw the beard differed
@kennyken76046 жыл бұрын
"really this is unpatchable" and i believe him. this guy was talking alien to me
@Altirix_3 жыл бұрын
i do miss this guy, hope hes done some amazing things while working at intel. rosenbridge was never released, I guess what he stumbled upon was so powerful and so close to getting the concept to work.
@travislee96187 жыл бұрын
This guy is of a special breed... not many left like him.. to get into ring -2 with 4 BYTES of code is God like.
@seremetvlad6 жыл бұрын
all of them
@morgulbrut6 жыл бұрын
that's not some stuff you learn in classes. but electronics engineering, processor architecture and embedded stuff may help you. and maybe some yoga and meditation to learn to handle the frustration of debugging stuff for hours and hours. and please, just keep in mind, that guy write a compiler which compiles C into a bunch of mov operation, or figured out a way to flip people the finger when they look at his code in IDA.
@seremetvlad6 жыл бұрын
@Reyes25111 6.004, 6.035, 6.828 on ocw is a good start
@ko-Daegu6 жыл бұрын
morgulbrut What does that men’s c complied to mov .. Like why is it so big deal
@morgulbrut6 жыл бұрын
@@ko-Daegu exactly what I wrote. If you look at the assembly, compiled with that compiler, you only gonna see tons of mov instructions. Which makes it super annoying to reverse engineer.
@sebastianelytron84505 жыл бұрын
On a scale of 1 - 10 how genius is this guy? Yes.
@TahreyUK6 жыл бұрын
OK, trying to get my head around how you go from Ring 3 to Ring -2, _via Ring 0 which you've ALREADY cracked_ (the granting of Root to a Ring 3 process essentially just being a nice side effect and probably possible with the rootkit alone)... is the crucial thing the installation of that Rootkit, as a system driver? Thus making this actually a two-stage vulnerability: the extremely edge-case CPU attack is the second layer, and just as important is the security hole in either the operating system proper, or the user's head, allowing installation of (and thus granting of ring 0 privileges to) unsigned drivers one way or the other?
@cbrpnk7 жыл бұрын
This is probably the 1337est presentation I've watched. If you know of a crazier (or even comparable) hack please please please, let me know.
@SpaghettiToaster7 жыл бұрын
cbrpnk Rowhammer.
@VenturiLife7 жыл бұрын
Very, very impressive stuff...
@CodeAsm7 жыл бұрын
Watch more of his presentations and other Blackhat/Defcon/CCC(media.ccc.de on youtube) videos. also there is www.phrack.org/ :D so many cool things, stop watching and just do some hacking yourself ;) I cant staph watching hours of these
@Mellowbaton7 жыл бұрын
Alt + F4
@dax3m7 жыл бұрын
Be aware of the exact time when to hit Delete/F2 only ONCE to access BIOS.
@DontEatFibre7 жыл бұрын
People like this are invaluable
@matthewkuhl795 жыл бұрын
How does this not have dozens of times the views???
@randomuser52376 жыл бұрын
There is an error at 3:25, when he typed the last `whoami` it should have said: # whoami God
@Roxor1287 жыл бұрын
I was grinning like a maniac while watching this. An incredible finding. Bloody brilliant!
@ming3706 Жыл бұрын
It takes a lot of dedication, intelligent, and craziness to test this out
@samiraperi4677 жыл бұрын
"We must go deeper." Ringception?
@dax3m7 жыл бұрын
Sounds like a hitech rim job.
@offmeds2nite9 жыл бұрын
This is a Beautiful thing.
@dairyqueen40537 жыл бұрын
the brother hood of nod selected
@fss17046 жыл бұрын
+ttfd little late to get friends with 88 doc.
@OskarNendes4 жыл бұрын
I wonder how is the discovery of this type of vulnerability. Such thing could be a much more valuable asset than 'here is another exploit'. How is the process of finding such labyrinth of forgotten backdoors?
@chomo54andbabyaisha973 жыл бұрын
If you're interested in the thought process of a pen tester, you need absolutely to watch channel LifeOverflow
@leahparsuidualc6666 жыл бұрын
If you can't punt the ball - move the field ...
@bencesarosi77186 жыл бұрын
Absolutely brilliant presentation. Stunning!
@TehJumpingJawa7 жыл бұрын
If Intel fixed the issue in Sandybridge, doesn't that imply that they were aware of the issue at some point prior to Sandybridge's release? Given the wide-reaching implications of this exploit (a Ring 0 breach elevating to Ring -2 potentially renders the system hardware itself untrustable from that point forwards), shouldn't Intel have immediately disclosed knowledge of this flaw so that security policies could be updated to account for the increased scope of vulnerability?
@mapesdhs5977 жыл бұрын
Maybe they did disclose it, but only to selected parties while they worked out a solution. If they didn't, maybe that was because it would make little sense making it public if at that time they were certain nobody else knew about it yet, or at least nobody about whom they need worry. Meanwhile, they work out a solution and plan a future arch fix. Reminds me a little of when Bletcheley Park discovered imminent attacks via broken Enigma messages (city bombings, sub attacks, etc.), but they could not act on the information because that would give away the fact that Enigma had been cracked (vaguely recall Coventry was one such target); people had to be allowed to die to keep the cracking of Enigma secret and thus useful. Sometimes it's better to stay quiet, and meanwhile work out very carefully who needs to know and when. I expect the first Intel would have told would be the NSA, etc. Good question to ask though! Obviously a very difficult area to define in terms of policy and actions/response. There are probably disclosure procedures in place that are not public; bit like there are parts of the UK's OSA which are secret. :D ie. I would be surprised if Intel did not have (already) relevant arrangements in place with security agencies, and then later the OEMs, etc., but if they do, it makes sense for any such procedures to not be in the public domain.
@MrJason0057 жыл бұрын
or really they should have kept it hush-hush so it wouldn't spread like wildfire to hackers who wanted to abuse it for bad, and only disclose it *after* it was "fixed"
@markpenrice62536 жыл бұрын
@@MrJason005 That's essentially the idea behind Responsible Disclosure, and likely what happened here. Unless you want to be an asshole to the entire world, you let the CPU makers know you've discovered a sploit like this quite some time before revealing it to all and sundry.
@brianx24052 жыл бұрын
ty chris domas - this & the hidden risc core in x85; such awesome research. lol so d0pe!
@chounoki7 жыл бұрын
Great talk. And also very lucky that the SMM code was written in a way that helped sinkhole.
@chounoki7 жыл бұрын
While on the other hand, self-modifying code is the foundation of all modern anti-tempering protection used on software and games.
@zaitarh2 жыл бұрын
HIs first attempt reminds me of Commodore 64 code, where you also sometimes make the processor execute code in IO registers... Not for the same purpose of course... just to save some cycles
@naltronix99046 жыл бұрын
a gestalt vulnerability, interesting amazing talk
@ashokmadridista26647 жыл бұрын
you are a beautiful creature domas!
@labrat2562 жыл бұрын
24:40 What is ropping? I don't understand the phrase "APIC-ropping"
@ruroruro Жыл бұрын
ROPping == Return-oriented programming
@dascandy7 жыл бұрын
Did you highlight the wrong entry in the GDTs? You have the null entry and then entry 0x8, and then 0x10 as the third entry. You have two between it...
@Valendian20097 жыл бұрын
dascandy I spotted that too. I ts an easy mistake to make though
@vink61637 жыл бұрын
I'm no expert, but at 28:15 he says the jump transitions from 16-bit protected mode to 32-bit protected mode. In 16-bit protected mode could the GDT entries be only half the size perhaps?
@Valendian20097 жыл бұрын
Vink no they are identical. The far jump selects the entry you want to jump to. The entry itself specifies whether the segment contains 16bit or 32bit code.
@markpenrice62536 жыл бұрын
Didn't he say Long Mode, which is 64-bit? Or am I mixing up videos?
@vladimirarnost80204 жыл бұрын
Since the SMM code can't be highjacked at run-time, how about changing the *actual* SMM code and injecting the rootkit there? 1. If the SMM code resides in ROM (EPROM, FLASH), the game would be over. 2. However the code shown in the presentation is self-modifying so SMM code resides in RAM and it must be writeable by the CPU. Let's explore what happens when the computer starts: The system memory contents in largely unpredictable (zeroes, FFs, garbage, operating system leftovers...) and thus no usable code may run from RAM until the computer loads something in it. Therefore if SMRAM resides in normal RAM (your trusty DIMMs), the system management code must be first copied there from BIOS memory (ROM/firmware) by the BIOS. That means that BIOS code needs to be able to override (disable) the MCH SMM memory protections so that it can copy the SMM code and data into RAM whilst *not* running in SM mode. If any SMI interrupt was triggered before the code is completely copied over, it would probably reset the machine so it's very likely the SMI interrupts need to be disabled by the BIOS until SMM is safe to execute. All the keys to this must lie in the computer firmware (the BIOS): the actual SMM code, the SMM initialization, MCH protection mechanism control, etc. It's quite possible that once MCH SMM memory protections are enabled by the BIOS, the protections can no longer be disabled by anything, i.e. it would be a one way hardware latch. However, this is just a conjecture. It would be worth the effort to disassemble (possibly after decrypting) the BIOS and SMM code and see how it's actually installed in RAM. Secondly, see if it's possible to modify the SMM code in the firmware image before flashing it. It is probably encrypted and digitally signed but the signature checks might be overridden by modifying the BIOS code checking them. Not easy but not impossible either. Since it took me just a while to come up with these ideas, I'm probably not the first to do so and these possible attacks have already been dealt with. 3. What happens if the computer has no DIMMs installed? Does the SMM code still run (perhaps from BIOS ROM)? Does power management, USB keyboard emulation and other SMM features work without DIMMs? If so, then it's very likely SMRAM resides in its own dedicated physical memory integrated into the chipset and not in DIMMs. Anyway, these are just my ideas after watching this jaw-dropping presentation at 2am. :)
@denysvlasenko49523 жыл бұрын
> It would be worth the effort to disassemble (possibly after decrypting) the BIOS and SMM code and see how it's actually installed in RAM. No need, just pull Coreboot source and read it...
@dufflepod7 жыл бұрын
Outstanding work
@ddvelzen7 жыл бұрын
Really good talk!
@sreeragm83665 жыл бұрын
Any suggestion for hardware/software tools for hack/reversing?
@tw75227 жыл бұрын
Great talk. Great speaker
@Spaztron645 жыл бұрын
Heh, unreal mode. 32-bit addressing without memory protection of any kind. Pretty much the backbone of XMS memory.
@BeHappyTo6 жыл бұрын
isn't ring 0 like the most root ring? negative rings for vm's and positive for normal apps?
@user-ge4uk9ui8y3 жыл бұрын
Rings are an illusion. It's a number that simply defines the IO privileges, 0, 1, 2 can do IO instructions, 3 can't.
@JohnSmith-ws7fq6 жыл бұрын
Amazing work. Also somewhat terrifying.
@TheNoodlyAppendage3 жыл бұрын
Does it affect my abacus?
@ThisShinigami7 жыл бұрын
And here we have Kane, before he gets involved with the Nod
@TahreyUK6 жыл бұрын
Who says he isn't?
@MrNubix5 жыл бұрын
This i by far the most insane exploit i've seen so far
@ThisShinigami7 жыл бұрын
How does one even go about making a mov instruction compiler...? Is there some sort of BNF notation on how it interprets stuff?
@FirstNameLastName-kd1yy7 жыл бұрын
i would assume that one begins with an instruction like mov ds zero mov ds[zero] zero kidding aside, you should check out his talks on how to make reverse engineers rage quit (he made a few; I love the one that makes Ida Pro windows a pixel buffer). Here's movfuscator, specifically: kzbin.info/www/bejne/iGiodqKNnJt4oc0
@JorgetePanete7 жыл бұрын
But can you do it in 0x A Presses?
@zwz.zdenek7 жыл бұрын
Wouldn't it help to add a few checks into the SMM interrupt routine? Are the numbers returned within a certain range? Maybe add some changing (as in stack protection) magic numbers where the APIC doesn't have its writable registers?
@TahreyUK6 жыл бұрын
Well, that's essentially what Intel have implemented, at the hardware level. The two memory ranges can no longer be set as overlapping, as of hardware coming out of its factories from about five years ago onwards. Implementing similar on older systems would require a firmware update to the EFI BIOS, and, well ... when was the last time _you_ bothered checking for one of those and installing it? Even though you're probably a fairly computer savvy person with security in mind? Even back in the bad old days when a motherboard's supplied firmware could be ropey as hell and require an update just to make certain built in features work correctly, you needed an internet connection to do that, to know that it was likely the cause of your trouble, and to go looking for it on the manufacturer's website. Then undergo a rather messy and risky process to reflash it. It's a little easier and more reliable these days, but I'd expect the knowledge of the need or even ability to do that amongst the general computer-using public to be effectively nil. Like, maybe a couple of percent, and the proportion of _those_ who actually bother to be about as small. Thus even if everyone who knew about the vuln and could be bothered to apply it did so, you'd be fishing in a pretty big pool of unpatched systems. Add to that the fact that the people who are more likely to patch their firmware are also amongst the earlier-adopter crowd and will have replaced their CPU by now anyway, and you have the only remaining potentially-vulnerable systems being almost universally wide-open to the hack.
@aaronr.96445 жыл бұрын
fantastic talk
@unfa006 жыл бұрын
Mind boggling. And terrifying.
@stutavagrippa86902 жыл бұрын
For a malicious virus, you could make a fake driver that installs the Ring -2 rootkit. Drivers run in Ring 0 (or ring 1 or ring 2 on really old OSes).
@DjVortex-w6 жыл бұрын
So you can install a rootkit that's quite literally _impossible_ to detect, because the processor architecture has been designed for that code to be impossible to access by anything, no matter what you do. And this isn't supposed to sound scary?
@chomo54andbabyaisha973 жыл бұрын
Not to the three letter agency which installs the root kit before the computer is shipped to you
@PamirTea7 жыл бұрын
3:01 magic
@slap_my_hand7 жыл бұрын
This really reminds me of arbitrary code execution in console games.
@KuraIthys7 жыл бұрын
Mmh. Well, console games don't tend to have much in the way of security. At least, not the older ones. Granted things changed when you got operating systems and menus and stuff... But on an old school game console the game has absolute control over the system at the lowest level. Literally everything the game does is executing at the lowest privilege level possible. (not that those old processors even had any such security, but if they did this akin to getting everything running in ring 0) So naturally, since there is no innate security, any security that DOES exist is in the game code itself. And... Well, when every cpu cycle counts, why would you put security into a game that has exclusive control over the entire system anyway? The only thing you'd maybe try and secure is stuff that you know would be directly exploitable, such as a password save scheme. But even then it's not like you'd put serious security in it. Still... The kinds of arbitrary code execution that can be possible in some games, as well as the methods used to initiate it can be quite hilarious. XD
@moth.monster5 жыл бұрын
@@KuraIthys It's the "making code do what it shouldn't by sending small amounts of data into a specific part of memory" that's similar
@deckard5pegasus6733 жыл бұрын
soon there will be Ring -9999
@watcher88195 жыл бұрын
"design flaw" is a funny way of saying backdoor .-.
@Architector_45 жыл бұрын
Backdoor to ring -2? Who and why would ever want to implement that? Like, if NSA or whoever can make Intel do things, why wouldn't they just make them include NSA code in SMM straight up?
@shukterhousejive7 жыл бұрын
Going beyond the 68k instruction set was a mistake
@markpenrice62536 жыл бұрын
The 68000 and 8086 came out pretty much at the same time as each other, so I'm not sure what your point is.
@mikafoxx271711 ай бұрын
Risc, save us.
@Vsor7 жыл бұрын
What is ropping?
@MrPindi057 жыл бұрын
Prometheus Return Orientated Programming, it's useful when you can't modify what's in the memory but you can control the pointer. It's actually how some of the first e-Voting machines in the US were pwned.
@fss17046 жыл бұрын
+MrPindi05 interesting, do u have more info on that?
@Vsor5 жыл бұрын
@@MrPindi05 bump
@tuxlector5 жыл бұрын
At a time of writing this comment, there were 30 high-positioned intel employees watched this video.
@jamcdonald1206 жыл бұрын
awe :( I was hoping to get ring -2 access to my pc
@TahreyUK6 жыл бұрын
You can, if you follow these instructions, and it's an older Intel system or probably a current AMD one. Quite what you're going to do with it when you get there, though? This exploit is mainly useful for fucking up other people's machines, stealing their data, etc. You're not going to unlock some kind of secret 2x execution speed mode or a hidden 32GB of RAM or whatever. It's kind of like breaking into an exceptionally well-locked janitor's closet and finding a mop and some large bottles of industrial strength bleach, and that's about it.
@sent4dc7 жыл бұрын
Wow, that was beautiful. But seriously, Lord of the Rings, i.e. Intel, how many rings do we need? In 10 years there'll be ring -10.
@VestinVestin7 жыл бұрын
Lord of the Rings, eh? You mean that story about Frodo dumping ring -2 into the zeroes of Mount APIC?
@morgulbrut6 жыл бұрын
One ring to rule them all... So wait since the One Ring doesn't get found but founds itself, maybe Domas didn't found a a way to reach Ring -2, but Ring -2 founds a way to reach Domas...
@iMPRE7ed7 жыл бұрын
This guy...
@rj4885 жыл бұрын
why do all the speakers at black hat conferences use windows? when clearly a lot of their work in done on linux / in unix environments?
@chomo54andbabyaisha973 жыл бұрын
He also used Ubuntu, which is a GNU/Linux distro
@kazkz53314 ай бұрын
AMD's backdoor is finally coming into the spotlight.
@losttownstreet34097 жыл бұрын
I thought it was fixed back in the 90'th, the flaw was well documented in a 3x86-architecture guide book to be check by the basic operarating system (build386 this time). There where even an special interrupt and jump gate for this type of security problem.
@vink61637 жыл бұрын
How could it be fixed on the 386 when the APIC wasn't introduced until after the Pentium?
@eternalillusion7 жыл бұрын
Beastmode.
@Stallnig3 жыл бұрын
pure sorcery.
@dlwatib5 жыл бұрын
My computer just became a doorstop.
@metaforest5 жыл бұрын
He kinda slides by the fact that you must have Ring 0 before you can Take over Ring -2. His first demo shows what you can do AFTER you have compromised the system. Overall scary great talk, but the misdirection in the first 10 minutes was a cheap coin trick.
@stutavagrippa86902 жыл бұрын
It's not hard to get a user to install a driver that runs this rootkit.
@deedeewallllll0014 ай бұрын
Impressive !!
@S3thc0n7 жыл бұрын
I must've missed how he wrote to address 0 from Ring 3? Anyone catch that?
@kasperholmhansen88127 жыл бұрын
He doesn't. The talk is about privilege escalation from ring 0 to ring -2 In his demo he isn't escalating to ring -2, but instead escalating from ring 3 to ring 0 with the smm rootkit that he (partly) made.
@vink61637 жыл бұрын
He did it from ring 0. You have to be in ring 0 to install the rootkit. Once it's running you can signal it from ring 3.
@btwbrand6 жыл бұрын
Now it's possible to access ring 0 from ring 3 have a look at youtube vid v=_eSAF_qT_FY
@markpenrice62536 жыл бұрын
Yeah, that threw me as well. The opening of the talk is about reaching ring 0, ie OS kernel / root account from ring 3, plain old non-admin user space. Then suddenly we're starting from ring 0 and jumping up to ring -2 instead? How do those two things gel together? Oh hey I've got a way you can break you out of prison to roam free within the boundaries of your home country... _oh, cool, how do I do that then?_ Well, it's simple. You start from outside the prison, then you use this trick to cross the border and head out into international waters on a boat. ...uhhhh OK. If we've _already_ got ring 0 access, in order to install the kit, what's the point of being able to break into ring 0 from ring 3?
@TahreyUK6 жыл бұрын
Having watched it a couple times and learned a little about rootkits on the side, I guess the crucial thing is that the main exploit installs as a driver? Thus the real vuln is in the OS driver installation functions not checking for signatures (or having weak and easily faked sigs), or in the end user installing random crap despite getting a UAC (or similar) popup out of nowhere warning them that something was trying to alter the system files. No unsigned driver installation, no hook for the rootkit to launch from. The userland program can do what it likes, without breaching security, because there's nothing sitting there waiting to receive the magic cookie and perform the necessary subterfuge within the processor, which then takes you from Ring 3 to Ring -2 _via_ an existing, smaller Ring 0 exploit. Thus if you're not really bothered with anything Ring -2 can do, you can just modify the interstitial rootkit and pwn the OS using that instead.
@MrFujinko2 жыл бұрын
Cipher himself.
@Stopinvadingmyhardware2 жыл бұрын
By design
@VeraTR9092 жыл бұрын
Def a wizard, the different hats, this magic it all makes sense now.
@tubaterry7 жыл бұрын
Around the 21 minute mark - I'd be curious to know if he got any inspiration from the Super Mario World speedrun glitch where they used game state to code an overflow. kzbin.info/www/bejne/fqmpmWR5f7Slirc edit nevermind this was 2 years ago
@o0julek0o7 жыл бұрын
Chris Terry let's be realistic, sethbling, and I assume what you linked is sethblings video, is nowhere near smart enough to do this himself. He's by no means dumb, but he isn't like the guy in this video.
@Esparzamx7 жыл бұрын
Hail Domas!
@samuraijack59194 жыл бұрын
I just found out what I want to do with my life.
@Super13373577 жыл бұрын
I'm not sure I understand the point of this. You start in Ring 0 which means you already control the system.
@pufero17 жыл бұрын
he did it on non root account and just gain root access whiteout the hardware secure platform trigger on hard and kernel/hypeadrvisor ever notice. The only lowest on newest machines will be infect the intel management engine/bios the cpu starts whit the shit inside and there is not way detect a shit like that, this ones is the same run code outside the system.
@chrisstackhouse77497 жыл бұрын
The point is if you get in once you're in forever.
@Architector_45 жыл бұрын
You are in partial control at ring 0 - a big one, but still not complete. He mentions that at 7:20 - "if you think you are in control at ring 0, you are aren't even close."
@Grobbekee7 жыл бұрын
Cool! This will make my crypto mining malware so much better!
@htomerif7 жыл бұрын
kind of nevermind reading the rest of this. The attack is based on the Intel template EFI code. Just mung that in some way that breaks the SMM exploit but is otherwise harmless. You know, the same way practically all ring0 code is obfuscated. Do that. It seems just mitigate it by just ensuring that the only place ring0 code can be executed by the SMM doesn't contain malicious code. Just make sure that that segment always contains a specific piece of non-malicious data, and if it ever doesn't contain that, reset the system. It would make it close to impossible time-wise to ever _not_ reset the system by trying this exploit. You'd also have to leave most of the SMM code intact if you wanted an invisible backdoor, so just alter other parts of the SMM code to integrity-check the SMM code.
@vink61637 жыл бұрын
As he says in the video, there are at least three places to exploit the problem in the SMM code. If you "mung" one of them, more will be found. I'm not sure how you propose to ensure the SMM doesn't contain malicious code, I think antivirus vendors have been working on that one for years but still haven't cracked it. When you suggest integrity checking the SMM code, I think you might have missed the part of the presentation where he points out that no code is being modified, so any integrity check would pass as the code is unchanged.
@htomerif7 жыл бұрын
I don't know, maybe I wasnt specific enough. SMM isn't code at all, its a processor state, but SM interrupts do _run_ code and that code lives in protected memory. The only way he presented to make use of this was to (eventually) jump to 0x00000000 and use ring0 to modify _that_ code. Push some kind of update to check and make sure that that only place you can force SMM to jump to contains something harmless. Yeah its bloat and polling won't catch everything, buts certainly better than nothing and in reality it would probably catch nearly all attacks. I mean keep in mind that the exploit is already assuming you have access to ring0 which you need to remap APIC memory. Also: he didn't mention 3 places the SMM could be exploited. He mentioned 3 things he tried and 2 of them don't work. One did. There's only one exploit presented in this video unless I missed something after 42:20, which is where I stopped. x86 assembly is not my wheelhouse. I have done some, but mostly just using SSE instructions to speed up math shit. There's a lot of people who know a lot more than me and a lot who know a lot less and I don't know where you fit in on that scale.
@markpenrice62536 жыл бұрын
Probably be enough to patch the memory hub microcode so that location 0 (which is usually used for booting and maybe some interrupt vectors, rarely much in the way of even kernel let alone user code) is protected other than in certain very specific conditions that completely exclude user code, and maybe even OS code beyond the very earliest stages of booting? Or even keeping it off limits to anything in ring 0 or above, so only the hypervisor and SMM can touch it at all? Then if you force a jump to it, it just acts as if either you've performed a warm reset, or have triggered off an NMI and it ends up running some fairly innocuous driver or other system housekeeping code, dropping harmlessly back out of SMM afterwards without ever coming close to executing arbitrarily dropped-in instructions.
@TahreyUK6 жыл бұрын
@@markpenrice6253 you mean the first 64K... something of a larger chunk to mess with. And as it needs to be writeable by the ring 0 OS anyway (unless we absolutely reserve it for Ring -1 and -2 functions, and force the OS to load higher), it'd still be vulnerable to a malicious rootkit driver.
@denysvlasenko49523 жыл бұрын
@@markpenrice6253 > Or even keeping it off limits to anything in ring 0 or above Also known as "let's just break all x86 compatibility". Before you try to design a fix, you need to know what you are talking about.
@StevenKger7 жыл бұрын
Mind = blown
@mapesdhs5977 жыл бұрын
Rewrite that using only mov instructions. :D
@thesimulacre6 жыл бұрын
Next level
@pxxxxp9113 Жыл бұрын
I saw this guy eating steak with Agent Smith in the Matrix.
@jamespilcher52877 жыл бұрын
this is some fascinating shit
@jimmielittle44144 жыл бұрын
"Now, attempt to imagine the limitlessness of God's knowledge code"
@moth.monster5 жыл бұрын
Lets just start all over and make ring 4 and everything goes there
@mariarahelvarnhagen2729 Жыл бұрын
How Does The Ve Keep The Hat Going On Industrial Encroachment Of The Growth Sector ?
@igorgiuseppe18627 жыл бұрын
0:16 they are siblings?
@dax3m7 жыл бұрын
Exactly my thoughts. Presenter: "Welcome a clone of myself" *audience clap*
@spidermcgavenport87677 жыл бұрын
What keeps me working is nes roms and their memory locs.
@spidermcgavenport87677 жыл бұрын
My most favorite is Ems memory with page frame addressing cc00-efff. But that's my level in Windows. My level in ubuntu you can walk through encryption you can create iso's you can sudo level UMA for ram giving your laptop graphics shared more mb.
@Walter_5 жыл бұрын
Holy damn. Actually finding an exploit when there isn't even an exploit.
@HikikomoriDev7 жыл бұрын
Where the similar exploits in RISC chips ?
@mapesdhs5977 жыл бұрын
Ye gods, I hope not...
@GeekyGizmo0075 жыл бұрын
my mind is blown
@NoxernPL Жыл бұрын
How the hell does he know all of this stuff?
@dedkeny4 ай бұрын
he is a regular on Black Hat. Check out his x86 Instruction Set fuzzing. kzbin.info/www/bejne/gaPOpHWajMiNnbM
@TomasSab3D7 жыл бұрын
what a god.
@Chexsum5 жыл бұрын
i miss coding as much as finding stuff like this out. never got right into x86+ but i respect this guys thought processes
@matthewkuiash2087 жыл бұрын
Every time I see code or tool tips in videos I try to highlight/copy/click off tool tips. ARGH! Too much time at the coal face... (nah - no such thing!)
@fyodor80083 жыл бұрын
I'm scared to like this. Hello CIA. I am not using this for any evil, it's for research purposes ONLY. Quit stalking me