Win 7, Server 2008 'Total Meltdown' exploit lands, pops admin shells
Plus: Xen admins – you need to get patching your patches, too
If you're not up-to-date with your Intel CPU Meltdown patches for Windows 7 or Server 2008 R2, get busy with that, because exploit code for Microsoft's own-goal flaw is available.
Microsoft issued an update in late March after Swedish researcher Ulf Frisk turned up what he dubbed “Total Meltdown.” The bug Frisk found was that in Microsoft's Windows 7 and Server 2008 R2 mitigations for the Meltdown design flaw in Intel chips, released in January and February, Microsoft made the situation even worse. Previously, malicious apps and logged-in users could exploit Meltdown to extract secrets from protected kernel memory.
With Microsoft's broken Meltdown mitigation in place, apps and users could now read and write kernel memory, granting total control over the system. This was due to Redmond's engineers accidentally marking the page tables, which describe the computer's memory layout, as readable-writable for usermode programs, allowing normal applications to rejig memory mappings as necessary to freely access kernel virtual memory.
Mad March Meltdown! Microsoft's patch for a patch for a patch may need another patchREAD MORE
If you're using Windows 7 and Server 2008 R2 on an Intel-powered machine, make sure you're using the very latest fixed mitigations for Meltdown.
Now, a researcher going by the handle XPN has posted code to exploit Microsoft's cockup to spawn an administrator-level command line shell as a normal user. XPN's contribution was to work out a four-step process for an attacker to manipulate the page tables:
- Create a new set of page tables which will allow access to any physical memory address;
- Create a set of signatures which can be used to hunt for _EPROCESS structures in kernel memory;
- Find the _EPROCESS memory address for our executing process, and for the System process; and
- Replace the token of our executing process with that of System, elevating us to NT AUTHORITY\System.
XPN demonstrated the privilege escalation in the video below...
Xen also fixes Meltdown fix
The team at Xen has turned up a bug in its January workaround for Meltdown, and is asking sysadmins to run in another patch.
If a paravirtualisation (PV) guest has no handler for INT 80 on one of its virtual CPUs, the system will try to write a zero “to an address near 2^64” – and hose the entire host. The remedy is to apply new patches. "Only x86 PV guests can exploit the vulnerability," the Xen project noted. ®