The off-brand 'military-grade' x86 processors, in the library, with the root-granting 'backdoor'
Dive into a weird and wonderful 'feature' of Via's embedded hardware chips
Black Hat A forgotten family of x86-compatible processors still used in specialist hardware, and touted for "military-grade security features," has a backdoor that malware and rogue users can exploit to completely hijack systems.
The vulnerability is hardwired into the silicon of Via Technologies' C3 processors, which hit the market in the early to mid-2000s.
Specifically, the chip-level backdoor, when activated, allows software to feed instructions to a hidden coprocessor that has total control over the computer's hardware. This access can be exploited by normal programs and logged-in users to alter the operating system kernel's memory, gain root, or administrator-level, permissions, and cause other mischief.
This weird and wonderful piece of semiconductor history was uncovered by Christopher Domas, an adjunct instructor at Ohio State University in the US, who presented his findings on Thursday at the 2018 Black Hat USA security conference in Las Vegas. He offered further in-depth details in a companion GitHub repository that also contains code for detecting and closing the backdoor if found.
"The backdoor allows ring 3 (userland) code to circumvent processor protections to freely read and write ring 0 (kernel) data," according to Domas. "While the backdoor is typically disabled (requiring ring 0 execution to enable it), we have found that it is enabled by default on some systems."
Here's a demonstration of an exploit executing a special sequence of instructions to make the coprocessor alter kernel memory and escalate a program's privileges to root on a Linux-flavored vulnerable machine:
If the backdoor is enabled, when the x86 CPU encounters two particular bytes, it passes a payload of non-x86 instructions, pointed to in the
eax register, to the coprocessor to execute. This code reaches into kernel memory and upgrades the running program's access rights to superuser status.
Domas codenamed the backdoor "Rosenbridge," and described the coprocessor as a non-x86 RISC-like CPU core embedded alongside the x86 core in the processor package. He differentiates it from other coprocessors where vulnerabilities have been identified, such as Intel's Management Engine, by noting that it is more deeply embedded. It has access to not just the CPU's main memory, but also to the register file and execution pipeline, he said.
In theory, backdoor access should require kernel-level privileges, but according to Domas, it is available by default on some systems, which means userland code can use the feature to tamper with the operating system.
Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit itREAD MORE
Not everyone agrees "backdoor" is the right term. Thilo Schumann, an electrical engineer based in Germany, in a tweet argued the exceptional access is a documented feature of the Via C3 in that it allows non-x86 software instructions to be executed alongside x86 code. In other words, it is used to extend the x86 core's instruction set with bonus instructions, which are executed by the coprocessor.
Bit 0 in the C3's Feature Control Register (FCR) can be set to enable an alternate instruction set, according to the C3 Nehemiah data sheet. The default setting uses the x86 instruction set; setting the bit to 1 enables the alternate instruction set (ALTINST).
"This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture," the data sheet explained. "For example, in the alternate instruction set, privileged functions can be used from any protection level, memory descriptor checking can be bypassed, and many x86 exceptions such as alignment check can be bypassed."
The data sheet stated this is intended for testing, debugging, and special applications. It advises customers who need access to contact Via, because the coprocessor's instruction set appears not to be publicly documented. Therefore, while you can enable the hidden CPU yourself, you'll need help writing code for it. Enabling it also means programs can bypass the x86 core's security mechanisms, so it's not ideal for general-purpose systems.
The access technique described by Domas works with Via C3 Nehemiah chips, which were made in 2003. The C3 line was aimed at industrial hardware, healthcare equipment, ATMs, sales terminals, and the like, yet also powered some consumer desktop and mobile computers.
The data sheet, however, says special access is available in all C3 processors, not just the Nehemiah family.
"While all VIA C3 processor processors contain this alternate instruction feature, the invocation details (e.g., the 0x8D8400 'prefix') may be different between processors," the docs explain.
Domas downplayed the impact of his findings, noting that subsequent generations of the fifteen-year-old chip don't have the backdoor. He considers the work primarily of interest to researchers. But for those who happen to know where a cash machine running a 15-year-old C3 might be found, the flaw might merit more than academic interest.
Via Technologies, a Taiwan-based chip designer, did not respond to a request for comment. ®