Tuesday, August 26, 2008

Intel patches the Q35 bug

Yesterday Intel has published an official advisory that addresses the Q35 bug and attack, that we used during Black Hat as one of the ways to subvert Xen 3.3 on a VT-d enabled system (the alternative way was to use the Xen-specific FLASK exploit, that worked even from an unprivileged domain).

One small clarification though: in the advisory they stated that: "Software running administrative (ring 0) privilege can under certain circumstances change code running in System Management Mode." But in fact an attacker might also use this bug to directly modify the hypervisor memory, without jumping into the SMM first, just as we did it with our exploit. Also, in case of e.g. Linux systems, the Ring0 access is not strictly required to perform the attack, as it's just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.

You can download a new firmware for your motherboard from here.

Intel did a good job on handling this bug - not only they recognized the importance of the attack, but also released the patch promptly. Quite positively surprising as for such a big company.

So, now we're free to publish all the missing slides about how we exploit this vulnerability that we had to remove from our Black Hat presentation, as well as the exploit code. However, as I'm going to give 2 presentations at the upcoming ISF conference in Sweden early next week, I thought it would be logical to wait with disclosing this material and present it at this conference, during my technical speech (I will also deliver the keynote for this conference). Of course, as soon as I will get back home (Thursday next week), we will publish the full slides, exploit codes and all the demos, as promised earlier.

Speaking of speaking: also next month, Rafal will fly to Oregon, to Intel campus, for the Intel Virtualization Security Summit, where he will deliver a "compressed" version of our Xen 0wning Trilogy to the technical crowd of Intel employees. Rafal will provide some more details about the HyperGuard project that we do in cooperation with Phoenix Technologies. Also, in October, Alex will visit Kuala Lumpur and present an updated Bluepilling the Xen Hypervisor talk at the Hack In The Box conference.

No comments: