lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 16 Mar 2015 23:34:18 +0000
From: halfdog <me@...fdog.net>
To: fulldisclosure@...lists.org
Subject: [FD] D-RamPage: POC for zero-risk row-hammer exploitation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Although I have no row-hammer affected hardware, I tried to build a POC that allows zero-risk exploitation of row-hammer affected DRAM setups, see [1].

The main idea of the POC is to

* reserve complete rows of physical pages (verified via pagemap)

* remove the cached page of a file suitable for privilege escalation, e.g. a SUID binary or ld-linux, from read page cache, so that it will be read again and probably mapped to a new location.

* trigger a timed read to get it mapped to the only free page position in a contiguous block of physical pages

* hammer the middle of the physical pages block with two buffer rows on each side, on containing the cached target file page

* when modification of target file page in cache is not suitable for privilege escalation, just flush it from cache and start anew.


Without suitable hardware, I've currently not included the hammer assembly code yet. But if someone with an appropriate test system would be willing to assist in testing, I would be glad to add that code also. (I will not put out code without testing).


hd



[1] http://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlUHaLQACgkQxFmThv7tq+408gCdFe5W0mXuRfHdLmXR23eFINta
jA4AnjjEOEinnLScFB+w+Tw0H9h+MBqO
=6H0d
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ