There are Linux patches for ZombieLoad already, but you need to disable SMT/Hyper-threading to be safe. Should you?
Here's an interesting piece of information: Apparently it only takes someone with access to a system - yes, you need to already have some kind of account - 3 minutes to get the root password using a Zombieland exploit.
We had Meltdown and Spectre and other security problems with Intel - but this one's clearly different in nature. This is not good.
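For the OP's question of whether to disable SMT, here is an added example that is not from the thread: a POSIX shell script that reads the kernel's own MDS (ZombieLoad) and SMT state from sysfs and reports whether the mitigation is actually complete. The sysfs base directory is a parameter (assumed default /sys/devices/system/cpu) so the functions can also be run against a constructed copy of the tree.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the Linux kernel's MDS (ZombieLoad)
# and SMT state from sysfs. The base directory defaults to the live tree; pass
# another directory to run the checks against a constructed copy.

# Print the kernel's status line for one vulnerability file, e.g. "mds".
vuln_status() {
    f="${2:-/sys/devices/system/cpu}/vulnerabilities/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown (no $f)"; fi
}

# Return 0 if SMT is off or unavailable, 1 if on, 2 if the control file is missing.
smt_is_off() {
    f="${1:-/sys/devices/system/cpu}/smt/control"
    [ -r "$f" ] || return 2
    case "$(cat "$f")" in
        off|forceoff|notsupported|notimplemented) return 0 ;;
        on) return 1 ;;
        *) return 2 ;;
    esac
}

# Combine both: the CPU-buffer-clearing mitigation only protects the thread that
# runs it, so "mitigated" with SMT still on leaves the sibling thread exposed.
mds_verdict() {
    base="${1:-/sys/devices/system/cpu}"
    case "$(vuln_status mds "$base")" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)
            if smt_is_off "$base"; then echo "mitigated-smt-off"
            else echo "mitigated-smt-on"; fi ;;
        "Vulnerable"*) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Stand-alone use: report the live state. To turn SMT off (as root), either
#   runtime: echo off > /sys/devices/system/cpu/smt/control
#   boot:    add mds=full,nosmt to the kernel command line
echo "mds: $(vuln_status mds)"
echo "verdict: $(mds_verdict)"
```

A verdict of mitigated-smt-on is the case the OP describes: the patch is in, but sibling hyperthreads can still leak to each other.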
>you need to already have some kind of account sounds about as menacing as epic windows exploits that require the user to execute a suspicious file manually
>yes, you need to already have some kind of account So this is a concern for hosting companies and public PCs and basically irrelevant to home/private use.
Robert King
Here you go dude remember to keep it a secret: google.com/
Grayson Lewis
And if the root account doesn't have a password, as any secure system would be set up? What then?
Landon Edwards
You run javascript from every website you connect to idiot. You very well might be able to run it over the internet from a website.
Eli Morris
Fuck
Bentley Morris
I'm pretty sure precision of timers has been intentionally reduced in browsers when Spectre hit in order to prevent exactly that, so no, I do not think you're correct. Show me this exploit running in an up-to-date web browser with mitigations active. If such a thing does not exist, then this is >if you manually run malicious code on your system bad things happen!! No shit
Caleb Miller
glad i never bought into the hyperthreading meme
David Morgan
I'll try to develop it to btfo you intel shills.
Gabriel Ross
is this remote? if not why should I care
Sebastian Smith
Except I don't, shit for brains. Gas yourself.
Owen Brown
>sudo So how long does it take when you aren't already running as root?
Joshua Stewart
>no source
Robert Ramirez
While you need an account for this one, the implications aren't good.
>Post source code to sploit. twitter.com/borrello_pietro His story is that "maybe will release the PoC after Time to have a beer" 2 hours ago.
Yes, that tiny little detail does make the exploit kind of pointless. Still, it'll be interesting to see if he actually delivers a PoC
Ryan Campbell
>Apparently it only takes someone with access to a system - yes, you need to already have some kind of account - 3 minutes to get the root password using a Zombieland exploit. You didn't read the tweet properly and you don't know what you're looking at. That is the first 30 bytes of the shadow file. The password is not present in there. What you can see is about the first 25 bytes of the 128 byte encrypted password. So with this particular PoC, while you could harvest the encrypted password for root given enough time (perhaps, because he is making use of taskset which requires root to use the PoC), it'll take closer to 20 minutes at least and then you're still left with the encrypted password which you'll need to decrypt.
So, no. Not 3 minutes to root.
Camden Young
Yeah, the latest Remote Desktop Service exploit is scarier since it doesn't require authentication, if you still have Windows 7/2008 or lower
>3 minutes to get the root password using a Zombieland exploit. Why would a CPU exploit allow you to reverse the encryption? Is this under the assumption that someone is typing in the root password?
Wyatt Myers
>I'm pretty sure precision of timers has been intentionally reduced in browsers when Spectre hit The timer API, yes, but you can still construct a high-precision timer by having a separate thread spin incrementing a counter.
Jonathan Parker
>3 minutes to get the root password Just for anyone who took that at face value, he's not getting the root password, he's getting the password hash. It is an exploit since you wouldn't normally be able to do that as /etc/shadow is only readable by root, but that itself is just a precaution from an earlier era when passwords were weakly hashed. There isn't anything useful anyone can do with the password hashes.
Aaron Diaz
>yet another hyper-threading bug I'm surprised all current operating systems don't already disallow threads from different security domains from running on the same core. Seems like a really easy fix for 99% of all these bugs with minimum performance impact.
Jaxson Johnson
>he's getting the password hash. heh
>sudo fancyexploit >not just doing sudo cat /etc/passwd and be done in 0.01 seconds very impressive
Robert Perez
Your root exploit appears to require sudo. I too can make a root exploit that uses sudo to gain root. sudo su -
Carter Roberts
passwd doesn't contain the passwords.
Aiden Reed
>while true; do passwd -S user > /dev/null; done What did he mean by this?
Grayson Powell
When passwd runs it probably opens the shadow file in order to reference password info and set/change a user's password. So for a short time, the contents of the shadow file will be cached on the CPU, which is necessary for the side-channel attack.
John Nelson
RDP on the internet is dumb. RDP on the internet with XP is weapons grade retarded and you deserve to get hacked.
Parker Gomez
It's still kind of a big deal; people don't care about vulnerabilities that target individual users. You are literally 100% safe if you just don't execute random files, basically nobody is going to run anything more than a basic metasploit script.
What matters is enterprise and businesses, where often it's relatively easy to get an account. Or VMs on larger cloud platforms where you're letting it be "public" under the assumption that it's secure.
Julian Rogers
i don't get it, the shadow file has the hash so how is the pw on the cpu since he's not brute forcing it
Sebastian Mitchell
>Refuses to release the source code >Has to be run with sudo
lol
John Ramirez
tfw comfy Core 2 is not affected.
Adrian Martin
This is what you dumbass roody-poos get for port forwarding risk of rain.
Jonathan Sanchez
does this need local access?
Owen Sanders
Any access will do
Xavier Wood
bit worrying but the most they could do with me is fuck up my install i do all my banking and such on my phone
>i don't get it, the shadow file has the hash so how is the pw on the cpu since he's not brute forcing it It isn't. OP is a faggot. The guy is reading the contents of the shadow file. If he read enough of it he would have the password hash for root but he would still need to brute force that hash to get the final password.
Jackson Reed
having user permissions doesn't make a single user system more secure
>So for a short time contents of the shadow file will be cached on the CPU, which is necessary for the side-channel attack. Which is why he's running an infinite loop of "passwd -S user" on the host, something that would never happen in real life
Samuel Bennett
>something that would never happen in real life Unless you're trying to exploit the vulnerability...
Alexander Bennett
>not just doing sudo grep root /etc/shadow instead of using root to get it some meme way. Even then, you only have the hash not the password.
Which means you've already got access to the host, so no need for the vulnerability
Grayson Barnes
not sure if you're just shitposting, but: left terminal window is a guest VM, right terminal window is the host. guest VM is getting the root pw hash from the host, not itself
Jose Russell
Yeah except it can leak data from VMs as well, and that's pretty bad
Ayden Thompson
>that's pretty bad true, but how many people are running VMs with "passwd -S user" in an infinite loop?
Evan Cruz
That's just an example. It could be anything. Imagine a process running in the VM that makes use of crypto keys for example. You could retrieve them this way.
Austin Jackson
>You could retrieve them this way. So long as someone is running >while true; do cat mysecret.key; done in their VM, which no one would do
>So long as someone is running No. You don't need to do that. See
Ayden Garcia
>it even works for retrieving URLs by constantly refreshing the page and making sure the URL doesn't get evicted from CPU cache
William Clark
>No. You don't need to do that. Yes, you do. The PoCs require constantly refreshing the data to keep it from being evicted from CPU cache
Grayson Hernandez
Do you have any idea how many programs use CPU cache to store data for as long as they are running?
Cameron Wilson
Do you have any idea what cache eviction is?
Juan Roberts
Intel pls. In any case it can always be weaponized, and that's bad. These are just simple PoCs.
Adam Russell
in this day and age of social media it would be business suicide to host a 'hack' of any kind for your visitors to load
Camden Hall
I agree. Soon enough we'll see something more realistic than spamming the CPU cache repeatedly with "look-at-my-secwet-stwing-uwu:DD" and extracting it over the course of 3 minutes.
Jayden Bailey
>extracting it over the course of 3 minutes. It's already happening with the current PoCs so yeah. Brace yourself, Jow Forums
Liam Young
I posted this like 3 days ago
Henry Ward
AMD shill. Kill yourself.
Nathaniel Bennett
Yeah there's NO way that you'd EVER be able to run software on someone's computer without them opening an exe file. Brb going to YouTube, where an HTML5 and JavaScript based video player and indexer requires me to run third-party code in userspace on my computer. Nope, the only way to run malicious code is to run an exe. Security researchers are retarded. Stuxnet was a hoax.
>You are literally 100% safe if you just don't execute random files sounds really simple until you realize your browser is executing dozens of random files for every web page
Bentley Moore
t. intel shill
Dylan Murphy
Reported for antisemitism.
Lucas Morgan
OP here, I can assure you that you are somewhat confused. Nobody's paying me to post stuff on the Internets. And personally, I have an Intel based notebook and an Intel based laptop and an AMD desktop. My laptop's i7 is now a dual-core, not a four-thread CPU, thanks to this. That's pretty annoying.
Truth of the matter is that if some AMD problem turns my 12 thread Ryzen into a 6 thread then I'll be just as annoyed with them as I am with Intel right now. I don't have any brand loyalty.
Kevin Bennett
You're right, it looks like he's just dumping the hash from /etc/passwd.
Carter Reed
Fuck I'm an idiot, meant /etc/shadow
Isaac Martinez
You don't need an account, you need to be able to run code, which is easier.