3 minutes to root with ZombieLoad

There are Linux patches for ZombieLoad already but you need to disable SMT/Hyper-threading to be safe. Should you?

Here's an interesting piece of information: Apparently it only takes someone with access to a system - yes, you need to already have some kind of account - 3 minutes to get the root password using a Zombieland exploit.

We had Meltdown and Spectre and other security problems with Intel - but this one's clearly different in nature. This is not good.

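As an added example (not from the thread, and not from the ZombieLoad authors): a small POSIX sh script that reads what a patched Linux kernel reports in /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control and turns it into the SMT decision OP is asking about. The status strings are the formats documented in the kernel's Documentation/admin-guide/hw-vuln/mds.rst; the fake sysfs tree is only for trying it out without a vulnerable box.

```shell
#!/bin/sh
# Classify the kernel's MDS (ZombieLoad) status line.
# classify_mds "<status>" -> not_affected | mitigated | partial | guest_unknown | vulnerable | unknown
classify_mds() {
    case "$1" in
        "Not affected")                       echo not_affected ;;
        Mitigation:*"SMT Host state unknown"*) echo guest_unknown ;; # we are a guest; host SMT state decides
        Mitigation:*"SMT disabled"*)          echo mitigated ;;     # buffers cleared and no sibling thread
        Mitigation:*"SMT mitigated"*)         echo mitigated ;;     # MSBDS-only parts: SMT is safe here
        Mitigation:*"SMT vulnerable"*)        echo partial ;;       # buffers cleared, but a sibling on the
                                                                    # same core can still sample them
        Vulnerable*)                          echo vulnerable ;;    # no mitigation, or no microcode
        *)                                    echo unknown ;;
    esac
}

# advise <class> -> one-line recommendation for the operator.
# mds=full,nosmt and mitigations=auto,nosmt are real kernel command-line
# parameters; 'off' written to smt/control disables SMT at runtime.
advise() {
    case "$1" in
        not_affected)  echo "no action needed" ;;
        mitigated)     echo "mitigated; keep microcode and kernel current" ;;
        partial)       echo "threads from other users/VMs can share your cores: boot with mds=full,nosmt (or mitigations=auto,nosmt), or write 'off' to /sys/devices/system/cpu/smt/control" ;;
        guest_unknown) echo "guest VM: the hypervisor's SMT setting decides; ask the host operator" ;;
        vulnerable)    echo "update microcode and kernel first, then disable SMT if cores are shared across trust boundaries" ;;
        *)             echo "unrecognised status; read /sys/devices/system/cpu/vulnerabilities/mds by hand" ;;
    esac
}

# report [SYSFS_CPU_ROOT] -> prints status, SMT control state, class and advice.
# The optional root lets you point it at a constructed tree instead of the live /sys.
report() {
    root="${1:-/sys/devices/system/cpu}"
    mds=$(cat "$root/vulnerabilities/mds" 2>/dev/null || echo "")
    smt=$(cat "$root/smt/control" 2>/dev/null || echo "notimplemented")
    class=$(classify_mds "$mds")
    printf 'mds: %s\nsmt: %s\nclass: %s\nadvice: %s\n' \
        "$mds" "$smt" "$class" "$(advise "$class")"
}

report "$@"
```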


Post source code to sploit.

My PC doesn't even have a password.

>you need to already have some kind of account
sounds about as menacing as epic windows exploits that require the user to execute a suspicious file manually


>yes, you need to already have some kind of account
So this is a concern for hosting companies and public PCs and basically irrelevant to home/private use.

Here you go dude
remember to keep it a secret:
google.com/

And if the root account doesn't have a password, as any secure system would be set up? What then?

You run JavaScript from every website you connect to, idiot. You very well might be able to run it over the internet from a website.

Fuck

I'm pretty sure precision of timers has been intentionally reduced in browsers when Spectre hit in order to prevent exactly that, so no, I do not think you're correct. Show me this exploit running in an up-to-date web browser with mitigations active. If such a thing does not exist, then this is
>if you manually run malicious code on your system bad things happen!!
No shit

glad i never bought into the hyperthreading meme

I'll try to develop it to btfo you intel shills.

is this remote? if not why should I care

Except I don't, shit for brains. Gas yourself.

>sudo
So how long does it take when you aren't already running as root?

>no source

While you need an account for this one the implications aren't good.

>Post source code to sploit.
twitter.com/borrello_pietro
His story is that "maybe will release the PoC after Time to have a beer" 2 hours ago.

Yes, that tiny little detail does make the exploit kind of pointless. Still, it'll be interesting to see if he actually delivers a PoC

>Apparently it only takes someone with access to a system - yes, you need to already have some kind of account - 3 minutes to get the root password using a Zombieland exploit.
You didn't read the tweet properly and you don't know what you're looking at.
Those are the first 30 bytes of the shadow file. The password is not present in there. What you can see is about the first 25 bytes of the 128 byte encrypted password.
So with this particular PoC, while you could harvest the encrypted password for root given enough time (perhaps, because he is making use of taskset which requires root to use the PoC), it'll take closer to 20 minutes at least and then you're still left with the encrypted password which you'll need to decrypt.

So, no. Not 3 minutes to root.

Yeah, the latest Remote Desktop Services exploit is scarier since it doesn't require authentication, if you still have Windows 7/2008 or lower

heh, you know something's up when Microsoft actually warns that a worm bigger than anything we've seen so far will surely sweep over the Internet if people don't patch or upgrade.
pcworld.com/article/3395477/microsoft-issues-a-rare-windows-xp-patch-to-combat-a-virulent-wannacry-like-exploit.html
That's the first Windows XP patch in like .. 4 years? I guess the most amazing thing is that nobody noticed until now

Anuddah shoah!

I'm sick and tired of these exploits, make it stop. I don't want reduced performance on all of my machines reeeeeeeee


>I don't want reduced performance
You don't have to have reduced performance. You can have performance. Or security. Just pick one.
linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs

>3 minutes to get the root password using a Zombieland exploit.
Why would a CPU exploit allow you to reverse the encryption? Is this under the assumption that someone is typing in the root password?

>I'm pretty sure precision of timers has been intentionally reduced in browsers when Spectre hit
The timer API, yes, but you can still construct a high-precision timer by having a separate thread spinning at incrementing a counter.

>3 minutes to get the root password
Just for anyone who took that at face value, he's not getting the root password, he's getting the password hash.
It is an exploit since you wouldn't normally be able to do that as /etc/shadow is only readable by root, but that itself is just a precaution from an earlier era when passwords were weakly hashed. There isn't anything useful anyone can do with the password hashes.

>yet another hyper-threading bug
I'm surprised all current operating systems don't already disallow threads from different security domains from running on the same core. Seems like a really easy fix for 99% of all these bugs with minimum performance impact.

>he's getting the password hash.
heh

>sudo fancyexploit
>not just doing sudo cat /etc/passwd and be done in 0.01 seconds
very impressive

Your root exploit appears to require sudo. I too can make a root exploit that uses sudo to gain root.
sudo su -

passwd doesn't contain the passwords.

>while true; do passwd -S user > /dev/null; done
What did he mean by this?

When passwd runs it probably opens the shadow file in order to reference password info and set/change a user's password.
So for a short time the contents of the shadow file will be cached on the CPU, which is necessary for the side-channel attack.

RDP on the internet is dumb
RDP on the internet with XP is weapons grade retarded and you deserve to get hacked.

It's still kind of a big deal, people don't care about vulnerabilities that target individual users. You are literally 100% safe if you just don't execute random files, basically nobody is going to run anything more than a basic metasploit script.

What matters is enterprise and businesses, where often it's relatively easy to get an account. Or VMs on larger cloud platforms where you're letting it be "public" under the assumption that it's secure.

i dont get it, the shadow file has the hash so how is pw on cpu since hes not brute forcing it

>Refuses to release the source code
>Has to be run with sudo

lol

tfw comfy Core 2 is not affected.

This is what you dumbass roody-poos get for port forwarding risk of rain.

does this need local access?

Any access will do

bit worrying but the most they could do with me is fuck up my install, i do all my banking and such on my phone

github.com/IAIK/ZombieLoad

Intel shill problems


>i dont get it, the shadow file has the hash so how is pw on cpu since hes not brute forcing it
It isn't. OP is a faggot.
The guy is reading the contents of the shadow file. If he read enough of it he would have the password hash for root but he would still need to brute force that hash to get the final password.

having user permissions doesn't make a single user system more secure

>github.com/IAIK/ZombieLoad
shit....

it can be

It's not the same

Privilege escalation is a very real threat.

>So for a short time contents of the shadow file will be cached on the CPU, which is necessary for the side-channel attack.
Which is why he's running an infinite loop of "passwd -S user" on the host, something that would never happen in real life

>something that would never happen in real life
Unless you're trying to exploit the vulnerability...

>not just doing
sudo grep root /etc/shadow
instead of using root to get it some meme way.
Even then, you only have the hash not the password.


Which means you've already got access to the host, so no need for the vulnerability

not sure if you're just shitposting, but: left terminal window is a guest VM, right terminal window is the host. guest VM is getting the root pw hash from the host, not itself

Yeah except it can leak data from VMs as well, and that's pretty bad

>that's pretty bad
true, but how many people are running VMs with "passwd -S user" in an infinite loop?

That's just an example. It could be anything. Imagine a process running in the VM that makes use of crypto keys for example. You could retrieve them this way.

>You could retrieve them this way.
So long as someone is running
>while true; do cat mysecret.key; done
in their VM, which no one would do

twitter.com/borrello_pietro/status/1129578056841093121
See, another example: it even works for retrieving URLs from a browser from guest VM

>So long as someone is running
No. You don't need to do that. See

>it even works for retrieving URLs
by constantly refreshing the page and making sure the URL doesn't get evicted from CPU cache

>No. You don't need to do that.
Yes, you do. The PoCs require constantly refreshing the data to keep it from being evicted from CPU cache

Do you have any idea how many programs use CPU cache to store data for as long as they are running?

Do you have any idea what cache eviction is?

Intel pls.
In any case it can always be weaponized, and that's bad. These are just simple PoCs.

in this day and age of social media it would be business suicide to host a 'hack' of any kind for your visitor to load

I agree. Soon enough we'll see something more realistic than spamming the CPU cache repeatedly with "look-at-my-secwet-stwing-uwu:DD" and extracting it over the course of 3 minutes.

>extracting it over the course of 3 minutes.
It's already happening with the current PoCs so yeah. Brace yourself, Jow Forums

I posted this like 3 days ago

AMD shill. Kill yourself.

Yeah there's NO way that you'd EVER be able to run software on someone's computer without them opening an exe file.
Brb going to YouTube, which has an HTML5 and JavaScript based video player and indexer that requires me to run third party code in userspace on my computer.
Nope, the only way to run malicious code is to run an exe. Security researchers are retarded. Stuxnet was a hoax.


>You are literally 100% safe if you just don't execute random files
sounds really simple until you realize your browser is executing dozens of random files for every web page

t. intel shill

Reported for antisemitism.

OP here, I can assure you that you are somewhat confused. Nobody's paying me to post stuff on the Internets. And personally, I have an Intel-based notebook, an Intel-based laptop and an AMD desktop. My laptop's i7 is now a dual-core not a four-thread CPU thanks to this. That's pretty annoying.

Truth of the matter is that if some AMD problem turns my 12 thread Ryzen into a 6 thread then I'll be just as annoyed with them as I am with Intel right now. I don't have any brand loyalty.

You're right, it looks like he's just dumping the hash from /etc/passwd.

Fuck I'm an idiot, meant /etc/shadow

You don't need an account, you need to be able to run code, which is easier.

>security doesnt matter

Wrong