Linux Exploit for Spectre Flaw Discovered


A researcher has claimed to have found a working Spectre exploit on Linux systems.

Spectre has been in the public knowledge base since January 9, 2018, when Intel was forced to go public with the information that all of their CPUs (since 1995) can allow applications to be tricked into leaking information they hold in memory. Since then, there have been a number of Spectre exploits, across all operating systems on Intel hardware.

Recently a french researcher, Julien Voisin, announced he was able to view the contents of /etc/shadow on a vulnerable Fedora system, thereby verifying this new Spectre exploit.

This vulnerability works in four stages:

  • Finding the superblock of a file.
  • Finding the inode of the file to be dumped.
  • Finding the corresponding page address.
  • Dumping the contents of the file.

According to Voisin, this exploit had a 0 detection rate before he published his announcement.

Of this vulnerability, Andrew Cooper, senior software engineer, Citrix, had this to say, "SMAP prevents supervisor code from accessing user memory operands outside of explicitly permitted areas." Cooper continues, "This is enough to prevent the cacheline fill (of a userspace pointer) and break the covert channel. A more sophisticated attack could use a supervisor pointer, e.g. the directmap mapping, or one of a multitude of other covert channels to transmit the same data, which is a higher barrier, but definitely not impossible.

The new Spectre exploit looks to have been created and distributed by a company called Immunity Inc, and VirusTotal allows the downloading of the exploit for a fee.

comments powered by Disqus