D-RamPage: POC for zero-risk row-hammer exploitation

2015.03.17
Credit: halfdog
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hello List, Although I have no row-hammer affected hardware, I tried to build a POC that allows zero-risk exploitation of row-hammer affected DRAM setups, see [1]. The main idea of the POC is to * reserve complete rows of physical pages (verified via pagemap) * remove the cached page of a file suitable for privilege escalation, e.g. a SUID binary or ld-linux, from read page cache, so that it will be read again and probably mapped to a new location. * trigger a timed read to get it mapped to the only free page position in a contiguous block of physical pages * hammer the middle of the physical pages block with two buffer rows on each side, on containing the cached target file page * when modification of target file page in cache is not suitable for privilege escalation, just flush it from cache and start anew. Without suitable hardware, I've currently not included the hammer assembly code yet. But if someone with an appropriate test system would be willing to assist in testing, I would be glad to add that code also. (I will not put out code without testing). hd [1] http://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/ - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee

References:

http://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top