[ISN] Cyberattackers can exploit Pentium self-defense

InfoSec News isn at c4i.org
Wed Apr 12 01:51:16 EDT 2006


http://www.fcw.com/article94004-04-07-06-Web

By Michael Arnone
Apr. 7, 2006

VANCOUVER, British Columbia - Your computer could hand itself over to
cyberattackers when it's trying to cool off.

That warning galvanized the information technology security experts
gathered this week at the CanSecWest/core06 conference here.

Computers with Intel Pentium processors can be hijacked through a
built-in mode designed to protect the processor's motherboard, said
Loïc Duflot, a security engineer and researcher for the scientific
division of France's Central Directorate for Information Systems
Security.

"Unused, legacy or routinely used functionalities can be used to
circumvent operating system security functions," Duflot said.

The vulnerability affects every computer that runs on x86
architecture, including the millions that the U.S. government and
industry use, said Dragos Ruiu, the conference's organizer. He is a
Canadian computer security consultant for businesses, governments and
the U.S. military.

Pentium computers usually run in Protected Mode, the 32-bit
environment where the operating system and applications reside, Duflot
said. But when conditions that could threaten the motherboard occur,
such as the processor getting too hot, the computer interrupts
Protected Mode and freezes and stores its activity.

The computer then switches to System Management Mode, a 16-bit
environment that loads code stored in System Management RAM (SMRAM) to
handle the particular emergency, Duflot said. Once the code runs, the
System Management Mode then tells the computer to return to Protected
Mode and normal operations.

Cyberattackers can take over a computer by causing it to interrupt
operations and enter System Management Mode, Duflot said. They can
enter the SMRAM and replace the default software with custom software
that gives them full administrative privileges, he said.

To gain access, all they have to do is close the SMRAM and trigger the
new software, Duflot said.

Such attacks are insidious because they happen out of sight of
security measures at the operating system or application level, Duflot
said. The computer has no way of interrupting the System Management
Mode code and is defenseless against whatever the assailant wants to
do, including keeping the operating system frozen and inaccessible.

Some chipsets map the SMRAM in the same location as video RAM, making
it vulnerable to exploits used on video RAM, Duflot said. Those same
chipsets allow access to SMRAM in Protected Mode if attackers have the
right code to modify the computer's settings, he said.
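The "settings" Duflot refers to are the chipset's SMRAM control bits: on Intel host bridges a single register decides whether the SMRAM range is decoded, whether non-SMM code can reach it, whether accesses are routed to video memory instead, and whether those bits are locked until the next reset. The decoder below is an added example, not code from the article, from Duflot's talk, or from any vendor. It assumes the SMRAMC bit layout documented in Intel's 440BX and 915/945-era host-bridge datasheets (D_OPEN bit 6, D_CLS bit 5, D_LCK bit 4, G_SMRAME bit 3, base segment in bits 2:0); the PCI configuration offset of that register and its exact semantics differ between chipsets, so both must be checked against the datasheet of the board being audited. The sample values are constructed, not read from real hardware.

```python
"""Decode the SMRAM control byte of an Intel host bridge and report risky settings.

Added example (not from the article). Bit layout follows the SMRAMC register in
Intel's 440BX and 915/945 host-bridge datasheets; the PCI config offset and the
semantics differ across chipsets, so verify both against the datasheet for the
board under audit before relying on the result.
"""

from dataclasses import dataclass

# SMRAMC bit definitions (assumed layout, see module docstring).
D_OPEN = 1 << 6    # SMRAM is accessible to code running outside SMM
D_CLS = 1 << 5     # non-SMM accesses to A0000h-BFFFFh are routed to the video buffer
D_LCK = 1 << 4     # lock: clears D_OPEN and freezes the register until reset
G_SMRAME = 1 << 3  # global SMRAM enable
C_BASE_SEG = 0x7   # bits 2:0 select the compatible SMRAM base segment (010b = A0000h)


@dataclass(frozen=True)
class SmramState:
    enabled: bool
    open_to_non_smm: bool
    closed: bool
    locked: bool
    base_segment: int


def decode_smramc(value: int) -> SmramState:
    """Split one SMRAMC byte into named fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError("SMRAMC is an 8-bit register")
    return SmramState(
        enabled=bool(value & G_SMRAME),
        open_to_non_smm=bool(value & D_OPEN),
        closed=bool(value & D_CLS),
        locked=bool(value & D_LCK),
        base_segment=value & C_BASE_SEG,
    )


def audit_smramc(value: int) -> list[str]:
    """Return human-readable findings; an empty list means the register looks sane."""
    st = decode_smramc(value)
    findings = []
    if not st.enabled:
        findings.append("G_SMRAME clear: SMRAM is not decoded, the SMM handler has no protected home")
    if st.open_to_non_smm:
        findings.append("D_OPEN set: SMRAM contents are readable and writable from Protected Mode")
    if not st.locked:
        findings.append("D_LCK clear: the control bits can still be changed after boot; firmware should lock them")
    if st.locked and st.open_to_non_smm:
        findings.append("D_LCK and D_OPEN both set: hardware should have cleared D_OPEN, value is suspect")
    return findings


def parse_setpci_byte(output: str) -> int:
    """Parse the hex byte printed by `setpci -s 00:00.0 <offset>.b` (constructed input below)."""
    return int(output.strip(), 16)


if __name__ == "__main__":
    # Constructed sample values, not read from real hardware.
    for sample in ("1a", "4a", "0a"):
        val = parse_setpci_byte(sample + "\n")
        print(f"SMRAMC=0x{val:02x} {decode_smramc(val)}")
        for finding in audit_smramc(val) or ["no findings"]:
            print("  -", finding)
```

On a Linux host with a chipset whose SMRAMC sits at a known offset, the byte can be read with `setpci` (for example `setpci -s 00:00.0 9d.b` on 915/945-era boards, which is an assumption to confirm per chipset) and fed to `audit_smramc`. The finding a defender cares about most is a clear D_LCK after boot: that is the state in which the settings Duflot describes can still be modified from Protected Mode.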

For the past seven years, CanSecWest has been a conference of, by and
for hard-core code gurus who create the software that businesses and
governments use. More than 300 cybersecurity experts and computer
hackers from 40 countries gathered to swap cutting-edge information,
tips and tricks.

CanSecWest attracts managers of technical groups within companies and
government agencies, Ruiu said. It also attracts hackers who come to
learn new techniques to exploit computer networks.

The conference presents the latest in what helpful and malicious
hackers are doing, said Eric Byres, a member of the research faculty
at the British Columbia Institute of Technology.

"What's shown here will be on the Web next year and script kiddie
material in three," Byres said.
