
Rowhammer & Drammer


4 replies to this topic

#1 Viper_Security


Posted 24 October 2016 - 01:05 PM

Rowhammer is an exploit that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not originally addressed.

 

The row hammer effect has been used in some privilege escalation computer security exploits. Different hardware-based techniques exist to prevent the row hammer effect from occurring, including required support in some processors and types of DRAM memory modules. 

 

 

 

Essentially this exploit can gain root access to the kernel.

 

It is said that this exploit can spread from an x86-x64 architecture and Android to an ARM architecture.

 

 

 

 

Opinions?


Edited by Viper_Security, 24 October 2016 - 01:32 PM.

    IT Auditor & Security Professional


 


#2 Gorbulan


Posted 24 October 2016 - 02:08 PM

I read the effect, but how are these exploits used?



#3 Viper_Security


Posted 24 October 2016 - 02:10 PM

This is a snippet of the code.

 

code1a:
  mov (X), %eax  // Read from address X
  mov (Y), %ebx  // Read from address Y
  clflush (X)    // Flush cache for address X
  clflush (Y)    // Flush cache for address Y
  jmp code1a     // Repeat the loop

 

This is from Google's Project Zero (0Day Exploit finder basically)

https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html


Edited by Viper_Security, 24 October 2016 - 02:11 PM.

    IT Auditor & Security Professional
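
The access pattern in the snippet above and the hardware-side prevention mentioned in the first post can be modelled as a small simulation. This is an added example, not part of the original posts or of Project Zero's code; the single-bank layout, the counter-based early refresh of neighbouring rows and every threshold are assumptions chosen for illustration.

```c
/* Toy model of one DRAM bank; every constant here is a constructed value. */
#include <stdio.h>
#include <string.h>

#define ROWS 16               /* usable rows are numbered 1..ROWS */
#define ACCESSES 200000L      /* uncached reads within one refresh window */
#define MITIGATION_LIMIT 5000 /* activations before neighbours are refreshed */

struct bank {
    int open_row;             /* row currently held in the row buffer */
    long acts[ROWS + 2];      /* activations since the last early refresh */
    long disturb[ROWS + 2];   /* neighbour activations since last refresh */
    long peak;                /* worst disturbance seen on any row */
};

/* One read that misses the CPU cache; only a row-buffer miss activates. */
static void access_row(struct bank *b, int r, int mitigate) {
    if (r == b->open_row) return;             /* row-buffer hit */
    b->open_row = r;
    for (int n = r - 1; n <= r + 1; n += 2)   /* both adjacent rows */
        if (++b->disturb[n] > b->peak) b->peak = b->disturb[n];
    if (mitigate && ++b->acts[r] >= MITIGATION_LIMIT) {
        b->disturb[r - 1] = b->disturb[r + 1] = 0; /* early refresh */
        b->acts[r] = 0;
    }
}

/* Alternate reads between rows x and y; return peak victim disturbance. */
long peak_disturbance(int x, int y, int mitigate) {
    struct bank b;
    if (x < 1 || x > ROWS || y < 1 || y > ROWS) return -1;
    memset(&b, 0, sizeof b);
    for (long i = 0; i < ACCESSES; i++)
        access_row(&b, (i & 1) ? y : x, mitigate);
    return b.peak;
}

int main(void) {
    printf("same row:         %ld\n", peak_disturbance(4, 4, 0));
    printf("rows 4 and 6:     %ld\n", peak_disturbance(4, 6, 0));
    printf("rows 4 and 6 + M: %ld\n", peak_disturbance(4, 6, 1));
    return 0;
}
```

In this model, two addresses in the same row cause a single activation, while two addresses in different rows activate a row on every read; the counter bounds how many neighbour activations a row sees before it is refreshed.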



#4 cdbunch


Posted 03 November 2016 - 05:26 AM

This exploit is indeed being used on ARM devices. Since it is based on a failure mode in the memory used in the device it would not need to have any dependence on the processor in the device although the combination of processor and memory might be vulnerable in some cases and not so in others. The only "fix" possible without redesigning the hardware requires software patches that will probably only be partially successful. Google is supposed to provide some kind of patch in the November security bulletin but that has not been released yet. They normally come out toward the beginning of the month so it should be available soon. However, that does not mean that all the affected devices will get the patch in any kind of a timely way.

 

Since this vulnerability can be used to get root access and it does not require that the malicious app using it have any special privileges at all on the device it could become particularly pernicious. What defense do we have? Seems like the only things that will help are having very good malware detection and staying far away from any app that does not come from a very reliable source. But for many, many people neither of those factors will be there and I think we can expect to see possibly significant levels of exploitation coming from this.



#5 cdbunch


Posted 09 November 2016 - 05:38 AM

Looks like the Google patch for Drammer is out although the Dirty Cows are still wandering around:

 

http://www.pcworld.com/article/3137254/security/android-patches-fix-drammer-ram-attack-but-not-dirty-cow-exploit.html





