Spectre Exploits for Linux and Windows found on VirusTotal

A security researcher has found working exploits for Linux and Windows on VirusTotal that exploit the Spectre vulnerability discovered in CPUs in 2018. But the exploits only work against unpatched systems, are already detected by virus scanners, and have other weaknesses as well.


Some background information

A security researcher from Google Project Zero described, in spring 2018, a design flaw in CPUs that allows "speculative execution side-channel attacks". Google's Jann Horn, from Project Zero, was able to write an exploit to attack systems using two methods called Meltdown and Spectre. All internal details may be found in the Google document linked above. The vulnerabilities are described in the following CVEs:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

These methods build on theoretical foundations that have been published in various research papers (e.g. from the University of Graz) under the following names:

  • Spectre (Variant 1 and 2): This breaks the isolation between different applications. It allows an attacker to read data from memory used by other programs.
  • Meltdown (Variant 3): This breaks through the basic isolation between user applications and the operating system. This attack enables a program to access the kernel memory and the data of other programs and the operating system.

More details may be found at meltdownattack.com (see also Meltdown and Spectre: What Windows users need to know).


I had blogged about this matter here on the blog in subsequent articles (see links at the article end). There were micro-patches for Intel CPUs for Windows and protections were also pulled into Linux that let these attacks go nowhere. And there were problems and performance issues with these security fixes. So far, my understanding has been that the Spectre vulnerability is not really exploited for practical reasons – there are more effective ways to attack.


Exploits discovered on VirusTotal

Security researcher Julien Voisin published the blog post Spectre exploits in the "wild" on March 1, 2021. There he wrote that someone was stupid enough to upload a working Spectre (CVE-2017-5753) exploit for Linux (there is also one for Windows) to VirusTotal in February 2021. In the post he published a quick analysis of the exploit for Linux (the Windows variant was not analyzed).

Figure: Spectre exploit on VirusTotal

The colleagues at Bleeping Computer have also looked into the matter and write that the exploits can be run by an unprivileged user to dump LM/NT hashes on Windows systems and the Linux /etc/shadow file from the kernel memory of the targeted devices. The exploit also allows the dumping of Kerberos tickets that can be used with PsExec for local privilege escalation and lateral movement on Windows systems.

The exploits linked above on VirusTotal were uploaded in February 2021 as part of an Immunity Canvas 7.26 installer for Windows and Linux. CANVAS is a penetration testing tool from Immunity Inc. that contains hundreds of exploits and is an automated exploit system, which also allows you to create your own exploits with its framework.

Before Julien Voisin's publication, no virus scanner knew about the exploits; now the installers are reported as malicious by at least some antivirus tools on VirusTotal. In addition, security fixes for operating systems and CPU microcode updates have been released since Spectre became known. Julien Voisin states that the exploits do not work on patched Linux and Windows systems.

However, systems with Haswell and older CPUs that did not receive security fixes are still a problem. In addition, some patches have been withdrawn due to performance issues. However, the exploits must be invoked with the correct parameters to read values from protected areas. The practical impact still seems to be limited: according to Voisin, the detection of individual distributions is hard-coded on Linux (Fedora, ArchLinux and Ubuntu are currently supported, and there are functions to check for Debian and CentOS).
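
Whether a particular Linux host is in the patched state described above can be read from the kernel's own report in sysfs. The following is an added example, not code from this article or from Voisin's analysis: the function names are hypothetical, the sample status lines are constructed, and it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (4.15 and later, plus distribution backports).

```python
from pathlib import Path

# sysfs entries for the three variants listed in this article.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
VARIANTS = {
    "CVE-2017-5753": "spectre_v1",  # Variant 1: bounds check bypass
    "CVE-2017-5715": "spectre_v2",  # Variant 2: branch target injection
    "CVE-2017-5754": "meltdown",    # Variant 3: rogue data cache load
}


def classify(status):
    """Map a sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    if status is None:
        return "unknown"  # file missing: kernel has no vulnerabilities directory
    text = status.strip()
    for prefix, label in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return label
    return "unknown"


def read_status(base=SYSFS_DIR):
    """Return {CVE: raw status line, or None if the file cannot be read}."""
    result = {}
    for cve, name in VARIANTS.items():
        try:
            result[cve] = (Path(base) / name).read_text().strip()
        except OSError:
            result[cve] = None
    return result


def audit(statuses):
    """Return the CVEs that are neither mitigated nor reported as not affected."""
    return sorted(cve for cve, line in statuses.items()
                  if classify(line) not in ("mitigated", "not_affected"))


# Constructed sample (not real output): a host where fixes were switched off.
SAMPLE = {
    "CVE-2017-5753": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "CVE-2017-5715": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "CVE-2017-5754": "Vulnerable",
}

if __name__ == "__main__":
    for cve, line in read_status().items():
        print(f"{cve}: {classify(line)} ({line})")
    print("needs attention:", audit(read_status()))
```

A result of `unknown` means the kernel does not report the status at all, which on an old, unpatched kernel is itself a finding rather than an all-clear.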

Similar articles:
Meltdown and Spectre: What Windows users need to know
Test: Is my browser vulnerable for Spectre attacks?
New SplitSpectre-Attack; Windows Retpoline Spectre Mitigation
Tool tip: Ashampoo Spectre Meltdown CPU-Checker
Windows 10 V1809: Enable Retpoline Spectre V2 protection
ETH Lausanne and IBM discover SmoTherSpectre hardware vulnerability
Intel proposal SAPM protection (Meltdown, Spectre)
USB Intel Microcode Boot Loader for Spectre mitigation
Microsoft has updated the Meltdown/Spectre information page
Windows 10 19H1 with Retpoline Spectre V2 Mitigation
Chrome's 67 Site Isolation as Spectre mitigation
Google and Microsoft unveil Spectre V4 CPU vulnerability
New Spectre NG vulnerabilities in Intel CPUs
Windows 10 Spectre V2 Update for AMD-CPUs
Intel Spectre/Meltdown Microcode Updates (March 11, 2018)
Meltdown/Spectre Test Tools Overview
Windows-Update KB4078130 deactivates Spectre 2-Patch
New LVI LFB vulnerability discovered in Intel CPUs
AMD CPUs (from 2011) vulnerable to side channel attacks
CacheOut: Cache attack against Intel CPUs
Malware using Meltdown and Spectre attacks under development – Windows Defender quarantines PoC tools
Google Chrome 64: Security Fixes, Spectre Mitigation, Ad-Blocker
Apple provides fix for Meltdown/Spectre for macOS
InSpectre: Test your machine against Meltdown/Spectre flaw
