{"id":19161,"date":"2021-03-02T09:55:29","date_gmt":"2021-03-02T08:55:29","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=19161"},"modified":"2024-10-05T23:18:49","modified_gmt":"2024-10-05T21:18:49","slug":"spectre-exploits-for-linux-and-windows-found-on-virustotal","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/03\/02\/spectre-exploits-for-linux-and-windows-found-on-virustotal\/","title":{"rendered":"Spectre Exploits for Linux and Windows found on VirusTotal"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/03\/02\/funktionierende-spectre-exploits-fr-linux-und-windows-gefunden\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] A security researcher has found working exploits for Linux and Windows on VirusTotal that exploit the Spectre vulnerability discovered in CPUs in 2018. But the exploits only work against unpatched systems, are already detected by virus scanners, and have other weaknesses as well.<\/p>\n<p><!--more--><\/p>\n<h2>Some background information<\/h2>\n<p>Security researchers from Google Project Zero described in Spring 2018 a <a href=\"https:\/\/googleprojectzero.blogspot.de\/2018\/01\/reading-privileged-memory-with-side.html\" target=\"_blank\" rel=\"noopener\">design flaw in CPUs<\/a> that allows \"speculative execution side-channel attacks\". Google's Jann Horn, from Project Zero, was able to write exploits that attack systems using two methods, called Meltdown and Spectre. All technical details may be found in the Google document linked above. 
The vulnerabilities are described in the following CVEs:<\/p>\n<ul>\n<li>Variant 1: bounds check bypass (CVE-2017-5753)<\/li>\n<li>Variant 2: branch target injection (CVE-2017-5715)<\/li>\n<li>Variant 3: rogue data cache load (CVE-2017-5754)<\/li>\n<\/ul>\n<p>These methods build on theoretical work that has been published in various research papers (e.g. from the University of Graz) under the following names.<\/p>\n<ul>\n<li><a href=\"https:\/\/spectreattack.com\/spectre.pdf\" target=\"_blank\" rel=\"noopener\">Spectre<\/a> (Variants 1 and 2): This breaks the isolation between different applications. It allows an attacker to read memory used by other programs.<\/li>\n<li><a href=\"https:\/\/meltdownattack.com\/meltdown.pdf\" target=\"_blank\" rel=\"noopener\">Meltdown<\/a> (Variant 3): This breaks the basic isolation between user applications and the operating system. The attack enables a program to access kernel memory and thus the data of other programs and of the operating system.<\/li>\n<\/ul>\n<p>More details may be found at <a href=\"https:\/\/meltdownattack.com\/\" target=\"_blank\" rel=\"noopener\">meltdownattack.com<\/a> (see also <a href=\"https:\/\/borncity.com\/win\/2018\/01\/12\/meltdown-and-spectre-what-windows-users-need-to-know\/\">Meltdown and Spectre: What Windows users need to know<\/a>).<\/p>\n<p><a href=\"https:\/\/meltdownattack.com\/\"><img decoding=\"async\" title=\"Meltdown\/Spectre\" alt=\"Meltdown\/Spectre\" src=\"https:\/\/i.imgur.com\/EiTnfDa.jpg\"><\/a><\/p>\n<p>I had blogged about this matter here on the blog in subsequent articles (see links at the end of the article). There were microcode patches for Intel CPUs under Windows, and protections were also merged into Linux, which rendered these attacks ineffective. And there were problems and performance issues with these security fixes. 
So far, my understanding has been that the Spectre vulnerability is not really exploited for practical reasons &#8211; there are more effective ways to attack.<\/p>\n<h2>Exploits discovered on VirusTotal<\/h2>\n<p>Security researcher Julien Voisin published the blog post <a href=\"https:\/\/dustri.org\/b\/spectre-exploits-in-the-wild.html\" target=\"_blank\" rel=\"noopener\">Spectre exploits in the \"wild\"<\/a> on March 1, 2021. There he wrote that someone was stupid enough to upload a working Spectre (CVE-2017-5753) exploit for <a href=\"https:\/\/www.virustotal.com\/gui\/file\/6461d0988c835e91eb534757a9fa3ab35afe010bec7d5406d4dfb30ea767a62c\">Linux<\/a> (there is also one for Windows) to VirusTotal in February 2021. In the post he published a short analysis of the Linux exploit (the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/ecc0f2aa29b102bf8d67b7d7173e8698c0341ddfdf9757be17595460fbf1791a\/detection\" target=\"_blank\" rel=\"noopener\">Windows<\/a> variant was not analyzed).<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/GwLf00P.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"Spectre-Exploit auf Virustotal\" alt=\"Spectre-Exploit auf Virustotal\" src=\"https:\/\/i.imgur.com\/GwLf00P.png\" width=\"683\" height=\"531\"><\/a><br \/>Spectre exploit on VirusTotal, <a href=\"https:\/\/www.virustotal.com\/gui\/file\/6461d0988c835e91eb534757a9fa3ab35afe010bec7d5406d4dfb30ea767a62c\/detection\" target=\"_blank\" rel=\"noopener\">click to enlarge<\/a><\/p>\n<p>The colleagues at Bleeping Computer have also looked into the matter and <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/working-windows-and-linux-spectre-exploits-found-on-virustotal\/\" target=\"_blank\" rel=\"noopener\">write<\/a> that the exploits can be run as an unprivileged user to dump LM\/NT hashes on Windows systems and the \/etc\/shadow file on Linux from the kernel memory of the targeted devices. 
The exploit also allows dumping Kerberos tickets, which can be used with PsExec for local privilege escalation and lateral movement on Windows systems.<\/p>\n<p>The exploits linked above on VirusTotal were uploaded in February 2021 as part of an <a href=\"https:\/\/www.virustotal.com\/gui\/file\/ecc0f2aa29b102bf8d67b7d7173e8698c0341ddfdf9757be17595460fbf1791a\/relations\">Immunity Canvas 7.26 installer<\/a> for Windows and Linux. CANVAS is a penetration testing tool from Immunity Inc.: an automated exploitation system that contains hundreds of exploits and also lets you create your own exploits with its framework.<\/p>\n<p>Before Julien Voisin's publication, no virus scanner detected the exploits; now the installers are flagged as malicious by at least some antivirus engines on VirusTotal. In addition, operating system security fixes and CPU microcode updates have been released since Spectre became known. Julien Voisin states that the exploits do not work on patched Linux and Windows systems.<\/p>\n<p>However, systems with Haswell and older CPUs that did not receive security fixes remain at risk. In addition, some patches have been withdrawn due to performance issues. On the other hand, the exploits must be invoked with the correct parameters to read values from protected memory. So far the practical impact seems limited &#8211; according to Voisin, the target detection on Linux is hard-coded (Fedora, ArchLinux and Ubuntu are currently supported, and there are check functions for Debian and CentOS).
<\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/12\/meltdown-and-spectre-what-windows-users-need-to-know\/\">Meltdown and Spectre: What Windows users need to know<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/11\/test-is-my-browser-vulnerable-for-spectre-attacks\/\">Test: Is my browser vulnerable for Spectre attacks?<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/02\/05\/meltdown-spectre-test-tools-overview\/\">Meltdown\/Spectre Test Tools Overview<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/12\/08\/new-splitspectre-attack-windows-retpoline-spectre-mitigation\/\">New SplitSpectre-Attack; Windows Retpoline Spectre Mitigation<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/10\/tool-tip-ashampo-spectre-meltdown-cpu-checker\/\">Tool tip: Ashampo Spectre Meltdown CPU-Checker<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/03\/08\/windows-10-v1809-enable-retpoline-spectre-v2-protection\/\">Windows 10 V1809: Enable Retpoline Spectre V2 protection<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/03\/22\/eth-lausanne-and-ibm-discovers-smotherspectre-hardware-vulnerability\/\">ETH Lausanne and IBM discovers SmoTherSpectre hardware vulnerability<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/10\/06\/intel-proposal-sapm-protection-meltdown-spectre\/\">Intel proposal SAPM protection (Meltdown, Spectre)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/11\/24\/usb-intel-microcode-boot-loader-for-spectre-mitigation\/\">USB Intel Microcode Boot Loader for Spectre mitigation<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/11\/19\/microsoft-has-updated-the-meltdown-spectre-information-page\/\">Microsoft has updated the Meltdown\/Spectre information page<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/10\/20\/windows-10-19h1-with-retpoline-spectre-v2-mitigation\/\">Windows 10 19H1 with Retpoline Spectre V2 Mitigation<\/a><br \/><a 
href=\"https:\/\/borncity.com\/win\/2018\/07\/13\/chromes-67-site-isolation-as-spectre-mitigation\/\">Chrome's 67 Site Isolation as Spectre mitigation<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20240102164349\/https:\/\/borncity.com\/win\/2018\/05\/22\/google-and-microsoft-unveil-spectre-v4-cpu-vulnerability\/\">Google and Microsoft unveil Spectre V4 CPU vulnerability<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/05\/03\/new-spectre-ng-vulnerabilities-in-intel-cpus\/\">New Spectre NG vulnerabilities in Intel CPUs<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/04\/12\/windows-10-spectre-v2-update-for-amd-cpus\/\">Windows 10 Spectre V2 Update for AMD-CPUs<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/03\/12\/intel-spectre-meltdown-microcode-updates-march-11-2018\/\">Intel Spectre\/Meltdown Microcode Updates (March 11, 2018)<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/28\/windows-update-kb4078130-deaktiviert-spectre-2-patch\/\">Windows-Update KB4078130 deactivates Spectre 2-Patch<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/10\/new-lvi-lfb-vulnerability-discovered-in-intel-cpus\/\">New LVI LFB vulnerability discovered in Intel CPUs<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/09\/amd-zen-cpus-ab-2011-fr-side-channel-attacks-anfllig\/\">AMD CPUs (from 2011) vulnerable to side channel attacks<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/01\/28\/cacheout-cache-angriff-gegen-intel-cpus\/\">CacheOut: Cache attack against Intel CPUs<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/02\/04\/malware-using-meltdown-and-spectre-attacks-under-develoment-windows-defender-quarantines-poc-tools\/\">Malware using Meltdown and Spectre attacks under development \u2013 Windows Defender quarantines PoC tools<\/a><br \/><a 
href=\"https:\/\/borncity.com\/win\/2018\/01\/26\/google-chrome-64-security-fixes-spectre-mitigation-ad-blocker\/\">Google Chrome 64: Security Fixes, Spectre Mitigation, Ad-Blocker<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/23\/apple-provides-fix-for-meltdown-spectre-for-macos\/\">Apple provides fix for Meltdown\/Spectre for macOS<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20210422224433\/https:\/\/borncity.com\/win\/2018\/01\/17\/inspectre-test-your-machine-against-meltdown-spectre-flaw\/\">InSpectre: Test your machine against Meltdown\/Spectre flaw<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] A security researcher has found working exploits for Linux and Windows on VirusTotal that exploit the Spectre vulnerability discovered in CPUs in 2018. But the exploits only work against unpatched systems, are already detected by virus scanners, and have &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/03\/02\/spectre-exploits-for-linux-and-windows-found-on-virustotal\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[921,580,2],"tags":[69],"class_list":["post-19161","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","category-windows","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=19161"}],"version-history":[{"count":3,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19161\/revisions"}],"predecessor-version":[{"id":36014,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19161\/revisions\/36014"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=19161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=19161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=19161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}