Heads up: Total Meltdown exploit code now available on GitHub

Credit to Author: Woody Leonhard | Date: Tue, 24 Apr 2018 13:33:00 -0700

Remember the Total Meltdown security hole? Microsoft spread the vulnerability in every 64-bit Win7 and Server 2008 R2 patch released this year, prior to March 29. Specifically, if you installed any of these patches:

… your machine was left in an exposed state. Microsoft made changes to your PC that make it easy for a running program to look at, or modify, any data on your computer.

Security researcher Ulf Frisk posted details on March 27, giving the security hole the “Total Meltdown” moniker. That’s in reference to the well-publicized Meltdown and Spectre security holes, which initially started this year’s patching frenzy. All of these patches and repatches existed primarily to circumvent Meltdown and Spectre — two security vulnerabilities that, to this day, have never been spotted in the wild.

Keep in mind that Total Meltdown only applies to 64-bit versions of Win7 and Server 2008 R2 — and that it doesn’t allow malicious programs to run on your machine, it “only” allows them to read or write data anywhere.

Microsoft responded on March 29 with a patch, KB 4100480, which plugs the Total Meltdown security hole but introduces all sorts of additional problems. See threads started by MrBrian and Susan Bradley on AskWoody. According to the KB article, that patch has been superseded by the two April Win7 security patches, released on April 10:

Both of those, in turn, were riddled with bugs. The Monthly Rollup, in particular, was so bad that Microsoft re-released it on April 12. But the new version kept installing and re-installing itself, even though Windows flagged it as already installed. If you get hit with that bug, the only solution at this point is to hide the update.

In the past couple of days, self-described “Hacker and Infosec Researcher” XPN has posted details of a working exploit that takes advantage of Microsoft’s Total Meltdown security hole. The exploit code, updated yesterday, is available on GitHub. XPN also has a YouTube video showing how quickly it all goes by. Remember: This is code that can retrieve or change any data in memory from a running program. Before it kicks in, a would-be attacker has to get the program running on your machine. But once it’s running, any program can get to any data on your machine.

On AskWoody, GoneToPlaid lays it out:

I looked at the proof of concept code posted on GitHub by XPN. No malware techniques whatsoever were required, except simply replacing tokens for EPROCESS with SYSTEM. Yet this is done after the code has already located all computer memory to read in less than a second. The code doesn’t go through the process of actually reading the memory since XPN was merely showing everyone how quickly the code was able to gain access to all computer memory, and then to change the access rights to all computer memory.

As of this moment, I haven’t heard of any active exploits that take advantage of the Total Meltdown security hole, but with working code so easily available, it’s only a matter of time. A short amount of time, at that.

How to tell if you’re exposed?

Step 1. Look at your Update History and see if you have any patches installed this year. (See the list at the beginning of this article.) No patches from 2018? You’re off the hook for Total Meltdown, although you’re exposed for the (few) other real security holes plugged this year.

Step 2. If you have any of the Windows patches listed above, look to see if you have KB 4100480, 4093108 or 4093118 installed. If any of those three are installed, you’re fine.

Step 3. If you have one of the Total Meltdown-infected patches installed, and you haven’t yet installed KB 4100480, 4093108 or 4093118, you’re in for some interesting times. As best I can tell, you have three options:

Be aware of the bugs in KB 4093108 and 4093118 (possible blue screen Session_has_valid_pool_on_Exit). In particular, note that Microsoft has removed the old requirement that your antivirus software give the go-ahead by modifying the QualityCompat registry key. It isn’t clear if that’s a move of desperation — designed to get this month’s security patches pushed onto every machine — or if antivirus manufacturers have cleaned up their products so the old restriction no longer applies (as is the case with Windows 10).
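The three-step check above, as an added PowerShell example that is not code from the article or from XPN's repository. It assumes the built-in Get-HotFix cmdlet and Win32_OperatingSystem data are accurate on the machine, and it uses installation dates in place of the article's (elided) list of affected patches, so read its verdict as a first pass to confirm against Update History.

```powershell
# Added example (not code from the article or from XPN): automates the article's
# Step 1-3 check on the local machine. Assumes Win7 / Server 2008 R2 with the
# built-in Get-HotFix cmdlet; uses install dates as a stand-in for the article's
# elided list of affected patches, so treat the result as a first pass, not proof.
function Test-TotalMeltdownExposure {
    # Patches the article says close the hole (KB 4100480 and the two April 10 patches).
    $fixKBs = @('KB4100480', 'KB4093108', 'KB4093118')
    $yearStart = Get-Date '2018-01-01'

    # The hole only exists on 64-bit Windows 7 / Server 2008 R2 (NT 6.1).
    $os = Get-WmiObject Win32_OperatingSystem
    if (-not ($os.Version -like '6.1.*' -and $os.OSArchitecture -eq '64-bit')) {
        return 'Not applicable: Total Meltdown only affects 64-bit Win7 / Server 2008 R2.'
    }

    $hotfixes = Get-HotFix

    # Step 2: any one of the fixing patches present means the hole is closed.
    $fixes = @($hotfixes | Where-Object { $fixKBs -contains $_.HotFixID })
    if ($fixes.Count -gt 0) {
        return 'Fixed: found ' + (($fixes | ForEach-Object { $_.HotFixID }) -join ', ')
    }

    # Step 1: look for any update installed in 2018 (InstalledOn can be empty
    # for some entries, so those are skipped rather than treated as 2018).
    $from2018 = @($hotfixes | Where-Object {
        $_.InstalledOn -and ([datetime]$_.InstalledOn) -ge $yearStart
    })
    if ($from2018.Count -eq 0) {
        return 'Likely safe: no updates installed in 2018 (confirm in Update History).'
    }

    # Step 3: 2018 patches present and none of the fixes installed.
    return 'EXPOSED: ' + $from2018.Count + ' update(s) from 2018 installed and none of ' + ($fixKBs -join ', ')
}

Test-TotalMeltdownExposure
```

Run it from an elevated PowerShell prompt on the machine in question; a "Fixed:" result corresponds to the article's Step 2, an "EXPOSED:" result to Step 3.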

By the way, there’s a silver lining to this dreck-drenched cloud. You Win7 folks won’t have any patches at all after Jan. 14, 2020 — a scant 21 months from now. Something to look forward to, amirite?

Questions? Hit us on AskWoody.
