IAIK / ZombieLoad

Proof-of-concept for the ZombieLoad attack

macOS exploit? #1

Closed mehulmpt closed 4 years ago

mehulmpt commented 5 years ago

I'm trying to run the Linux variant on macOS, but the make fails with the error

main.c:26:95: error: use of undeclared identifier 'MAP_POPULATE'

as MAP_POPULATE is only available on Linux. Does the code support this exploit on Mac?

taspeotis commented 5 years ago

Asking for a friend

RobQuistNL commented 5 years ago

[image]

misc0110 commented 5 years ago

Unfortunately, we don't have a macOS to test

mehulmpt commented 5 years ago

@misc0110 Doesn't compile on Windows either:

C:\Users\Mehul>gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=c:/mingw/bin/../libexec/gcc/mingw32/6.3.0/lto-wrapper.exe
Target: mingw32
Configured with: ../src/gcc-6.3.0/configure --build=x86_64-pc-linux-gnu --host=mingw32 --target=mingw32 --with-gmp=/mingw --with-mpfr --with-mpc=/mingw --with-isl=/mingw --prefix=/mingw --disable-win32-registry --with-arch=i586 --with-tune=generic --enable-languages=c,c++,objc,obj-c++,fortran,ada --with-pkgversion='MinGW.org GCC-6.3.0-1' --enable-static --enable-shared --enable-threads --with-dwarf2 --disable-sjlj-exceptions --enable-version-specific-runtime-libs --with-libiconv-prefix=/mingw --with-libintl-prefix=/mingw --enable-libstdcxx-debug --enable-libgomp --disable-libvtv --enable-nls
Thread model: win32
gcc version 6.3.0 (MinGW.org GCC-6.3.0-1)

and on compiling:

C:\Users\Mehul\Desktop\ZombieLoad\attacker\variant2_windows>.\make.bat
In file included from main.c:10:0:
cacheutils_win.h: In function 'rdtsc':
cacheutils_win.h:30:3: error: inconsistent operand constraints in an 'asm'
   asm volatile("rdtscp" : "=a"(a), "=d"(d) :: "rcx");
   ^~~

misc0110 commented 5 years ago

@mehulmpt You need the 64-bit version of MinGW (MinGW-w64), seems you are using the 32-bit version.

mehulmpt commented 5 years ago

Gotcha. It compiles now, however, I'm only getting random noise on the attacker side both on Windows and Linux builds. I'm trying a few tweaks.

dear-yun commented 5 years ago

I got the following error when compiling on Win10. My GCC is 64-bit.

===| F:\11\windowns\main.c|10|fatal error: cacheutils_win.h: No such file or directory ||=== : 1 error(s), 0 warning(s) () ===|

mehulmpt commented 5 years ago

@dear-yun well, your error clearly says it cannot find the cacheutils_win.h file, which is included in this repo. Do a clean clone of the repo and try again (it is present next to the main.c file itself; just run the make.bat from cmd).

tomasger commented 5 years ago

I'm only getting random noise on the attacker side both on Windows and Linux builds.

@mehulmpt have you disabled KASLR and KPTI on Linux?

mehulmpt commented 5 years ago

Yes, I added the options nopti nokaslr to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then did a sudo update-grub and rebooted the system. I'm using an Ubuntu 18.04.1 LTS 16-core system on Google Cloud. But it still echoes random bars on every character.

misc0110 commented 5 years ago

@mehulmpt I assume that the Google Cloud already has the fixes (microcode and OS/hypervisor updates) rolled out

mehulmpt commented 5 years ago

Okay, I'll try out some other Linux system. How about this Windows system? I've disabled the Spectre and Meltdown defenses using the InSpectre.exe file (which I presume disables ASLR and KPTI) on Windows 10 build 1903 (Windows Insider member).

[image: zombie]

mehulmpt commented 5 years ago

Commands:

start /affinity 1 leak.exe

and

start /affinity 1 secret.exe C

dear-yun commented 5 years ago

The following error occurred during compilation:

\poc\cacheutils_win.h||In function 'rdtsc':| poc\cacheutils_win.h|30|error: inconsistent operand constraints in an 'asm'| ||=== : 1 error(s), 0 warning(s) (0 分, 0 秒) ===|

mehulmpt commented 5 years ago

@misc0110 Unfortunately I'm not even able to replicate this in my VM running Ubuntu. I'm sure KASLR and KPTI are disabled for this, as my cat /proc/cmdline shows:

BOOT_IMAGE=/boot/vmlinuz-4.15.0-45-generic root=UUID=9a529c85-fe34-4670-a6ca-2a2048f6d240 ro find_preseed=/preseed.cfg auto noprompt priority=critical locale=en_US quiet nopti nokaslr

The histogram only increases for X no matter which letter I pass to the secret script. Can you see what I'm doing wrong?

[image: zz]

mehulmpt commented 5 years ago

@misc0110 No success on Kali either.

[image: kali cmd]

andreafioraldi commented 5 years ago

macOS doesn't have taskset and you can't use macOS as the attacker. However, my friend Pietro used macOS as the host victim (https://twitter.com/defcon11396/status/1128733273109274625?s=19), spawning 4 processes (if I remember correctly).

misc0110 commented 5 years ago

Is your VM using two hyperthreads of the same physical core (you can taskset the VM)? And inside the VM, did you pin attacker and victim each on one hyperthread? It's easier to do it on a native Linux than in a VM.

pietroborrello commented 5 years ago

As far as I know there is no way to easily pin a process to a logical core on macOS. Moreover, I failed to disable KASLR and KPTI natively. I tried to circumvent it in two ways:

  1. Rely on a virtual machine to run the attacker; you can run the victims either on the same/a different VM, or natively. Here something magic happens: if I try to pin the victim to a specific core the attack fails, but if I let the macOS kernel/hypervisor choose the core on which to put the process, the attack succeeds when running from 1 to 3 victim processes on a 2-core (4-thread) Mac. No idea why.
  2. Since you cannot disable KASLR and KPTI, if you want to run the attack natively, rely on a different variant of the MDS attack, for example dereferencing a null pointer under TSX, as described in the RIDL paper. I put a small PoC in my fork of the repo; I didn't PR it since it is a different variant, and so much slower.

Also notice that depending on your kernel the attack could already be mitigated, e.g. it is mitigated from 4.15.0-50 on in the 4.15 kernels; refer to the changelogs (e.g. https://launchpad.net/ubuntu/+source/linux/4.15.0-50.54).
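A host-side check for the conditions this thread keeps returning to (the kernel's MDS mitigation status, whether sibling hyperthreads are still exposed, and weakening flags such as nopti/nokaslr on the kernel command line), written as an added example; this is not code from the IAIK/ZombieLoad repository, the sysfs/procfs paths are the standard kernel locations, and the status strings it matches are the kernel's own wording.

```shell
#!/bin/sh
# Added example (not from the ZombieLoad repo): audit a Linux host for the
# MDS/hyperthreading/kernel-flag conditions discussed in this issue thread.

# Classify /sys/devices/system/cpu/vulnerabilities/mds as
# vulnerable / mitigated / not-affected / unknown.
mds_state() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# "yes" when the same status line reports sibling hyperthreads as still
# exposed (the attacker-and-victim-on-one-physical-core setting above).
mds_smt_exposed() {
  case "$1" in
    *"SMT vulnerable"*) echo "yes" ;;
    *)                  echo "no" ;;
  esac
}

# Print the kernel command-line tokens that switch off relevant defenses:
# the nopti/nokaslr pair from the thread plus the MDS-specific knobs.
weakening_flags() {
  found=""
  for tok in $1; do          # unquoted on purpose: split on whitespace
    case "$tok" in
      nopti|nokaslr|mds=off|mitigations=off) found="$found $tok" ;;
    esac
  done
  echo "${found# }"
}

# Live audit of the running host, one line per finding.
audit_host() {
  f=/sys/devices/system/cpu/vulnerabilities/mds
  if [ -r "$f" ]; then status=$(cat "$f"); else status="unknown"; fi
  cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
  flags=$(weakening_flags "$cmdline")
  echo "mds: $(mds_state "$status") (smt exposed: $(mds_smt_exposed "$status"))"
  echo "weakening flags: ${flags:-none}"
}

# Demo on the cmdline quoted earlier in this thread; prints: nopti nokaslr
weakening_flags "BOOT_IMAGE=/boot/vmlinuz-4.15.0-45-generic ro quiet nopti nokaslr"
# Run the live audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_host; fi
```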

i336 commented 5 years ago

@andreafioraldi: Very curious how that particular attack worked. It looks like Linux is attacking the host from inside a VM? If that is indeed what is happening... ouch. A very effective demonstration of the impact of this attack.

pietroborrello commented 5 years ago

@i336: yes, Andrea was referring to one of the first tests I did on my Mac. It was not suitable to be used as an attacker for the reasons I mentioned, but it was a perfect victim. A Linux guest VM was able to sniff strings used by the Mac host, even ones relating to browser activity, as they mentioned in the paper.