Exploit emerges for Microsoft's problematic Meltdown patch for Windows 7 and Server 2008
For Microsoft, the patches it produced for the Meltdown chip vulnerability proved to be just about as problematic as the original issue, further reducing the security of systems. Following the emergence of an exploit for the Windows-maker's first patch, users are advised to hurry up and install the patch-for-a-patch that was later released.
Last month, Ulf Frisk from Sweden revealed that Microsoft's Meltdown patches were making things worse for Windows 7 and Windows Server 2008, making it possible to read and write kernel memory and gain total control over the system. Now code has been posted online that can be used to exploit the "Total Meltdown" vulnerability.
- Intel: some processors will never receive Meltdown and Spectre patches
- Microsoft releases update that fixes problematic Meltdown patch
- Meltdown patches from Microsoft made Windows 7 and Windows Server 2008 less secure
Over on GitHub, someone using the handle XPN has posted code that makes it possible to launch an administrator-level command line shell as a normal user. On his or her own site, the hacker and infosec researcher says: "This week I had some free time, so I decided to dig into the vulnerability and see just how the issue manifested itself. The aim was to create a quick exploit which could be used to elevate privileges during an assessment. I ended up delving into Windows memory management more than I had before, so this post was created to walk through just how an exploit can be crafted for this kind of vulnerability."
The exploit is a four-step process which XPN explains as follows:
- Create a new set of page tables which will allow access to any physical memory address.
- Create a set of signatures which can be used to hunt for _EPROCESS structures in kernel memory.
- Find the _EPROCESS memory address for our executing process, and for the System process.
- Replace the token of our executing process with that of System, elevating us to NT AUTHORITY\System.
A full explanation of the exploit can be found on XPN's own site. A video of the exploit in action has also been posted.
So what's the takeaway from this? Basically, if you have not installed the very latest Meltdown patches from Microsoft -- the ones that fix the problems with the first ones -- now is the time to do so. Find out more in our previous article.
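For administrators who want to confirm the takeaway above on their own fleet, here is an added PowerShell check (not code from the article or from XPN) that reports whether a Windows 7 / Server 2008 R2 host has the corrective kernel update installed. It assumes, since the article does not name it, that the fix is tracked as KB4100480 (released 2018-03-29) and that later monthly rollups supersede it.

```powershell
# Added example, not from the article: defender-side check for the "Total Meltdown" fix.
# Assumptions (not stated in the article): the corrective update is KB4100480, released
# 2018-03-29, and later monthly rollups include it, so any update installed on or after
# that date is treated as covering the fix (a heuristic; confirm against Microsoft's notes).
$FixKb   = 'KB4100480'
$FixDate = Get-Date '2018-03-29'

# Only the NT 6.1 kernel (Windows 7 SP1 / Server 2008 R2) received the flawed patch.
# Get-WmiObject rather than Get-CimInstance so this also runs on the PowerShell 2.0
# that Windows 7 ships with.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -notlike '6.1.*') {
    Write-Output "Not affected: $($os.Caption) (kernel $($os.Version)) did not receive the flawed patch."
    return
}

$hotfixes = Get-HotFix
$explicit = @($hotfixes | Where-Object { $_.HotFixID -eq $FixKb })
$later    = @($hotfixes | Where-Object { $_.InstalledOn -ne $null -and $_.InstalledOn -ge $FixDate })

if ($explicit.Count -gt 0) {
    Write-Output "OK: $FixKb is installed."
} elseif ($later.Count -gt 0) {
    # A rollup newer than the fix is assumed to include it; list them so the admin can verify.
    Write-Output "Probably OK: $FixKb not listed, but $($later.Count) update(s) installed on or after $($FixDate.ToShortDateString())."
    $later | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    # Covers both the flawed January-March 2018 patches and hosts never patched for Meltdown at all.
    Write-Output "AT RISK: no $FixKb and no updates since $($FixDate.ToShortDateString()); install the latest rollup now."
}
```

Run it as a local administrator (Get-HotFix reads the update history via WMI) or wrap it in Invoke-Command to sweep several hosts at once.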