Hacker Finds Hidden 'God Mode' on Old x86 CPUs

[Paul Wagenseil]

Old VIA C3 chipsets have an undocumented RISC coprocessor that gives you root access from userland if you simply type in four bytes.

Hacker Finds Hidden 'God Mode' on Old x86 CPUs : Read more

 

[andyz0976]

Yet another purpose-made loophole.

 

[bit_user]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

 

[dudmont]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

If he had mentioned it in the 2nd paragraph, would you have stayed for the rest?

 

[bit_user]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

If he had mentioned it in the 2nd paragraph, would you have stayed for the rest?

Yes. I read the whole thing. It's not exactly War & Peace.

Now, had it been in the headline (where it belongs, IMO), I can believe the article would've gotten fewer clicks.

I definitely respect the amount of effort that went into finding this. That part was definitely worth the read.

 

[Karadjgne]

There's ppl who most definitely know where the back doors are, and how to access them, exploit them etc. They know, because they put them there in the first place. Some engineer who designed the 2003 Via C3 chips is cussing up a storm right about now. It's one secret that should have been buried and gone to the grave. And up til now, it did. But now some genius has advertised how to get at it, quite simply, so all those hackers worldwide, who tried and failed to find one, now have a serious clue as to how to get in. On other chips. Meltdown and Spectre are bad enough, but when is 'backdoor fever' gonna be allowed to die out. Stuff like this is just adding fuel to the fire.

 

[mapesdhs]

Karadjgne, that reads way too much like, there's a problem but we shouldn't talk about it. Better to expose and deal with loopholes now, then let one's enemies exploit them later.

 

[Karadjgne]

Whereas I see it as more like a bank robber posting for the world to see just what tools are needed and directions on just how to rob a bank and get away with it. There's multiple ppl who wouldn't know all that normally who'd go ahead and try/do it anyways. It's a Pandoras Box.

 

[shrapnel_indie]

Whereas I see it as more like a bank robber posting for the world to see just what tools are needed and directions on just how to rob a bank and get away with it. There's multiple ppl who wouldn't know all that normally who'd go ahead and try/do it anyways. It's a Pandora's Box.

Indeed, it is a Pandora's Box Yes, more people know how to access and exploit now... but that doesn't mean those who you really wish to never know didn't already know and were already taking advantage of it. Espionage, or plain spying on us by those in high levels know more than we'll ever know or want to know.

 

[jimmysmitty]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

If he had mentioned it in the 2nd paragraph, would you have stayed for the rest?

No but it can push this article into the realm of "clickbait". It makes it seem like a CPU you or I might use or have used has it. No consumer used a VIA x86 CPU. The headline should mention that it is a Via CPU.

 

[matt91.mek]

Ah, VIA, the consumer tower chipset guys of 00's. It's a good thing Chen Ing-hau never found out about this.

 

[ermegerd]

This 'trail of breadcrumbs' is documented in the datasheet, Appendix A-10 (Alternate Instruction Execution)

"...For example, in the alternate instruction set, privileged functions can be used from any protection level, memory descriptor checking can be bypassed, and many x86 exceptions such as alignment check can be bypassed..."


http://datasheets.chipdb.org/VIA/Nehemiah/VIA C3 Nehemiah Datasheet R113.pdf

 

[matt91.mek]

No but it can push this article into the realm of "clickbait". It makes it seem like a CPU you or I might use or have used has it. No consumer used a VIA x86 CPU. The headline should mention that it is a Via CPU.

The VIA C3 was the northbridge and southbridge chip, dude. Not the CPU. This flaw was the result of the motherboard manufacturer and VIA thinking, "Hey. Let's add some cool features." Security was never the intention, and malware in the 00's was 1337 anarchist s***.

 

[ermegerd]

No but it can push this article into the realm of "clickbait". It makes it seem like a CPU you or I might use or have used has it. No consumer used a VIA x86 CPU. The headline should mention that it is a Via CPU.

The VIA C3 was the northbridge and southbridge chip, dude. Not the CPU. This flaw was the result of the motherboard manufacturer and VIA thinking, "Hey. Let's add some cool features." Security was never the intention, and malware in the 00's was 1337 anarchist s***.

The VIA C3 was most definitely a (family of) CPUs. I had one, back in the day.

https://en.wikipedia.org/wiki/VIA_C3

 

[bentremblay]

This is for sure more than just #Lateral, but ...
When asked by I was so insistent about refusing commission (to become an officer) I put it this way: as a grunt I would very happily help officers in fullfilling our mission. BUT ... as a grunt I was always / continuously in a state of "Don't know" i.e. "These are facts. Those are estimates. This here is a list of predictions. So maybe if we do X and Y arises, we'll get Z ... maybe." On the other hand officers were charged in defending whatever they concluded was true and right.

What I mean, and I'm drawing on my experience of the intelligence community (SigInt, thanks for asking!): the most misleading thing is what you're very sure is true.

Kinda like how Putin's mafia does 10 tonnes of sloppy work ... which yuppie-types follow like dogs follow puke.
Then 1 tonne of pretty clever hacking.
And way down deep? 2 or maybe 3 exploits that are like uber-important.

Like how magicians use indirection. Some is obvious. Some is clever. Throw in a double-dash of "clever" and you can get away with almost anything.

"Perfect answer becomes donkey's hitching post." --old Japanes saying

We caught this one. After we had for so long missed it.
Soooo ... what have we not caught? heh

^5

 

[danwat1234]

But doesn't exist for any Intel or AMD chips?

 

[Karadjgne]

Who knows. Only the engineers who designed the chips do. And they are in hiding.

 

[aries1470]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

If he had mentioned it in the 2nd paragraph, would you have stayed for the rest?

No but it can push this article into the realm of "clickbait". It makes it seem like a CPU you or I might use or have used has it. No consumer used a VIA x86 CPU. The headline should mention that it is a Via CPU.

I would say that a huge amount of consumers used it, and still do.
Let's see, ATM's, cars, info kiosks... should I go on?

Just because YOU haven't used it, doesn't mean other people haven't used it

It was a good enough chip/ cpu for embedded systems and cheap enough too, just not good enough for most people that loved gaming, but for big corporations, it was rolled out for web-browser based and thin clients, think call centres. So, this did have the potential to be a huge problem, now for today, it is limited by the banking sector that still uses it.

Also, it was used in some laptops of the era, cheap and low powered / low end, aka perfect for bean counters that just needed to do spreadsheets, word documents and some number crunching.

Ok, rant mode off, but I hope you get a better understanding that you and many other people may have used this processor without even knowing that they did, and how even today, it can still be an issue.
Just saying.

 

[BorgOvermind]

Intel has remote self-destruct capabilities in all i-series CPUs.
Seagate was caught with backdoors in the firmware.
And the list goes on...

 

[tauseefriaz]

What if that code is just updating the username handle in the memory?

 

[Karadjgne]

There's back doors in just about all software/firmware, there has to be. It's how engineers bypass all the bs and restrictions to fix/tweak/update stuff while still in alpha/beta testing. What sucks is when that backdoor becomes part of the software/firmware and requires a major overhaul to remove it. So it gets left there and buried until some enterprising jerk with too much time on his hands decides to go find it. Then it becomes a matter of damage control.

What Microsoft should do is hire all these ppl, give them a beta copy of Windows 12 and tell them to do their worst.

 

[bit_user]

What if that code is just updating the username handle in the memory?

The whoami command would ask the kernel for the user's credentials. So, there should be nothing they can spoof in userspace that can have that effect.

Of course, the video could be forged. But, they supposedly released all of the details. So, if this is a fake that should quickly surface when others aren't able to reproduce the exploit.

 

[bit_user]

What Microsoft should do is hire all these ppl, give them a beta copy of Windows 12 and tell them to do their worst.

A lot of companies (including MS, I'm sure) already have bug bounties. There are also competitions where hackers are given a limited amount of time to find exploits, and given quite substantial monetary rewards.

 

[jimmysmitty]

he good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients.

Gee, kinda important detail to bury half-way down the article, eh?

If he had mentioned it in the 2nd paragraph, would you have stayed for the rest?

No but it can push this article into the realm of "clickbait". It makes it seem like a CPU you or I might use or have used has it. No consumer used a VIA x86 CPU. The headline should mention that it is a Via CPU.

I would say that a huge amount of consumers used it, and still do.
Let's see, ATM's, cars, info kiosks... should I go on?

Just because YOU haven't used it, doesn't mean other people haven't used it

It was a good enough chip/ cpu for embedded systems and cheap enough too, just not good enough for most people that loved gaming, but for big corporations, it was rolled out for web-browser based and thin clients, think call centres. So, this did have the potential to be a huge problem, now for today, it is limited by the banking sector that still uses it.

Also, it was used in some laptops of the era, cheap and low powered / low end, aka perfect for bean counters that just needed to do spreadsheets, word documents and some number crunching.

Ok, rant mode off, but I hope you get a better understanding that you and many other people may have used this processor without even knowing that they did, and how even today, it can still be an issue.
Just saying.

Or take it as a no consumer ever used this processor knowingly. No one did. Very very few except niche people actually bought this for anything.

It is still a very click bait title. It should have specified it was a VIA C3 Nehemiah and not x86 specific as it is not an x86 specific issues, its a VIA C3 Nehemiah specific issue.

 

[brunerd]

From the VIA PDF linked in the comments: "f you have a justified need for access to these instructions, contact your VIA representative."

Did they mean "CIA representative" XD or should I say NSA?
It reminds me of the 2014 Snowden leaks where the operations involved using employees of tech companies to knowingly degrade technologies for the purpose of backdooring it... but probably the easier answer is someone effed up, the PDF states that: "While setting this FCR bit is a privileged operation, executing the alternate instructions can be done from any protection level."

So it was meant to be root enabled, to allow the jump from 3 to 0 but looks like someone messed up... or did they?!?! <shrug> Give up now on "total freedom" already folks.