Meltdown, More Like Letdown

There is still a lot of hype around Meltdown and Spectre, and rightly so: they are serious risks, but I think as the days pass their most serious impact is financial. I have a number of benchmark tests that show the impact; for example, Apache is now 8% slower at static file reads, so anyone with a big appetite for resources will need to fire up more resources to cope with the same load as before.

My main point about these issues is that if you face any kind of real threat, like an APT adversary - Meltdown or not - they are getting in and will get what they want; this changes nothing. For the sake of this post we assume we face a fairly unskilled adversary. What we want to know is: can Meltdown be abused by low-skilled attackers for maximum impact? Let’s find out.

With Meltdown I can copy sensitive files, steal passwords and access other sensitive data, sounds cool, let’s try…

First I check out some open-source POCs. The first issue I see is cross-platform compatibility; this is to be expected, but from an (unskilled) attacker’s point of view it’s not so nice, since the code is not easily portable, and we also assume they can’t code C...

So now I go looking for another POC. Found one, this looks cool…but wait, we declare the secret values ourselves…why? It makes sense: we need to know WHERE the data we want to leak resides.

Same for another POC: we have to declare the secret so we can use a pointer to get the value back from memory…

So now I am thinking, this is cool but I want to target a value I did not assign myself, like a Bitcoin wallet password…so I start playing around with a new POC…

Life is binary, or at least that’s what it feels like

Ok, so now it’s pedal to the metal…hey ma, look, I am reading…nothing? Sure looks like it. This was to be expected, though, since I gave it a random address to start from.

How about the sys_call_table? That’s better…

Awesome, right?

Quick confession: I worked out the sys_call_table address and entered it manually! Still not fully dynamic and usable…so I wrote a new POC…

Look ma, I got some Bitcoins

Awesome! Now I read the values and reassembled them into a password. Was it easy? Well, not as easy as the media would have you believe: for this I had to use gdb to find the address it would write to, I turned off ASLR, and it took a while to get the code right.

At least I can now extract passwords…well, here we get to my main point: an average attacker will always choose the path of least resistance. So while you could change this POC to target all architectures, get around modern defenses and write a lot of code, you could just as easily use this Microsoft 0day exploit…

Your clipboard is my clipboard

On any architecture one can simply log all keystrokes and constantly dump the contents of the clipboard to harvest credentials; no need for Meltdown.

So, I heard we also want to steal files? Well, this POC was painful and boring: you have to reassemble the bytes on the attacker end and rebuild/extract the files. It was possible, but again, what address do you start from? Is the file even in memory? And if you read memory in a single thread, will it be overwritten as you dump it?

Ok, so let’s multi-thread this…more complexity for the attacker, and now it’s getting noisy…which makes me wonder why bother, especially when I can drop a Python 0day in most situations…

I just took all the secret files

There are two ways to approach the same objective: the hard way and the easy way. There are literally hundreds of other easy ways to do the same thing, from default networking tools like netcat to transfer files, to keyloggers in the form of post-exploitation modules.

Finally, I really must get back to the point I have been stressing in the media since the news broke: if an attacker is able to run code, it’s a problem, and it was a problem long before Meltdown and Spectre. The chances are some configuration issue will be used to elevate privileges, and then it’s all over anyway…tcpdump/sslstrip/responder/corsa all the things, you don’t need anything else.

To conclude: don’t panic, business as usual. As always, security best practices are key, and just know that if you do feel the pain of this, it will most likely be in your wallet. That’s it.
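Since the post’s practical takeaway is "apply the mitigations and keep the basics in place" (note that the password extraction above only worked after ASLR was switched off), here is an added defender-side audit script. It is not code from the original post. It reads the Linux kernel’s own per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (present in kernels that carry the Meltdown/Spectre reporting) and the ASLR knob /proc/sys/kernel/randomize_va_space; the VULN_DIR and ASLR_FILE overrides, and the sample status strings used when testing it, are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a defender-side check of the
# kernel's Meltdown/Spectre status reporting and of the ASLR setting.
# The two default paths are the real Linux locations; the overrides let the
# functions run against constructed sample files.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
ASLR_FILE="${ASLR_FILE:-/proc/sys/kernel/randomize_va_space}"

# Map one status line, as the kernel writes it, to a verdict:
#   "Not affected" / "Mitigation: ..." -> ok
#   "Vulnerable" / "Vulnerable: ..."   -> vulnerable
#   anything else                      -> unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Print the number of entries in directory $1 still reported as Vulnerable.
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# Print a one-line report per entry in directory $1: name, verdict, raw status.
report_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Translate randomize_va_space (file $1) into words: 0 disables ASLR,
# 1 randomises stack/mmap/vdso, 2 also randomises the heap (brk).
aslr_status() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in
        0) echo disabled ;;
        1) echo partial ;;
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Stand-alone run against the live system (prints nothing for the
# vulnerability table where the kernel does not expose the directory).
if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR"
    echo "vulnerable entries: $(count_vulnerable "$VULN_DIR")"
fi
echo "ASLR: $(aslr_status "$ASLR_FILE")"
```

Run it as root or as any user (the files are world-readable) on each host after patching; any entry reported as "vulnerable" means the kernel knows it is unmitigated, and an ASLR value other than "full" means the address-guessing step that slowed the author down is not in the attacker’s way.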