AiOwares
Backdoor Mechanism Discovered in VIA C3 x86 Processors - Printable Version




Backdoor Mechanism Discovered in VIA C3 x86 Processors - WALLONN7 - 08-13-2018

Backdoor Mechanism Discovered in VIA C3 x86 Processors

[Image: VIA_C3.jpg]

At the Black Hat 2018 and DEF CON 26 security conferences held in Las Vegas last week, a security researcher detailed a backdoor mechanism in x86-based VIA C3 processors, a CPU family produced and sold between 2001 and 2003 by Taiwan-based VIA Technologies Inc.
The affected CPU family was designed with desktop PC use in mind but became better known for its deployment in point-of-sale units, smart kiosks, ATMs, gaming rigs, healthcare devices, and industrial automation equipment.


The Rosenbridge backdoor mechanism

Christopher Domas, a well-known hardware security researcher, says that VIA C3 x86 CPUs contain what he calls a "hidden God mode": a path that lets malicious code elevate itself from ring 3 (user mode) to ring 0 (the OS kernel), the most privileged of the CPU's protection rings.
Domas says that this mechanism, which he named Rosenbridge, is a RISC (Reduced Instruction Set Computer) coprocessor embedded alongside the main x86 core of the C3.
According to the researcher, a control bit in a register enables the coprocessor; once that bit is set, a launch instruction (.byte 0x0f, 0x3f) hands execution to the coprocessor, and the bytes that follow are interpreted by it rather than by the x86 core. The coprocessor, he argues, is not subject to the same security protections as the main C3 processor.
Whatever is sent to the coprocessor runs with ring 0 privileges, regardless of the ring 3 level of the x86 code that issued the launch instruction.

[Image: rosenbridge.gif]

Domas says he identified this "hidden God mode" feature in VIA C3 Nehemiah chips, but he expects other C3 processors to feature a similar mechanism.
The expert says he discovered the Rosenbridge backdoor system while sifting through patents. In his DEF CON slides, the researcher lists US8341419, US8880851, US9292470, US9317301, US9043580, US9141389, and US9146742.


But is it really a "backdoor?"

On social media sites such as Twitter and Reddit, several other hardware experts disputed Domas' characterization, arguing that Rosenbridge may not be an actual backdoor, since it was first referenced in official VIA documentation in September 2004.
According to that VIA document (page 82), the purpose of the hidden RISC coprocessor is to provide an "alternate instruction set" that gives hardware vendors (OEMs) more control over the CPU.
"This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture," the document reads.
The VIA document also mentions that the additional instruction set is specifically meant for testing, debugging, or other special conditions, hence the reason it is not "documented for general usage."


Rosenbridge difficult to exploit, but is sometimes enabled by default

The good news is that this controversial "backdoor", as Domas himself explains, "should require kernel level access to activate."
Nevertheless, Domas also points out that the Rosenbridge mechanism "has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel" without any prior exploitation. In those cases the attacker only needs to issue the launch instruction and the specially crafted instructions that follow it; the coprocessor is already enabled and will execute them.
The researcher released a GitHub repository containing tools to check whether a VIA C3 x86 CPU has the Rosenbridge mechanism enabled, and to disable it to prevent intentional or accidental exploitation. More details about the Rosenbridge research can be found in Domas' DEF CON presentation.
The VIA C3 research is not Domas' first brush with x86 chipset security. Three years ago, at the Black Hat 2015 security conference, Domas also detailed a similar method of elevating the execution level of malicious code inside x86 CPUs via the System Management Mode (SMM) feature. He said Intel and AMD x86-based processors were affected.


Source: https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/
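The article describes two things a practitioner would want to try on a suspect box: the launch instruction itself (.byte 0x0f, 0x3f), and a way to tell whether the control bit is already enabled on a given system so that ring 3 code can reach the coprocessor. The program below is an added example written for this thread; it is not code from the article and not Domas' published rosenbridge tools. It assumes a Linux/POSIX host, a little-endian CPU, and that VIA/Centaur processors report the CPUID vendor string "CentaurHauls"; the enum names and the verdict strings are this example's own. The idea is the standard one for probing a possibly undefined opcode: install a SIGILL handler, execute the instruction under sigsetjmp, and treat a delivered SIGILL (#UD) as "not reachable from ring 3".

```c
/*
 * Added example (not from the article or from Domas' repository): a user-mode
 * probe that reports whether the Rosenbridge launch instruction is accepted
 * from ring 3 on the machine it runs on.
 *
 * Assumptions: Linux/POSIX signals, a little-endian host (x86 is), and that
 * VIA/Centaur parts report the CPUID vendor string "CentaurHauls".
 *
 * Caveat: if the control bit IS set, 0x0f 0x3f does not fault and the bytes
 * after it are fed to the coprocessor, not to the x86 core. Run this only on a
 * disposable system; the nops are a placeholder, not a safe coprocessor program.
 */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum probe_result {
    PROBE_UNSUPPORTED = -1,     /* not an x86 build, or CPUID unavailable */
    PROBE_NOT_CENTAUR = 0,      /* other vendor: launch instruction not attempted */
    PROBE_LAUNCH_FAULTS = 1,    /* #UD raised: control bit clear or feature absent */
    PROBE_LAUNCH_EXECUTED = 2   /* accepted in ring 3: control bit enabled */
};

/* CPUID leaf 0 returns the 12-byte vendor string in EBX, EDX, ECX (that order). */
void vendor_from_regs(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13])
{
    memcpy(out, &ebx, 4);          /* little-endian host: bytes land in string order */
    memcpy(out + 4, &edx, 4);
    memcpy(out + 8, &ecx, 4);
    out[12] = '\0';
}

int is_centaur(const char *vendor)
{
    return strcmp(vendor, "CentaurHauls") == 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>

static sigjmp_buf ud_jmp;

static void on_sigill(int sig)
{
    (void)sig;
    siglongjmp(ud_jmp, 1);
}

/* Returns 1 and fills out[] on success, 0 if CPUID is not available. */
int cpu_vendor(char out[13])
{
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    vendor_from_regs(ebx, edx, ecx, out);
    return 1;
}

/* Returns 1 if the launch instruction raised #UD (SIGILL), 0 if it executed. */
int launch_insn_raises_ud(void)
{
    struct sigaction sa, old;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old);

    if (sigsetjmp(ud_jmp, 1) == 0) {
        __asm__ volatile(
            ".byte 0x0f, 0x3f\n\t"     /* Rosenbridge launch instruction */
            "nop\n\tnop\n\tnop\n\tnop"  /* placeholder bytes, see caveat above */
            ::: "memory");
    } else {
        faulted = 1;                    /* arrived here from the SIGILL handler */
    }

    sigaction(SIGILL, &old, NULL);
    return faulted;
}

int probe(void)
{
    char vendor[13];
    if (!cpu_vendor(vendor))
        return PROBE_UNSUPPORTED;
    if (!is_centaur(vendor))
        return PROBE_NOT_CENTAUR;       /* never fire the opcode on other vendors */
    return launch_insn_raises_ud() ? PROBE_LAUNCH_FAULTS : PROBE_LAUNCH_EXECUTED;
}
#else
int probe(void)
{
    return PROBE_UNSUPPORTED;
}
#endif

int main(void)
{
    static const char *const verdict[] = {
        "unsupported build or no CPUID",
        "not a VIA/Centaur CPU, launch instruction not attempted",
        "launch instruction raised #UD: control bit clear or feature absent",
        "launch instruction executed from ring 3: control bit enabled",
    };
    int r = probe();
    printf("rosenbridge probe: %s\n", verdict[r + 1]);
    return 0;
}
```

Build with `cc -o rosenbridge_probe rosenbridge_probe.c` and run it unprivileged: on any Intel or AMD machine it stops at the vendor check, and on a C3 where the bit is clear it reports the #UD. Only the last verdict is the "enabled by default" condition the article warns about, and on such a system the probe has already handed bytes to the coprocessor by the time it prints, which is why Domas' own tool, not this probe, is the right thing to run when a real finding matters.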




RE: Backdoor Mechanism Discovered in VIA C3 x86 Processors - aemalakai - 02-24-2021

Talk about a blast from the past. I ran a Cyrix chip back in the '90s. It amazes me that there are still people out there trying to exploit old, unpopular hardware.


RE: Backdoor Mechanism Discovered in VIA C3 x86 Processors - nsan3 - 04-02-2021

Wouldn't updating the processor system software or the like fix such problems? Forgive me if I am wrong; I have not dealt with processors.


RE: Backdoor Mechanism Discovered in VIA C3 x86 Processors - nodnar - 04-02-2021

What amazes me more is why so-called security crooks who need to go public with very-hard-to-implement hardware flaws decide to do it at all;
Meltdown & Spectre spring to mind here; after all the panic it caused, it would have been more appropriate if those crooks
had codenamed it [another disease of their crooked minds: give it a code name] Laurel & Hardy. For what actually happened in the wild?
Sweet Fanny Adams. I am afraid that so-called backdoor will turn out to be the same. We will see; just follow the money.
And I also wonder why this particular fool had to think of a charming codename like that.


RE: Backdoor Mechanism Discovered in VIA C3 x86 Processors - Wiz - 10-22-2021

The moron who came up with Plundervolt comes to mind.
I bought a *fanless* i5 Surface Pro 7 specifically to run undervolted, the reasons for which are many for a notebook designed like this.
It can't anymore, or ever again, because of a stupid exploit some guy "discovered" that is practically impossible. Forever annoyed at that.


RE: Backdoor Mechanism Discovered in VIA C3 x86 Processors - Uthar - 10-25-2021

Even though it is for an old CPU, in many cases it can still be relevant.
As mentioned in the article, a similar 'vulnerability' could exist in newer similar CPUs,
and legacy systems tend to use old hardware.
More often than not, legacy systems are just working fine and too expensive to upgrade/replace.