A new hack discovered by researchers exploits a physical weakness in certain types of DDR memory chips to elevate the system rights of untrusted users on Intel-compatible PCs running Linux.
This new technique was outlined in a blog post published Monday by Google’s Project Zero security initiative. The underlying problem, called “Rowhammer”, is that repeatedly accessing one row of memory can cause bit flips in adjacent rows. The Google team tested a selection of laptops and found that many of them exhibited the problem, and it has built two working privilege-escalation exploits that use this effect.
One of them uses Rowhammer bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged user process. When run on a vulnerable machine, the process is able to induce bit flips in page table entries (PTEs), use them to gain write access to its own page table, and hence obtain read-write access to all of physical memory.
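Why a single flipped PTE bit is so dangerous, as an added illustration that is not code from the Project Zero post: this decodes an x86-64 page table entry and classifies which bit positions, if flipped, would redirect the mapping to a different physical frame rather than merely toggling a permission flag. The PTE value is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4 KiB page table entry layout (Intel SDM vol. 3, 4-level paging). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL   /* bits 12..51: physical frame address */

typedef struct {
    int present, writable, user, nx;
    uint64_t phys_frame;                      /* base address of the mapped frame */
} pte_fields;

pte_fields decode_pte(uint64_t pte) {
    pte_fields f;
    f.present  = (pte & PTE_PRESENT)  != 0;
    f.writable = (pte & PTE_WRITABLE) != 0;
    f.user     = (pte & PTE_USER)     != 0;
    f.nx       = (pte & PTE_NX)       != 0;
    f.phys_frame = pte & PTE_PFN_MASK;
    return f;
}

/* The entry as it would read after one bit was flipped in DRAM. */
uint64_t flip_bit(uint64_t pte, int bit) { return pte ^ (1ULL << bit); }

/* 1 if flipping this bit makes the entry point at a different physical frame,
   i.e. the virtual page now aliases memory the process was never granted. */
int flip_changes_frame(uint64_t pte, int bit) {
    return decode_pte(pte).phys_frame != decode_pte(flip_bit(pte, bit)).phys_frame;
}

/* How many of the 64 bit positions redirect the mapping when flipped. */
int count_frame_bits(uint64_t pte) {
    int n = 0;
    for (int bit = 0; bit < 64; bit++) n += flip_changes_frame(pte, bit);
    return n;
}

int main(void) {
    /* Constructed example: present, writable, user-accessible, no-execute data page. */
    uint64_t pte = 0x1234000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER | PTE_NX;
    printf("%d of 64 single-bit flips redirect the mapping\n", count_frame_bits(pte));
    printf("bit 20 flip: frame 0x%llx -> 0x%llx\n",
           (unsigned long long)decode_pte(pte).phys_frame,
           (unsigned long long)decode_pte(flip_bit(pte, 20)).phys_frame);
    return 0;
}
```

Forty of the sixty-four positions sit in the frame-number field, which is why an attacker-controlled flip in a PTE so readily lands the page on someone else's memory, including the page tables themselves.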
The team is not sure how many machines are vulnerable to this attack, or how many existing vulnerable machines can be fixed. Their exploit uses the x86 CLFLUSH instruction to generate many accesses to DRAM. The team also warned that the technique is not inherently Linux-specific and could be made to work on other operating systems.