Security researcher Ulf Frisk reports that the patches Microsoft shipped to address the Meltdown processor flaw on Windows 7 (64-bit) and Windows Server 2008 R2 machines introduced a far worse vulnerability of their own. He claims the new flaw lets any user-mode process read all of physical memory “at gigabytes per second,” and write to arbitrary memory as well, without “fancy exploits.”
“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk states. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or system calls required — just standard read and write!”
Because physical memory is large and shared by every running program, software does not address it directly. Each process works with virtual addresses, and the processor’s Memory Management Unit (MMU) translates those into physical addresses using a hierarchy of in-memory page tables. On 64-bit Windows that hierarchy has four levels, with one set of tables per process, and the reported problem lies in how those tables were exposed to the processes they describe.
According to Frisk, Windows 7 and Windows Server 2008 R2 keep a self-referencing entry in the top level of that hierarchy, the Page Map Level 4 (PML4): an entry that points back at the PML4 itself, which makes the whole set of page tables visible at a fixed virtual address in every process. That mapping is meant for the kernel alone. Each page table entry carries a user/supervisor bit, and the self-referencing entry is supposed to be marked “supervisor,” so only code running at the processor’s highest privilege level can read or write the page tables through it.
But the Meltdown patches Microsoft released at the beginning of 2018 flipped that bit to “user.” Because the page tables were already mapped into every process, any unprivileged program could now read and modify them with ordinary loads and stores, and a program that controls its own page tables can map, read, and write any data in physical memory, including data meant only for the operating system.
“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization,” Frisk writes. “All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.”
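The mechanism described above, as an added illustration that is not Frisk’s code and not part of PCILeech: a small software model of x86-64 four-level paging with a self-referencing PML4 slot at index 0x1ED (the slot Windows 7 x64 uses, which places the PML4 at 0xFFFFF6FB7DBED000). The simulated physical memory, frame layout, “secret” value, and the helper names are all constructed for the example. It shows that a user-mode walk to the page tables faults while the self-referencing entry is marked supervisor, succeeds once the entry is marked user, and that from there a user-mode write of a single page table entry is enough to read a physical frame the process was never given.

```c
/* Software model of x86-64 four-level paging with a self-referencing PML4 slot.
 * Hypothetical simulation for illustration only; it touches no real hardware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_P  (1ULL << 0)   /* present */
#define PTE_RW (1ULL << 1)   /* writable */
#define PTE_US (1ULL << 2)   /* user/supervisor: 1 = user mode may access */
#define ADDR_MASK 0x000FFFFFFFFFF000ULL
#define SELF_IDX  0x1EDULL   /* PML4 slot Windows 7 x64 uses to map the page tables into themselves */
#define NFRAMES   8          /* simulated physical memory: 8 frames of 4 KiB (constructed) */

enum { PML4_FRAME, PDPT_FRAME, PD_FRAME, PT_FRAME, USER_FRAME, SECRET_FRAME = 7 };
#define SECRET_VALUE 0x4B45524E454C2121ULL   /* constructed "kernel-only" data in frame 7 */

static uint64_t phys[NFRAMES][512];          /* 512 eight-byte entries per 4 KiB frame */

static uint64_t canonical(uint64_t va) {     /* sign-extend bit 47 as the CPU does */
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL) : va;
}
static uint64_t mk_entry(unsigned frame, uint64_t flags) {
    return ((uint64_t)frame << 12) | flags;
}

/* Walk the four levels. user=1 requires PTE_US at every level, write=1 requires PTE_RW
   (simplified: real hardware only enforces RW for supervisor writes when CR0.WP is set).
   Returns 0 and the physical address on success, -1 on a page fault. */
static int walk(uint64_t va, int user, int write, uint64_t *pa) {
    unsigned frame = PML4_FRAME;             /* what CR3 points at */
    static const int shifts[4] = { 39, 30, 21, 12 };
    for (int level = 0; level < 4; level++) {
        uint64_t e = phys[frame][(va >> shifts[level]) & 0x1FF];
        if (!(e & PTE_P) || (user && !(e & PTE_US)) || (write && !(e & PTE_RW)))
            return -1;
        frame = (unsigned)((e & ADDR_MASK) >> 12);
        if (frame >= NFRAMES) return -1;
    }
    *pa = ((uint64_t)frame << 12) | (va & 0xFFF);
    return 0;
}
static int vm_read64(uint64_t va, int user, uint64_t *out) {
    uint64_t pa;
    if (walk(va, user, 0, &pa)) return -1;
    *out = phys[pa >> 12][(pa & 0xFFF) >> 3];
    return 0;
}
static int vm_write64(uint64_t va, int user, uint64_t val) {
    uint64_t pa;
    if (walk(va, user, 1, &pa)) return -1;
    phys[pa >> 12][(pa & 0xFFF) >> 3] = val;
    return 0;
}

/* Fixed virtual address at which the PML4 sees itself through the self-referencing slot. */
uint64_t pml4_self_va(void) {
    return canonical((SELF_IDX << 39) | (SELF_IDX << 30) | (SELF_IDX << 21) | (SELF_IDX << 12));
}
/* Virtual address of the PTE that maps va, again reached via the self-referencing slot. */
uint64_t pte_va(uint64_t va) {
    return canonical((SELF_IDX << 39) | ((va >> 9) & 0x7FFFFFFFF8ULL));
}

/* Build a minimal address space: one user region at VA 0 plus the self-reference.
   self_ref_user selects the U/S bit on the self-referencing PML4 entry:
   0 models the original supervisor-only entry, 1 models the January 2018 patch. */
static void setup(int self_ref_user) {
    memset(phys, 0, sizeof phys);
    phys[PML4_FRAME][SELF_IDX] = mk_entry(PML4_FRAME, PTE_P | PTE_RW | (self_ref_user ? PTE_US : 0));
    phys[PML4_FRAME][0] = mk_entry(PDPT_FRAME, PTE_P | PTE_RW | PTE_US);
    phys[PDPT_FRAME][0] = mk_entry(PD_FRAME, PTE_P | PTE_RW | PTE_US);
    phys[PD_FRAME][0]   = mk_entry(PT_FRAME, PTE_P | PTE_RW | PTE_US);
    phys[PT_FRAME][0]   = mk_entry(USER_FRAME, PTE_P | PTE_RW | PTE_US); /* maps VA 0x0000 */
    phys[SECRET_FRAME][0] = SECRET_VALUE;    /* frame 7 is mapped nowhere user mode can reach */
}

/* Can a user-mode read/write reach the page tables through the self-reference? */
int user_can_reach_page_tables(int self_ref_user) {
    uint64_t pa;
    setup(self_ref_user);
    return walk(pml4_self_va(), 1, 1, &pa) == 0;
}

/* The attack the text describes: from user mode, write a PTE into the process's own
   page table pointing at an arbitrary physical frame, then read it with a normal access.
   Returns the value read, or 0 if either step faults. */
uint64_t user_reads_secret(int self_ref_user) {
    uint64_t target_va = 0x1000;             /* an unmapped slot in the process's own PT */
    uint64_t val;
    setup(self_ref_user);
    if (vm_write64(pte_va(target_va), 1, mk_entry(SECRET_FRAME, PTE_P | PTE_RW | PTE_US)))
        return 0;
    if (vm_read64(target_va, 1, &val)) return 0;
    return val;
}

int main(void) {
    printf("PML4 self-map VA:    0x%016llx\n", (unsigned long long)pml4_self_va());
    printf("self-ref supervisor: user reads 0x%016llx\n", (unsigned long long)user_reads_secret(0));
    printf("self-ref user:       user reads 0x%016llx\n", (unsigned long long)user_reads_secret(1));
    return 0;
}
```

The model deliberately omits the Extended Page Tables caveat from Frisk’s quote: under a hypervisor a guest writing its own page tables still only reaches guest-physical memory, which is why the attack stops at the VM boundary when EPT is in use.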
To prove the discovery, Frisk added an exploit for the vulnerability to his PCILeech direct memory access toolkit, in the form of a memory acquisition device. But if you’re trying to test the vulnerability on a Windows 7 or Windows Server 2008 R2 machine updated on March Patch Tuesday, you’re out of luck: Microsoft switched the PML4 permission back to “supervisor” as part of that month’s security fixes.
The flaw first appeared with the January Patch Tuesday update that delivered Microsoft’s Meltdown and Spectre fixes, and Windows 7 (64-bit) and Windows Server 2008 R2 machines that received the February Patch Tuesday updates are vulnerable as well. Windows 10 and Windows 8.1 are not affected.
That said, owners of Windows 7 and Windows Server 2008 R2 machines are encouraged to install the most recent patches distributed in March. Frisk notes that he discovered the vulnerability after Microsoft’s March Patch Tuesday update, and that he has not been able to “correlate the vulnerability to known CVEs or other known issues.”