God Mode discovered in old VIA CPUs

Posted on Monday, Aug 13 2018 @ 11:07 CEST by Thomas De Maesschalck
Over at the Black Hat conference in Las Vegas, a security researcher demonstrated the existence of a hidden backdoor in certain x86 processors from VIA. By sending a command to an undocumented RISC core that manages the main processor, Christopher Domas was able to access a "God Mode" that gives instant root access.

The backdoor was discovered in VIA C3 Nehemiah processors from 2003, which are used in embedded systems and thin clients. The feature was intended for debugging purposes but was accidentally left enabled in shipping parts. Interestingly, the backdoor was discovered by analyzing patents:
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. He found one — US8341419 — that mentioned jumping from ring 3 to ring 0 and protecting the machine from exploits of model-specific registers (MSRs), manufacturer-created commands that are often limited to certain chipsets.

Domas followed the "trail of breadcrumbs," as he put it, from one patent to another and figured out that certain VIA chipsets were covered by the patents. Then he collected many old VIA C3 machines and spent weeks fuzzing code.
Full details at Tom's Hardware.

About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.