The Patch From Meltdown Has Led To A More Critical Vulnerability Of Windows 7×64/2008R2
The patch that closes the vulnerability Meltdown has led to a more critical vulnerability of Windows 7X64 and Windows 2008R2. Vulnerabilities are susceptible to systems updated with patches 2018-01 or 2018-02. Vulnerabilities are not affected by systems not patched since December 2017, or if a cumulative patch 2018-03 is installed on them.
- The Microsoft Meltdown patch opened an even greater security gap in Windows 7/2008, allowing any user application to read content from the operating system kernel and even write data to the kernel’s memory.
Swedish IT security expert Ulf Frisk discovered this vulnerability by working on a PCILeech device designed to carry out direct memory access (DMA) attacks and a dump of the operating system’s protected memory.
According to the expert, the Meltdown fix from Microsoft (for CVE-2017-5754), accidentally turned a bit, which controls access rights for kernel memory.
The user/kernel rights bit was set to the user in PML4 (page 4 of the page map. This made the page tables available to the user mode code in each process. In normal mode, page tables should be accessible only to the kernel itself. In Windows 7, the PML4 state is fixed at position 0x1ED, offset 0xF68 (in Windows 10 this value is random). This means that PML4 will always be displayed at the address: 0xFFFFF6FB7DBED000 in virtual memory.
The values in PML4e 0x0000000062100867 (from the example above) indicates that bits 0, 1, 2 are set, which means that it is available for reading and writing.
PML4 is the base of the 4-tier hierarchy of page tables in memory used by the processor’s memory management module (MMU) to convert virtual process addresses to physical memory addresses in RAM.
This issue has affected only 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft fixed the error by overriding the PML4 permission bit back to its original value in patch 2018-3.
To test your system, you can use the utility pcileech, unloading the memory into a file:
pcileech.exe dump -out memorydump.raw -device totalmeltdown -v -force
For convenience, you can use Dokany, – mount running processes and virtual kernel memory as files and folders. To mount the processes, you must run the following command:
pcileech.exe mount -device totalmeltdown
UPD: PoC exploits to test vulnerability.