If you are a paid subscriber you get extra bits from VirusTotal.
One of which is you can see what files are "parents" of the sample. In this case, there are a bunch of zip files that contain this file, all named Immunity Canvas or similar. Canvas is a pentesting tool where they publish exploits, so I guess he's saying you can attribute it to Immunity.
And yes, VirusTotal lets you download the file if you pay. It's the foundation of the "threat-intelligence" industry :)
> And yes, VirusTotal lets you download the file if you pay
Indeed, so it is critical to never upload any binaries to them that you do not have full permission to redistribute. Nowadays they are very open about the sharing, but in the past this was kind of hidden.
> - To what extent is this fixed by the mitigations which the kernel provides [0] for the Intel bugs? What do I have to add to my kernel command line?
The key part of this post is "In my lab, on a vulnerable Fedora" which means that the author is using an old, known-vulnerable version of Fedora on which to do their testing.
You don't have to do anything other than be running a reasonably modern version of the kernel that gets updates from -stable or from your distro.
BTW, this is a Spectre-v1-style exploit. These are EXTREMELY widespread across lots of processors with conditional branch speculation. It's (relatively) unrelated to the family of things like MDS or Spectre-v2 where microcode updates were issued.
Disclaimer: I work on Linux at Intel, occasionally on mitigation for this stuff.
While I'm sure there are folks that would appreciate the mitigation provided by that package, I'm not sure it provides any mitigation to this _specific_ exploit.
You can do it while using microcode patches and software mitigations or not: it’s a hardening measure because SMT usually shares TLBs and L1s between threads.
No SMT, no sharing of TLBs and L1s (I know that writing it this way is a gross oversimplification).
Certainly an interesting read. Says it was written in 2015, which could explain why it doesn't support modern Ubuntu/Fedora, or maybe it was fixed in recent kernels? Latest kernels I see are from the mid/late 4.x series.
Based on the write up, I suspect you could do the attribution very quickly by downloading the binary (if you’re a VirusTotal subscriber?) and running “strings” on the file.
This is not really in the wild or even the "wild" by any reasonable definition:
1. The exploit isn't by a real attacker. It comes from a pen-testing firm (white hats).
2. It was patched years ago, probably written years ago. Article doesn't say what happens when the kernel is newer than 2018 but presumably, it doesn't work? Spectre is still relevant for programs sandboxing code within themselves like browsers, but for normal patched systems, it doesn't seem to matter.
3. There are still no known cases of real attackers using Spectre, even though we have just seen an attack that Microsoft claimed may have had more than 1000 developers working on it (the SolarWinds supply chain attack). Spectre just doesn't seem like a very interesting way in for attackers compared to other types of vulnerability.
So are the Linux kernel spectre mitigations broken or useless? I thought this was mostly patched away with a combination of microcode updates and kernel workarounds?
The author doesn't explicitly mention turning off the mitigations for testing the exploit, but that might be the case here. The article is certainly vague enough to not know for sure.
> Amusingly, this method is still working on an up to date Linux
This may refer to the whole thing working, or just the KASLR bypass part.
It's not worth it on older CPUs. I turned them off.
I understand browsers already have some protection against them now. I don't see the point in slowing down the entire system, either I trust the apps I have or I don't.
I don't believe a magic packet containing a melted down spectre is going to smash through my router and everything else and turn into skynet on my humble PC.
But you could imagine that an exploit might exist that would defeat the existing countermeasures, and that exploit would probably still be described as a "spectre exploit." So without that explicit context in the article, it's left to the reader to fret over :)
A quick web search shows that a lot of everyday users are interested in turning off mitigations on their machine “to test performance” - both on Linux and Windows 10.
In-the-wild exploits are almost certainly hitting vulnerable machines.
While there are ways to disable mitigation against many of the side-channel issues, this is not one of them. I believe this one is mitigated by the "sbb;and" sequence here:
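The "sbb;and" index-masking hardening referred to above, as an added C example (not the commenter's link and not the kernel's own source): a portable branch-free mask, the x86-64 cmp/sbb form, and a bounds-checked lookup that applies it; the table, function names and sample values are assumptions.

```c
#include <stdio.h>

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Portable form of the idea behind Linux's array_index_mask_nospec(). */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* If index < size, neither index nor (size - 1 - index) has its top bit
     * set, so the OR has top bit 0, the NOT has top bit 1, and the arithmetic
     * shift smears it into all ones. Any out-of-range index makes
     * (size - 1 - index) wrap to a "negative" value, which yields a zero mask. */
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1));
}

#if defined(__x86_64__) && defined(__GNUC__)
/* Same mask via the cmp/sbb sequence: cmp sets CF when index < size,
 * sbb mask,mask then produces 0 - CF, i.e. all ones or zero. */
static inline unsigned long index_mask_nospec_x86(unsigned long index, unsigned long size)
{
    unsigned long mask;
    __asm__ volatile("cmp %1, %2\n\tsbb %0, %0"
                     : "=r"(mask) : "g"(size), "r"(index) : "cc");
    return mask;
}
#endif

/* Constructed sample table (hypothetical data). */
static const unsigned char table[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Bounds-checked read. The branch still provides correctness; the AND with
 * the mask additionally clamps the index used for the load, so a mispredicted
 * branch cannot speculatively read table[index] out of range: any index that
 * fails the check is forced to 0 before the memory access. Returns -1 when
 * the index is rejected, else the table entry. */
int table_read(unsigned long index)
{
    if (index >= sizeof(table))
        return -1;
    index &= index_mask_nospec(index, sizeof(table));
    return table[index];
}

int main(void)
{
    printf("mask(3,8)=%#lx mask(8,8)=%#lx mask(~0,8)=%#lx\n",
           index_mask_nospec(3, 8), index_mask_nospec(8, 8), index_mask_nospec(~0UL, 8));
    printf("table_read(3)=%d table_read(8)=%d\n", table_read(3), table_read(8));
    return 0;
}
```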
Huh? It isn't to me. Can someone clarify on this?
Also:
- To what extent is this fixed by the mitigations which the kernel provides [0] for the Intel bugs? What do I have to add to my kernel command line?
- Where did he get the binary from? VirusTotal doesn't allow arbitrary people to download binaries which someone else uploaded, does it?
[0] https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/i...