Stefan Mileschin

Help you to find God mode

Some older x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU.

Insecurity expert Christopher Domas told the assorted throngs at the Black Hat Briefings conference in Las Vegas that the command ".byte 0x0f, 0x3f" in Linux "isn't supposed to exist, doesn't have a name, and gives you access to root right away.

He dubbed the command "God Mode" we guess it is because it shafts Linux users while they are feeling smug about the failings of propriety tech.

The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges.

Domas' God Mode takes you from the outermost to the innermost ring in four bytes.

"We have direct ring 3 to ring 0 hardware privilege escalation. This has never been done.... It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."

Fortunately, Domas has only found God on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. However, it is possible that such hidden backdoors exist on many other chipsets.

"Some of the VIA C3 x86 processors have God Mode enabled by default. You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless."

https://fudzilla.com/news/46942-anci...dden-backdoors