
Can you get root with only a cigarette lighter? (2024)

This story details a surprisingly effective method to induce DRAM bit-flips using a common piezo-electric cigarette lighter. It showcases how this low-cost hardware hack can lead to local privilege escalation on a Linux system, captivating Hacker News's interest in novel security exploits and deep dives into system internals. The author also speculates on potential future applications, from bypassing anti-cheat to breaking hypervisors.

Score: 4 | Comments: 0 | Highest Rank: #2 | 15h on Front Page
First Seen: Mar 23, 5:00 AM | Last Seen: Mar 23, 7:00 PM

The Lowdown

The author explores the surprising effectiveness of cheap, readily available tools for hardware fault injection. Specifically, a piezo-electric cigarette lighter is shown to reliably induce memory errors by generating electromagnetic pulses near DRAM data lines.

  • Low-Cost Fault Injection: A simple piezo-electric lighter, with an attached antenna wire (a resistor and a wire soldered to a DQ pin on a DDR3 SODIMM), is used to induce bit-flips in DRAM.
  • Reliable Bit-Flips: The method reliably flips the same bit (bit 29 in the author's setup) during memory read/write operations when the lighter is clicked near the antenna.
  • CPython Exploit: A "sandbox escape" exploit for CPython is demonstrated. This involves creating a bytes object containing a fake bytearray structure, then exploiting the bit-flip to corrupt a pointer to the bytes object, making it point to the crafted bytearray. This provides an arbitrary memory read/write primitive, eventually leading to shellcode execution.
  • Linux LPE Strategy: For a local privilege escalation (LPE) on Linux, the strategy leverages memory caching, virtual memory, and page tables.
  • Page Table Corruption: The core LPE involves filling physical memory with level-0 page tables, then glitching a page table entry (PTE) during a page table traversal. This corruption redirects the PTE to point to one of the user-controlled page tables.
  • Arbitrary Physical Memory Access: Gaining R/W access to a page table allows the author to manipulate PTEs, flush the TLB, and ultimately obtain full read/write access to all physical memory.
  • Root Shell Injection: The exploit culminates in finding the physical page of the /usr/bin/su executable, overwriting its first page with a custom ELF payload that spawns a root shell, effectively poisoning the Linux page cache.
  • Practical Implications: The author speculates on potential uses, such as bypassing anti-cheat systems, breaking out of hypervisors, and challenging device integrity checks (e.g., SafetyNet).

This research highlights a novel, accessible approach to hardware fault injection, demonstrating its potential for exploiting fundamental system vulnerabilities in real-world scenarios.
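As an added, defender-side example (not code from the article or its author): a SECDED Hamming(72,64) codec, the scheme ECC DRAM uses, showing that the single-bit flip the attack relies on (bit 29 of a 64-bit word in the author's setup) is corrected transparently, while a two-bit flip is only detected. The pointer-like sample value is constructed.

```python
"""SECDED Hamming(72,64): the ECC scheme that corrects a single DRAM bit-flip."""

# Positions 1..71 that are not powers of two hold the 64 data bits; positions
# 1,2,4,...,64 hold the 7 Hamming check bits. An overall parity bit, stored
# separately, turns single-error correction into SECDED.
DATA_POS = [p for p in range(1, 72) if p & (p - 1)]   # 64 positions
CHECK_POS = [1 << i for i in range(7)]

def _syndrome(code):
    """XOR-fold the covered positions of each check bit; nonzero = error."""
    syn = 0
    for c in CHECK_POS:
        if sum(code >> p & 1 for p in range(1, 72) if p & c) & 1:
            syn |= c
    return syn

def encode(word):
    """Return (codeword, overall_parity) for a 64-bit word."""
    code = sum(1 << p for i, p in enumerate(DATA_POS) if word >> i & 1)
    syn = _syndrome(code)            # check positions are still zero here
    for c in CHECK_POS:
        if syn & c:
            code |= 1 << c
    return code, bin(code).count("1") & 1

def decode(code, overall):
    """Return (word, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    syn = _syndrome(code)
    parity_err = (bin(code).count("1") & 1) != overall
    if syn and parity_err:
        code ^= 1 << syn             # one flip: the syndrome is its position
        status = "corrected"
    elif syn:
        status = "uncorrectable"     # two flips cancel in the overall parity
    else:
        status = "corrected" if parity_err else "ok"   # only parity bit hit
    word = sum(1 << i for i, p in enumerate(DATA_POS) if code >> p & 1)
    return word, status

def flip_and_recover(word, data_bits):
    """Flip the given data-bit indices in the stored codeword, then decode it."""
    code, overall = encode(word)
    for b in data_bits:
        code ^= 1 << DATA_POS[b]
    return decode(code, overall)

if __name__ == "__main__":
    ptr = 0x7F3A1C00B000   # constructed pointer-like value, not from the article
    print(flip_and_recover(ptr, [29]))      # single flip at bit 29: corrected
    print(flip_and_recover(ptr, [29, 3]))   # double flip: uncorrectable
```

Non-ECC DRAM, which most consumer laptops and desktops ship with, performs none of this checking, so the glitched word is consumed as-is.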