
Meltdown patch led to a more critical vulnerability in Windows 7 x64 / Windows Server 2008 R2



The patch that closed the Meltdown vulnerability introduced a more critical vulnerability in Windows 7 x64 and Windows Server 2008 R2. Systems updated with the 2018-01 or 2018-02 patches are affected. Systems that have not been patched since December 2017, or that have the 2018-03 cumulative update installed, are not affected.

Microsoft's Meltdown patch opened an even bigger security hole in Windows 7 / 2008 R2: any user-mode application can read the contents of kernel memory and even write to it.

Swedish IT security expert Ulf Frisk discovered the vulnerability while working on PCILeech, a tool for Direct Memory Access (DMA) attacks and for dumping memory that the operating system protects.

According to Frisk, Microsoft's Meltdown fix (for CVE-2017-5754) accidentally flipped the bit that controls access rights to kernel memory.

The User/Supervisor bit in the PML4 (the fourth-level page map) was set to User. This made the page tables accessible to user-mode code in every process; normally page tables are accessible only to the kernel itself. In Windows 7 the PML4 self-reference entry sits at a fixed index, 0x1ED (byte offset 0xF68 within the PML4 page; in Windows 10 this index is randomized). This means that the PML4 is always mapped at virtual address 0xFFFFF6FB7DBED000.


The PML4 entry value 0x0000000062100867 (from the example above) has bits 0 (Present), 1 (Read/Write) and 2 (User/Supervisor) set, which means the page is present and both readable and writable from user mode.


The PML4 is the root of the 4-level hierarchy of in-memory page tables that the processor's memory management unit (MMU) uses to translate a process's virtual addresses into physical addresses in RAM.
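The arithmetic behind the numbers above, as an added worked example that is not part of the original article and not PCILeech code. It computes the virtual address of the self-mapped PML4 from the self-reference index, decodes the Present / Read-Write / User bits of a page-table entry, and derives the self-map address of the PTE for an arbitrary virtual address. Index 0x1ED and the entry value 0x0000000062100867 are the ones quoted on the page; the function names are my own. The program only does address arithmetic and decoding, so it runs on any machine; it does not touch the real PML4.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry bits (same layout at every level; Intel SDM vol. 3, sec. 4.5). */
#define PTE_P        (1ULL << 0)   /* Present */
#define PTE_RW       (1ULL << 1)   /* Read/Write: 1 = writable */
#define PTE_US       (1ULL << 2)   /* User/Supervisor: 1 = user mode may access */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

/* Windows 7 x64 keeps its PML4 self-reference entry at a fixed index (randomized on Windows 10). */
#define WIN7_SELFREF_INDEX 0x1EDULL

/* Sign-extend bit 47 so the result is a canonical 64-bit virtual address. */
static uint64_t canonical(uint64_t va)
{
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL)
                               : (va & 0x0000FFFFFFFFFFFFULL);
}

/* Byte offset of PML4 entry `idx` inside the 4 KiB PML4 page (8 bytes per entry). */
uint64_t pml4e_offset(uint64_t idx)
{
    return idx * 8;
}

/* Virtual address at which the PML4 page maps itself when entry `idx` points back at
 * the PML4: using the same index at all four levels makes the walk land on the PML4 page. */
uint64_t pml4_self_va(uint64_t idx)
{
    return canonical((idx << 39) | (idx << 30) | (idx << 21) | (idx << 12));
}

/* Virtual address of the 4 KiB-page PTE that maps `target`, reached through the
 * self-reference: the top-level index becomes the self-ref index and the remaining
 * index bits of `target` slide down one level (9 bits); the PT index becomes the
 * entry offset (bits 3..11). */
uint64_t pte_self_va(uint64_t idx, uint64_t target)
{
    return canonical((idx << 39) | ((target >> 9) & 0x0000007FFFFFFFF8ULL));
}

/* True when the entry is present and marked User: user-mode code can read through it. */
bool pte_user_readable(uint64_t e)
{
    return (e & (PTE_P | PTE_US)) == (PTE_P | PTE_US);
}

/* True when user mode can also write through the entry. */
bool pte_user_writable(uint64_t e)
{
    return pte_user_readable(e) && (e & PTE_RW) != 0;
}

/* Physical page-frame address the entry points to. */
uint64_t pte_pfn(uint64_t e)
{
    return e & PTE_PFN_MASK;
}

/* The condition the article describes for Windows 7 x64: the self-reference PML4 entry
 * is present and carries the User bit, so every process can reach its own page tables. */
bool win7_selfmap_exposed(uint64_t selfref_pml4e)
{
    return pte_user_readable(selfref_pml4e);
}

int main(void)
{
    const uint64_t pml4e = 0x0000000062100867ULL;   /* value quoted on the page */
    uint64_t pml4_va = pml4_self_va(WIN7_SELFREF_INDEX);

    printf("PML4 self-map VA   : 0x%016llX\n", (unsigned long long)pml4_va);
    printf("self-ref entry VA  : 0x%016llX\n",
           (unsigned long long)(pml4_va + pml4e_offset(WIN7_SELFREF_INDEX)));
    printf("PTE of PML4 page VA: 0x%016llX\n",
           (unsigned long long)pte_self_va(WIN7_SELFREF_INDEX, pml4_va));
    printf("PML4e 0x%016llX: P=%d RW=%d US=%d PFN=0x%llX -> %s\n",
           (unsigned long long)pml4e, !!(pml4e & PTE_P), !!(pml4e & PTE_RW),
           !!(pml4e & PTE_US), (unsigned long long)pte_pfn(pml4e),
           win7_selfmap_exposed(pml4e) ? "page tables reachable from user mode"
                                       : "supervisor only");
    return 0;
}
```

Two things the output makes visible: the PTE that maps the PML4 page is the self-reference entry itself (0xFFFFF6FB7DBED000 + 0xF68), and because entry 0x1ED points back at the PML4, its PFN (0x62100000 here) is the physical address of the PML4 page, i.e. what CR3 holds for that process. With the User bit set, a user-mode process can reach that entry and every other page-table entry through the same self-map, which is what makes the read/write of kernel memory possible; with the bit cleared (as after the 2018-03 fix) the same access faults.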

The issue affects only the 64-bit versions of Windows 7 and Windows Server 2008 R2 (it was later assigned CVE-2018-1038). Microsoft fixed it in the 2018-03 update by setting the User/Supervisor bit of the PML4 entry back to its original value, Supervisor.

To test your system, you can use the pcileech utility to dump memory to a file:

pcileech.exe dump -out memorydump.raw -device totalmeltdown -v -force

With Dokany installed, pcileech can also mount the running processes and virtual kernel memory as files and folders. To mount them, run:

pcileech.exe mount -device totalmeltdown





UPD: a PoC exploit is available for checking whether a system is vulnerable.

Source: https://habr.com/ru/post/352180/

