Nemesis11
Power Member
Back in early March, a working Spectre exploit for Linux and Windows was uploaded to VirusTotal.
Someone was silly enough to upload a working Spectre (CVE-2017-5753) exploit for Linux (there is also a Windows one with symbols that I didn't look at) on VirusTotal last month, so here is my quick Sunday afternoon lazy analysis.
In the case of /etc/shadow, the default option, the content of the file is shoved in memory by running the following command in the background: return system("echo \"whatever\n\" | su - 2> /dev/null"). In my lab, on a vulnerable Fedora, the exploit is successfully dumping /etc/shadow in a couple of minutes.
https://dustri.org/b/spectre-exploits-in-the-wild.html
A proof of concept in the browser is even more interesting.
EDIT: I just noticed this part.
Google's Leaky.Page PoC is a Spectre V1 gadget: a JavaScript array that is speculatively accessed out of bounds. While the V1 gadget can be mitigated at the software level, Chrome's V8 team determined other gadgets, such as those for Spectre Variant 4, to be "simply infeasible in software" to mitigate.
Wonderful.
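Added example (not part of Nemesis11's post or the dustri.org write-up): since the quoted analysis dumped /etc/shadow on a "vulnerable Fedora", the first thing a defender wants to know is whether their own kernel reports the CPU as mitigated. Linux exposes that in /sys/devices/system/cpu/vulnerabilities/, one file per issue, with values that start with "Not affected", "Mitigation:" or "Vulnerable". The function below reads spectre_v1, spectre_v2 and spec_store_bypass (the Variant 4 mentioned above) and exits non-zero if any of them is vulnerable or unreadable. The optional directory argument exists only so the check can be run against a constructed copy of the sysfs files; the file names and status strings are the ones the Linux kernel actually uses.

```shell
#!/bin/sh
# Added example: report Linux kernel Spectre mitigation status from sysfs.
# Usage: spectre_status [DIR]   (DIR defaults to the real sysfs directory;
# passing another directory is an assumption made only for offline testing)

spectre_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    # spectre_v1 = bounds-check bypass (CVE-2017-5753, the quoted exploit),
    # spectre_v2 = branch target injection, spec_store_bypass = Variant 4.
    for v in spectre_v1 spectre_v2 spec_store_bypass; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            # Old kernels (pre-4.15) have no sysfs entry: treat as unknown.
            printf '%s: unknown (no %s)\n' "$v" "$f"
            rc=1
            continue
        fi
        s=$(cat "$f")
        case "$s" in
            Vulnerable*)
                printf '%s: VULNERABLE (%s)\n' "$v" "$s"
                rc=1 ;;
            "Not affected"*|Mitigation*)
                printf '%s: ok (%s)\n' "$v" "$s" ;;
            *)
                printf '%s: unrecognized (%s)\n' "$v" "$s"
                rc=1 ;;
        esac
    done
    return $rc
}
```

Run it with no argument on a real host; a non-zero exit means at least one of the three entries is missing, unrecognized or reports "Vulnerable", which is the state the quoted exploit relies on.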