The 2012 Pwnie Nominee For Best Privilege Escalation Bug

Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)

Credit: Rafal Wojtczuk

It looks like Intel’s x64 SYSRET instruction operates differently enough from AMD’s x86_64 standard (some people call this “wrong”) that an OS written to the AMD standard running on Intel processors includes a bonus privilege escalation feature. Namely, you can get the kernel (or hypervisor) to handle a SYSRET with a user-specified RSP. What could possibly go wrong?
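The difference that makes this exploitable: on Intel parts, SYSRET faults with #GP while still in ring 0 if the return RIP in RCX is non-canonical, so the fault handler runs on the RSP the user left behind; AMD parts take that fault only after the switch to ring 3. The usual fix is to use SYSRET only when the return address is canonical and fall back to IRET otherwise. The following is an added illustration of that check, not code from the Pwnie page or from Xen; `VA_BITS`, `is_canonical`, `is_canonical_shift` and `choose_return_path` are names chosen here, and 48-bit (4-level paging) virtual addresses are assumed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumption: 4-level paging, so bits 47..63 of a canonical address must
 * all equal bit 47. Adjust VA_BITS to 57 for 5-level paging. */
#define VA_BITS 48

typedef enum { RET_SYSRET, RET_IRET } ret_path_t;

/* true if addr is canonical for VA_BITS-bit virtual addresses:
 * the top (64 - VA_BITS + 1) bits are either all 0 or all 1. */
bool is_canonical(uint64_t addr) {
    uint64_t upper = addr >> (VA_BITS - 1);               /* bits 47..63 */
    uint64_t all1  = (1ULL << (64 - VA_BITS + 1)) - 1;    /* 17 one bits */
    return upper == 0 || upper == all1;
}

/* Same test written the way kernel return paths tend to do it for 48-bit
 * addresses: sign-extend from bit 47 and compare with the original.
 * Relies on arithmetic right shift of a negative int64_t (gcc/clang). */
bool is_canonical_shift(uint64_t addr) {
    int64_t sext = (int64_t)(addr << 16) >> 16;
    return (uint64_t)sext == addr;
}

/* Decide which instruction the return-to-user path may use. A user can
 * set a non-canonical return address (e.g. via a crafted signal frame or
 * a syscall from a non-canonical RIP), so the choice must be made per
 * return, not assumed. IRET checks the address after the stack switch,
 * so faulting there is safe; SYSRET on Intel is not. */
ret_path_t choose_return_path(uint64_t user_rip) {
    return is_canonical(user_rip) ? RET_SYSRET : RET_IRET;
}
```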

Wait, everyone else is vulnerable too? Bonus in your attackers’ favor.