SMM exploit POC code published

As mentioned earlier today, Rafal Wojtczuk and Joanna Rutkowska have published a new paper on using cache poisoning to exploit the Systems Management Mode (SMM) in Intel 386 and above chipsets.

Some interesting snippets:

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".

...Interestingly the very same cache poisoning problem we abuse in our attack against SMM has been identified a few years ago by Intel employees, who even decided to describe it in at least two different patent applications [3] [1]. We haven't been aware of the patents before we discovered the attack — we never thought a vendor might describe weaknesses in its own products and apply for a patent on how to fix them, and still not implement those fixes for a few years2… The patents turned out, however, to be easily "googlable" and it would be surprising that nobody else before us, and Loic Duflot, have created working exploits for this vulnerability.

...We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code3.