Working exploits targeting Linux and Windows systems not patched against a three-year-old vulnerability dubbed Spectre were found by security researcher Julien Voisin on VirusTotal.
The vulnerability was unveiled as a hardware bug in January 2018 by Google Project Zero researchers.
If successfully exploited on vulnerable systems, it can be used by attackers to steal sensitive data, including passwords, documents, and any other data available in privileged memory.
Spectre (CVE-2017-5753) side-channel attacks impact many modern processor models with support for speculative execution and branch prediction made by Intel, AMD, and ARM.
As Google found, Spectre also affects major operating systems, including Windows, Linux, macOS, Android, and ChromeOS.
Since its discovery, the hardware bug has received firmware patches and software fixes from all major processor and OS vendors.
Spectre exploit leaked on VirustTotal
Unprivileged users can use the exploits to dump LM/NT hashes on Windows systems and the Linux /etc/shadow file from the targeted devices’ kernel memory.
The exploit also allows dumping Kerberos tickets that can be used with PsExec for local privilege escalation and lateral movement on Windows systems.
The linked exploits were uploaded on VirusTotal last month as part of a larger package, a Immunity Canvas 7.26 installer for Windows and Linux.
The CANVAS penetration testing tool bundles “hundreds of exploits, an automated exploitation system,” and it also comes with an exploit development framework for creating custom exploits.
The company announced that CANVAS would provide security professionals and penetration testers with access to working Spectre exploits (Windows and Linux) within months after the vulnerability was disclosed.
While OS and CPU vendors have released software and firmware mitigations for affected products since Spectre was disclosed, users who haven’t updated their systems are still exposed to Spectre attacks.
Those running older OS versions on older silicon (2015-era PCs with Haswell or older Intel processors) are probably the most exposed to Spectre attacks.
Microsoft explained that they are most prone to skip applying mitigations due to a more noticeable decrease in system performance after the patch.
As Voisin said, the exploits will break if the machine it’s executed on runs a patched Linux or Windows version.
Adding to that, even if an attacker would get their hands on any of the two exploits, only running them will not get any results as they both have to be executed with the right arguments.
However, even though they can’t immediately be used in attacks on their own, a determined attacker can figure it out with enough effort.