| GhostWrite | |
|---|---|
| Type of Attack | Exploit Kit |
| Date of Initial Activity | 2024 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Linux |
Overview
GhostWrite is a serious hardware vulnerability in the T-Head XuanTie C910 and C920 RISC-V CPUs, which are used in a range of devices from cloud servers to embedded systems. It undermines a key security guarantee of modern computing, the isolation of processes from one another, which ensures that a program cannot access another program’s memory. GhostWrite allows attackers, even those without privileged access, to bypass these protections and directly manipulate physical memory. By exploiting this flaw, attackers can gain full control over a system’s memory and potentially hijack connected hardware devices, posing significant risks to both individual users and organizations that rely on affected hardware.
Targets
Individuals
How they operate
Under normal circumstances, modern operating systems isolate processes from each other by mapping their virtual memory addresses to distinct physical memory locations. This ensures that one process cannot access the memory space of another, providing a layer of security and stability in multi-tasking environments. The T-Head XuanTie CPUs, like most processors, rely on these mechanisms to prevent unauthorized access to sensitive data or control of system resources. However, the vector extension instructions in these processors malfunction by allowing an unprivileged user to write data directly to physical memory. This bypasses the operating system’s controls, essentially giving the attacker unrestricted access to the memory of the entire system.
The exploit works by utilizing these faulty instructions in a deterministic and reliable manner, executing within microseconds. Once triggered, GhostWrite allows the attacker to not only overwrite critical memory areas but also read from any memory location, granting the attacker access to sensitive information, including passwords, encryption keys, and other private data stored in the system’s memory. What makes the attack particularly dangerous is its ability to affect hardware components that rely on memory-mapped input/output (MMIO), such as network cards and storage devices. By manipulating the memory directly, the attacker can hijack these devices, sending malicious commands and gaining control over the system’s peripherals.
The GhostWrite exploit’s ability to manipulate memory extends beyond writing alone. Through a series of modified instructions, the attacker can alter the page tables in memory, which control the mapping of virtual addresses to physical memory locations. By modifying these tables, the attacker effectively gains the ability to read any part of the memory. This capability is demonstrated in proof-of-concept exploits where an attacker uses GhostWrite to leak sensitive information from a system, such as administrator credentials or encryption keys. Once the page tables are manipulated, the attacker can obtain the physical address of any virtual memory space and read its content, even in the presence of secure memory isolation mechanisms like Docker containers or virtual machine sandboxes.
GhostWrite’s technical severity lies in its hardware-based nature. Unlike software vulnerabilities that can often be patched or mitigated through updates, GhostWrite is embedded within the CPU’s architecture, meaning that fixing the flaw would require altering the processor’s design itself. The only temporary mitigation is disabling the entire vector extension, a solution that essentially disables half of the CPU’s functionality, drastically reducing performance and capabilities. As a result, systems relying on the T-Head XuanTie CPUs are left in a difficult position, balancing security with operational efficiency. The vulnerability’s discovery highlights the growing need for rigorous hardware validation and testing, as the attack exploits a fundamental flaw in the processor’s design that bypasses traditional software defenses.
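Because the flaw is tied to specific cores and to the vector extension, the practical defensive task on Linux fleets is inventory: find hosts whose harts report a T-Head C910/C920 microarchitecture with the vector extension still enabled, since those are the ones for which the only mitigation the text describes (disabling the vector extension) has not been applied. The following script is an added example and is not code from the page or from the GhostWrite researchers. It assumes the field layout Linux prints in `/proc/cpuinfo` on RISC-V (`isa`, `uarch`, `hart`, one block per hart, blocks separated by blank lines) and that affected cores show up with a `uarch` value of `thead,c910` or `thead,c920`; both are assumptions, and the sample text is constructed for the example.

```python
import re

# Constructed sample of a RISC-V /proc/cpuinfo. The field layout follows what
# the Linux kernel prints on RISC-V, but the values are made up for this example.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t: 0
isa\t: rv64imafdcv_zicsr_zifencei
mmu\t: sv39
uarch\t: thead,c910

processor\t: 1
hart\t: 1
isa\t: rv64imafdcv_zicsr_zifencei
mmu\t: sv39
uarch\t: thead,c910
"""

# Assumed 'uarch' strings for the cores the page names as affected.
AFFECTED_UARCHS = {"thead,c910", "thead,c920"}


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per hart."""
    harts, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                harts.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        harts.append(current)
    return harts


def isa_extensions(isa):
    """Return the set of extensions named by a RISC-V ISA string.

    'rv64imafdcv_zicsr_zifencei' -> single-letter extensions 'i','m',...,'v'
    plus the underscore-separated multi-letter ones. 'g' is expanded to the
    base set it abbreviates (imafd).
    """
    m = re.match(r"rv(32|64|128)([a-z]*)(?:_(.*))?$", isa.strip().lower())
    if not m:
        raise ValueError(f"unrecognised ISA string: {isa!r}")
    single = set(m.group(2))
    if "g" in single:
        single |= set("imafd")
    multi = set(m.group(3).split("_")) if m.group(3) else set()
    return single | multi


def assess(cpuinfo_text):
    """Flag each hart that is an affected core with the vector extension enabled."""
    findings = []
    for hart in parse_cpuinfo(cpuinfo_text):
        uarch = hart.get("uarch", "").lower()
        exts = isa_extensions(hart.get("isa", "rv64"))
        affected_core = uarch in AFFECTED_UARCHS
        vector_enabled = "v" in exts
        findings.append({
            "hart": hart.get("hart"),
            "uarch": uarch,
            "vector_enabled": vector_enabled,
            # Exposed only when both conditions hold: affected core AND 'v' present.
            "exposed": affected_core and vector_enabled,
        })
    return findings


def assess_live_host(path="/proc/cpuinfo"):
    """Run the assessment against the running host."""
    with open(path) as f:
        return assess(f.read())


if __name__ == "__main__":
    for finding in assess(SAMPLE_CPUINFO):
        status = "EXPOSED" if finding["exposed"] else "ok"
        print(f"hart {finding['hart']}: {finding['uarch'] or '?'} "
              f"vector={finding['vector_enabled']} -> {status}")
```

The result is an inventory signal, not proof of exposure or of mitigation: the `isa` line reflects what the kernel reports, so a hart whose vector support was disabled at the kernel level drops out of the `exposed` set, while a hart on a core the script does not recognise is simply reported as `ok` and should be checked by hand.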
References: