AMD Sinkclose-Universal Ring2 Privilege Escalation
Enrique Nissim, Krzysztof Okupski
DEF CON 32 · Day 1 · Main Stage
This talk, "AMD Sinkclose-Universal Ring2 Privilege Escalation," delivered by Enrique Nissim and Krzysztof Okupski at DEF CON 32, reveals an architectural flaw present in AMD processors for at least 18 years. The presentation details a method for escalating from ring 0 (an attacker who already controls the kernel or a driver) into **System Management Mode (SMM)**, the most privileged execution mode on an x86 system, informally called **ring -2** because it sits below both the OS (ring 0) and the hypervisor (ring -1). The vulnerability, dubbed "Sinkclose," abuses an overlooked control bit in AMD's **TSEG Mask register**, the TClose bit, which redirects SMM data accesses to the TSEG range away from protected SMRAM. Set from ring 0 before an SMI is raised, it causes the SMI handler's own data reads on entry to be served from memory outside SMRAM, where the attacker can control their contents, ultimately leading to arbitrary code execution within SMM. Code running in SMM is invisible to the OS, the hypervisor and endpoint security tooling and can survive a reinstall, and because the flaw is in the platform's SMM protection rather than in any OS component, the mitigation ships as firmware (AGESA) updates from AMD and the OEMs, not as an OS patch.
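As a practical check, the program below decodes the SMM_MASK register the talk revolves around and reports the TSEG configuration, flagging a TClose bit that is set while the OS is running, a state that should never be observed from outside SMM. This is an added example for this page, not code from the talk or its speakers. It assumes the MSR numbers (0xC0010112 SMM_ADDR, 0xC0010113 SMM_MASK) and the bit layout (TValid bit 1, TClose bit 3, TMTypeDram bits 14:12, TSegMask bits 47:17) as documented in the AMD64 Architecture Programmer's Manual, none of which appear on this page, and it assumes Linux's msr driver (/dev/cpu/N/msr, root required) for the live read; the sample values used to exercise the decoder are constructed.

```c
/*
 * Decode AMD's SMM_MASK MSR and flag a TClose bit that is set outside SMM.
 * Added example for this page; not code from the talk or its speakers.
 *
 * ASSUMPTIONS (from the AMD64 APM Vol. 2, "SMM-Mask Register"; not stated on
 * this page, verify against the PPR for your CPU family):
 *   MSR C001_0112h SMM_ADDR : TSegBase in bits 47:17
 *   MSR C001_0113h SMM_MASK : AValid bit 0, TValid bit 1, AClose bit 2, TClose bit 3,
 *                             TMTypeDram bits 14:12, TSegMask bits 47:17
 * The live read uses Linux's msr driver (/dev/cpu/N/msr), which needs root.
 */
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_SMM_ADDR        0xC0010112u
#define MSR_SMM_MASK        0xC0010113u

#define SMM_MASK_TVALID     (1ull << 1)
#define SMM_MASK_TCLOSE     (1ull << 3)
#define SMM_MASK_TMTYPE_SH  12
#define SMM_MASK_TSEG_BITS  0x0000FFFFFFFE0000ull   /* bits 47:17 */
#define PHYS_48_BITS        0x0000FFFFFFFFFFFFull

struct smm_mask {
    bool     tvalid;       /* TSEG range is enabled */
    bool     tclose;       /* SMM data accesses to TSEG are redirected away from SMRAM */
    unsigned tmtype_dram;  /* memory type used for TSEG accesses while in SMM */
    uint64_t tseg_mask;    /* address bits that select the TSEG range */
    uint64_t tseg_size;    /* region size implied by the mask */
};

struct smm_mask decode_smm_mask(uint64_t v)
{
    struct smm_mask m;
    m.tvalid      = (v & SMM_MASK_TVALID) != 0;
    m.tclose      = (v & SMM_MASK_TCLOSE) != 0;
    m.tmtype_dram = (unsigned)((v >> SMM_MASK_TMTYPE_SH) & 0x7);
    m.tseg_mask   = v & SMM_MASK_TSEG_BITS;
    /* Address bits the mask leaves clear are offsets inside TSEG, so the region
     * size is the complement of the mask (within 48-bit physical space) plus one. */
    m.tseg_size   = (~m.tseg_mask & PHYS_48_BITS) + 1;
    return m;
}

/* Seen from the OS, TClose must be clear: only SMI-handler code, running in SMM,
 * legitimately toggles it. TSEG enabled with TClose set is the state Sinkclose creates. */
bool smm_mask_suspicious(uint64_t v)
{
    struct smm_mask m = decode_smm_mask(v);
    return m.tvalid && m.tclose;
}

/* TSEG base from SMM_ADDR, restricted to the bits the mask actually compares. */
uint64_t tseg_base(uint64_t smm_addr, uint64_t smm_mask)
{
    return smm_addr & smm_mask & SMM_MASK_TSEG_BITS;
}

static int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = lseek(fd, (off_t)msr, SEEK_SET) == (off_t)msr &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint64_t mask, addr;
    if (read_msr(0, MSR_SMM_MASK, &mask) != 0 || read_msr(0, MSR_SMM_ADDR, &addr) != 0) {
        fprintf(stderr, "cannot read MSRs: need root, an AMD CPU and the msr module loaded\n");
        return 1;
    }
    struct smm_mask m = decode_smm_mask(mask);
    printf("SMM_MASK=0x%016" PRIx64 " TValid=%d TClose=%d TMTypeDram=%u\n",
           mask, m.tvalid, m.tclose, m.tmtype_dram);
    printf("TSEG base=0x%" PRIx64 " size=0x%" PRIx64 "\n",
           tseg_base(addr, mask), m.tseg_size);
    if (smm_mask_suspicious(mask))
        puts("WARNING: TClose is set outside SMM; SMI handler data reads would leave SMRAM");
    return 0;
}
```

Read the result carefully: a clear TClose bit is not evidence that the firmware is patched, because the attack sets the bit from ring 0 immediately before raising an SMI and the handler runs with it set. The check is useful for inventorying TSEG placement and size across a fleet and for catching a bit that should never be visible in the set state from the OS; whether the platform is actually fixed is answered by the AGESA/firmware version, not by this register.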
AI review
Nissim and Okupski have unearthed a foundational architectural flaw in AMD processors, dormant for nearly two decades, that enables a Ring0 to SMM privilege escalation. The 'Sinkclose' vulnerability, exploiting an unprotected bit in the TSEG Mask register combined with a clever integer overflow during GDT loading, grants full, undetectable control over the system's most privileged execution environment. This isn't just a bug; it's a systemic oversight with profound implications for platform security, making it an absolute must-see for anyone serious about low-level offensive or defensive…