
CPU-Z Validation can be faked/manipulated due to absence of data integrity checks

Over a series of days, many of you and I have been seeing a series of websites putting up CPU-Z screenshot leaks of unreleased processors that show the overclocking potential (on boot, anyway) of the processor, like Haswell, and even of a GTX 700 series card that claims to have DX12 support. But hack tricks have shown that a CPU-Z validation can be hacked and still be approved by the CPU-Z validator. Personally, I already had doubts, and those doubts have grown much stronger after learning that a CPU-Z validation file can be manipulated and approved.

According to the author, the validation information, which can be saved locally, can be exported to either .txt or .html format. While the writer did point out that CPU-Z has a good feature that validates a clock setting using simple math, he also showed with an example that a CPU-Z validation can still be faked, as the validator doesn’t do any data integrity check of the validation file submitted by the user:


Despite the validator’s ability to check for the validity of overclocking speeds, the site does not seem to care about the integrity of the other data.  As you saw early in the post, it was possible to put an HTML link back to this website directly on the CPU-Z page.  In the wrong hands, it is theoretically possible to inject malicious code.  As long as client-side data is imported to the server without any checks, dangers exist.  How was this possible?  When the user clicks validate in CPU-Z, a buffer area 8192 bytes in size is created.  Each hardware specification is written into the buffer in Unicode format.  The entire buffer is then transformed into ASCII format, encrypted, and finally converted to a string to become the cvf format.
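
The server-side checks whose absence is described above, as an added example that is not CPU-Z's code or the original author's: every submitted field is matched against an allow-list pattern, the clock is checked arithmetically, and values are escaped again on output. The field names, the bus × multiplier rule and the tolerance are assumptions, since the page does not document the contents of a .cvf file.

```python
import html
import re

# Hypothetical field names and limits; the real .cvf layout is not given on this page.
FIELD_RULES = {
    "cpu_name":   re.compile(r"[A-Za-z0-9 ()@.\-+/]{1,64}"),
    "bus_mhz":    re.compile(r"\d{1,4}(\.\d{1,2})?"),
    "multiplier": re.compile(r"\d{1,3}(\.\d{1,2})?"),
    "core_mhz":   re.compile(r"\d{1,5}(\.\d{1,2})?"),
}
CLOCK_TOLERANCE_MHZ = 1.0  # assumed rounding slack


def validate_submission(fields):
    """Return a list of problems; an empty list means the record passed."""
    problems = []
    for name, rule in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif not rule.fullmatch(value):
            problems.append(f"{name}: unexpected characters or length")
    unknown = set(fields) - set(FIELD_RULES)
    if unknown:
        problems.append("unknown fields: " + ", ".join(sorted(unknown)))
    if not problems:
        # Assumed form of the "simple math" clock check: core = bus * multiplier.
        expected = float(fields["bus_mhz"]) * float(fields["multiplier"])
        if abs(expected - float(fields["core_mhz"])) > CLOCK_TOLERANCE_MHZ:
            problems.append("core_mhz does not equal bus_mhz * multiplier")
    return problems


def render_row(label, value):
    """Escape on output as well, so a stored value can never become markup."""
    return f"<tr><td>{html.escape(label)}</td><td>{html.escape(value)}</td></tr>"


# Constructed sample records (not taken from a real validation file).
GOOD = {"cpu_name": "Intel Core i7 2600K", "bus_mhz": "100.00",
        "multiplier": "46", "core_mhz": "4600.00"}
MARKUP = dict(GOOD, cpu_name='<a href="https://example.invalid">i7</a>')
BAD_CLOCK = dict(GOOD, core_mhz="7360.00")

if __name__ == "__main__":
    for record in (GOOD, MARKUP, BAD_CLOCK):
        print(validate_submission(record) or "accepted")
```

These checks only constrain format and internal consistency. A record whose numbers agree with each other still passes, so they do not prove that the values came from real hardware.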

It should be noted that CPU-Z version 1.64 is currently available, while the writer demonstrated the issue with 1.63. Version 1.64 came out on April 23rd, 2013, whereas the article was put up on April 28th, 2013. The author contacted the CPU-Z team on May 2nd, 2013 and told them about the issue, and he got a reply on May 4th.

If you look at CPU-Z 1.64’s version history, the release simply provides support for Intel Atom “Cloverview” CPUs, Intel Ivy Bridge-E/EP/EX CPUs and AMD Richland APUs. But CPU-Z did say that they are working to fix the security issue.


In the meantime, the CPU-Z team quickly removed the approved validation link whose data claimed to show a 2600K clocked at 7360MHz.

Source: 1
