Cloud computing has become the service model adopted by most Internet companies: it provides customized hardware resources, applications and services. As the most important technical cornerstone of the cloud computing concept, the virtualization system provides quantized allocation and flexible scheduling of hardware resources, which is what makes cloud services possible. The healthy development of cloud services is therefore inseparable from the stable operation of the virtualization system. 360 Marvel Team will continue to publish a series of articles analysing independently discovered high-risk 0day vulnerabilities in virtualization software, lifting the veil on virtualization attack techniques. On September 29, at the 360 ISC 2015 conference, team security researcher Tang Qinghao will give a talk on vulnerability mining techniques for cloud virtualization systems and will share the core techniques used for vulnerability mining. This article is the second in the series and gives a detailed analysis of CVE-2015-5279, a heap overflow vulnerability in the qemu NIC emulation. The first article analysed CVE-2015-6815.

I. Vulnerability basics

CVE-2015-5279 is a heap overflow vulnerability in the rtl8029 network card device of the qemu virtualization environment. So what is qemu? What is the relationship between qemu and KVM virtualization? What kind of device is the rtl8029 network card? These questions are answered one by one below.

QEMU is a processor emulator that provides both user-mode emulation and system-mode emulation. In user-mode emulation, dynamic translation lets a process built for one CPU run on another CPU. In system-mode emulation, a complete PC system, the processor together with its peripheral devices, is emulated.
The peripherals emulated by qemu include a VGA graphics adapter, a PS/2 mouse and keyboard, IDE hard disk and CD-ROM interfaces, and floppy disk emulation. They also include an E2000 PCI network adapter, a serial port, a large number of sound cards, and a PCI UHCI USB controller with a virtual USB hub. Besides emulating a standard PC or an ISA PC without a PCI bus, QEMU can emulate other non-PC hardware, such as the ARM Versatile baseboard using the 926E and the Malta MIPS board. It also works for a variety of other platforms, including the Power Macintosh G3 (Blue & White) and the Sun-4u platform.

Figure 1. Peripheral devices that qemu can emulate

KVM is a bare-metal virtualization solution that depends on hardware virtualization technology (Intel VT or AMD-V) and uses the Linux kernel as its hypervisor. KVM virtualization support has been part of the mainline Linux kernel by default since version 2.6.20. KVM supports a very broad range of guest operating systems, including Linux, BSD, Solaris, Windows, Haiku, ReactOS and the AROS Research Operating System. In the KVM architecture, a virtual machine is implemented as an ordinary Linux process scheduled by the standard Linux scheduler; in fact, each virtual CPU appears as an ordinary Linux process. This lets KVM benefit from all the features of the Linux kernel. Device emulation is provided by a modified version of qemu.

Having covered the principles of kvm and qemu and the relationship between them, we now turn to the rtl8029 network card device, shown in the figure. What needs to be known here is that in qemu the module that emulates the rtl8029 NIC device is ne2000.
ne2000 emulates the packet send and receive process of the rtl8029 network card. Logically it sits between the virtual machine's device driver and qemu's network adapter modules on the host. When the virtual machine's user space performs a socket send, the device driver hands the encapsulated data to the ne2000 device emulator, which passes it on to qemu's adapter modules, and the data is then sent out through the host machine's physical network card. Receiving data is the reverse process.

Figure 2. Physical photo of an rtl8029 network card

II. Analysis of the vulnerability principle

The first part briefly covered kvm, qemu and the ne2000 card module, the basics needed to understand the principle of the vulnerability; we now analyse the specific cause of CVE-2015-5279. The vulnerability occurs in the packet receive process of the ne2000 network card module; the relevant code screenshot is shown below. This code is taken from the ne2000_receive function in the file qemu-2.4.0/hw/net/ne2000.c. ne2000_receive is the key function through which the virtual machine receives an external data packet. Its rough flow is:

1. Determine whether the card is in working state and whether the data buffer is full;
2. Decide whether to accept the packet by checking whether the card is in promiscuous mode, whether the MAC address matches, and whether the destination is the broadcast address;
3. If the buffer is too small, extend it;
4. Enter the packet handling process shown in the code below: process the packet header, then write the packet content;
5. Finish the packet receive process, as shown in the code below.

Figure 3. Defective code

Before the packet receive code is entered, s->curpag, s->stop and s->start can be set by an attacker to any value.
Therefore, in step 4 of the flow above, the key variables index, avail and len can also be set to controlled values. What attacks can a hacker mount with this? The first is a logic loop: once the while loop is entered, len can be kept constantly equal to 0, so the statement "size -= len;" never decreases size, the condition "while (size > 0)" always holds, and the loop never terminates. The second is a heap buffer overflow when the statement "memcpy(s->mem + index, buf, len);" executes: because index is manipulated, the packet content is written outside the buffer. To reach this, the first step of the packet receive process, i.e. the determination of the buffer boundaries, must be controlled. The related code screenshot is shown below.

Figure 4. Key code that needs attention

III. Vulnerability hazard

CVE-2015-5279 is classified as a high-risk vulnerability by the official qemu security team. Once exploited maliciously, it allows denial of service attacks and virtual machine escape. After successfully exploiting the vulnerability, a hacker can control the host machine and the other virtual machines on it, with the dire consequences of sensitive corporate information leakage and network penetration.
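The two failure modes described in section II, the endless loop and the out-of-bounds memcpy, modelled in a small ring-buffer simulation added here; this is not code from the page or from qemu, and MEM_SIZE, NicModel, set_ring, receive_model and scenario are this model's own names. The unchecked path reports where the original loop would spin or write past s->mem, while the hardened path rejects or clamps the guest-controlled ring registers in the spirit of the upstream fix (an assumption about its shape, not a copy of it).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   (32 * 1024)  /* device memory size chosen for this model */
#define PAGE_SHIFT 8            /* page registers count 256-byte pages */
typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint32_t start, stop, curpag;  /* ring registers the guest programs */
} NicModel;
/* Guest programs the ring registers. Hardened: reject a ring that would extend past
 * device memory. Unchecked: accept any value, as the code did before the fix. */
static int set_ring(NicModel *s, uint32_t start_pg, uint32_t stop_pg, uint32_t cur_pg, int hardened)
{
    if (hardened && ((start_pg << PAGE_SHIFT) > MEM_SIZE || (stop_pg << PAGE_SHIFT) > MEM_SIZE))
        return -1;
    s->start = start_pg << PAGE_SHIFT;
    s->stop = stop_pg << PAGE_SHIFT;
    s->curpag = cur_pg;
    return 0;
}
/* Model of the copy loop in ne2000_receive. Returns bytes copied, -1 where the
 * unchecked code would memcpy past s->mem, -2 where it would loop forever. */
static long receive_model(NicModel *s, const uint8_t *buf, size_t size, int hardened)
{
    uint32_t index = s->curpag << PAGE_SHIFT;
    long copied = 0;
    if (hardened && index >= MEM_SIZE) index = s->start;  /* clamp a current page outside memory */
    while (size > 0) {
        uint32_t avail = (index <= s->stop) ? s->stop - index : 0;
        uint32_t len = size < avail ? (uint32_t)size : avail;
        if (len == 0) return hardened ? copied : -2;      /* size would never shrink */
        if ((size_t)index + len > MEM_SIZE) return -1;    /* the heap overflow point */
        memcpy(s->mem + index, buf, len);
        index += len; buf += len; size -= len; copied += len;
        if (index == s->stop) index = s->start;           /* wrap around the ring */
    }
    return copied;
}
/* Program the ring, then deliver one constructed packet of pkt_len bytes of 0x41.
 * Returns the receive code, or -3 if the hardened register check rejected the ring. */
static long scenario(uint32_t start_pg, uint32_t stop_pg, uint32_t cur_pg, size_t pkt_len, int hardened)
{
    static NicModel s;
    static uint8_t pkt[2048];
    memset(&s, 0, sizeof s); memset(pkt, 0x41, sizeof pkt);
    if (set_ring(&s, start_pg, stop_pg, cur_pg, hardened) < 0) return -3;
    return receive_model(&s, pkt, pkt_len, hardened);
}
```

A sane ring (pages 0x40 to 0x80, current page 0x40) copies a 1500-byte packet on both paths; a ring whose stop page lies past device memory is accepted by the unchecked path and reaches the overflow point, but is rejected at register write time by the hardened path.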