Recently Amazon, Alibaba Cloud and other cloud providers received a vulnerability notification email from the Xen project, in which Xen stated that MarvelTeam had found and reported a high-risk vulnerability. Today's protagonist is that vulnerability, CVE-2015-7504, a high-risk virtualization security vulnerability that affects both the KVM and the Xen platforms.

2015 is the first year of the outbreak of cloud computing virtualization security issues. After the VENOM vulnerability raged around the world, high-risk vulnerabilities kept being found in the KVM, Xen and VMware platforms. These vulnerabilities threaten the stable operation of cloud computing systems: attackers can use them to damage or take control of the host machine from inside a virtual machine, and from there threaten the internal network in which the cloud computing system is located.

This article is the third in the series. It gives a detailed analysis of CVE-2015-7504, the QEMU pcnet network card buffer overflow vulnerability our team filed on September 22, and the related background knowledge. Compared with the vulnerabilities we disclosed before, the location of this overflow is very exquisite: it easily lets an attacker control the code flow, making it a gold-standard security vulnerability. We also want to complain a little about the QEMU project's processing efficiency: the vulnerability took 2 months and 7 days to go from submission to formal publication. For such a high-risk vulnerability, the odds that during such a long period it was used by hackers to attack cloud computing systems, or was leaked, are great!

The links to the previous two articles are as follows: 1 2

I. What is pcnet

The QEMU software implements emulation of a large number of network cards, such as pcnet, rtl8139, ne2000, eepro100 and e1000, so that its components meet the various network card needs of virtual machine users.
Many network card related vulnerabilities have been found before, such as the e1000 network card vulnerability we found earlier, which was a code problem in the packet receiving process. pcnet is the component of the virtualization software QEMU that emulates the AMD PCNET network card; the relevant code is located in hw/net/pcnet.c. To use the pcnet card in QEMU, you configure it with the following command line:

qemu-system-x86_64 centos-6.5-x64.img -m 1024 -net nic,model=pcnet -net user

II. Vulnerability principle analysis

Having covered the basics of pcnet, let us talk about the principle of CVE-2015-7504. We already said that the exploit can directly control the code execution path; how does it do that? First let us look at how the vulnerability is triggered. It occurs in the packet receiving process of the pcnet network card module. The execution logic of the relevant function, pcnet_receive, is as follows: first check CSR_DRX(s), CSR_STOP(s), CSR_SPND(s), size, CSR_LOOP(s) and s->looptest against the boundary requirements, to decide whether the function continues processing. If buf is too small, it is expanded to MIN_BUF_SIZE, and then the code checks whether to accept the packet. Finally the data is copied to the physical address in the rmd. A screenshot of the related code is as follows:

Figure 1. Defective code

In the above code we can see an obvious mistake by the programmer in the logic that operates on the packet buffer: it does not check whether the packet length is already equal to the buffer length. In addition, another function in pcnet.c, pcnet_transmit, also processes the buffer position and the packet data length. The screenshot is as follows:

Figure 2.
Buffer-related processing in the pcnet_transmit function

If the packet length approaches the length of the buffer (4096), a buffer overflow happens, because the code logic automatically appends the 4-byte CRC value. Coincidentally, the four bytes immediately after the overflowed buffer happen to hold a structure pointer, as shown:

Figure 3. The structure that contains the buffer

Figure 4. The qemu_irq structure

Once the overflow occurs, the code flow proceeds into the pcnet_update_irq function, which through several layers of calls finally uses irq->handler as a function pointer! Since the irq struct pointer is under our control, this completes the hijacking of the code logic.

Figure 5. Code logic of pcnet_update_irq

III. Vulnerability hazards & exploit demo

CVE-2015-7504 was defined as a high-risk vulnerability by the official security teams of the Xen and QEMU communities. Once used maliciously by hackers, it can achieve a virtual machine escape attack. After successfully exploiting the vulnerability to launch an attack, the hacker can control the host machine to execute arbitrary instructions; the consequences are very terrible.

Figure 6. The Xen project's response, describing the vulnerability and its hazards

In a demo environment on a 64-bit CentOS system, the Marvel Team completed a perfect exploit of the vulnerability. In this video, the hacker uses the vulnerability to implement a proxy function from inside the virtual machine, takes control of the host machine on which the virtual machine runs, and executes arbitrary commands on the host. Watch the video (access password 5299)

IV. Vulnerability solution

With MarvelTeam's help, the Xen project provided a repair patch for the vulnerability. The screenshot is as follows:

Figure 7. The official patch information

In the patch file, the buffer handling of both the pcnet_receive and pcnet_transmit functions is amended, perfectly fixing the vulnerability that existed before.
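The following is an added illustration and is not code from this article, from QEMU or from the official patch. It models, in plain C, the defect the article describes: a bounds check that only rejects frames strictly larger than the 4096-byte buffer, so a frame of exactly 4096 bytes passes and the 4-byte CRC appended afterwards lands on the pointer that follows the buffer. The struct layout, the function names and the sample frame are hypothetical constructions for this example; the exact wording of QEMU's real check and of the patch is not reproduced here. Nothing in the example performs the out-of-bounds write; it only computes where each check would let a write end, and the safe path stores data only after the corrected check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants taken from the article: a 4096-byte packet buffer, and a 4-byte
 * CRC that the emulated card appends to a received frame. */
#define PCNET_BUF_SIZE 4096u
#define CRC_LEN        4u

/* Hypothetical model of the device state described in the article: the
 * packet buffer, followed in memory by a pointer (the article describes a
 * qemu_irq pointer sitting right after the buffer). Not QEMU's real struct. */
struct pcnet_model {
    uint8_t buffer[PCNET_BUF_SIZE];
    void   *irq;
};

/* The defective check as the article describes it: a frame is rejected only
 * when it is strictly larger than the buffer, so a frame of exactly 4096
 * bytes is accepted and the 4-byte CRC written after it spills past the end.
 * Returns the offset one past the last byte that would be written, or -1 if
 * the frame is rejected. Nothing is written; this only reasons about bounds. */
long receive_end_vulnerable(size_t frame_len) {
    if (frame_len > PCNET_BUF_SIZE) {
        return -1;
    }
    return (long)(frame_len + CRC_LEN);
}

/* The corrected check: account for the trailer before accepting the frame.
 * Written as a subtraction on the constant side so that a huge frame_len
 * cannot wrap around in an addition. */
long receive_end_fixed(size_t frame_len) {
    if (frame_len > PCNET_BUF_SIZE - CRC_LEN) {
        return -1;
    }
    return (long)(frame_len + CRC_LEN);
}

/* True if a write ending at end_offset would reach the pointer that follows
 * the buffer in the model above. */
bool write_reaches_irq(long end_offset) {
    if (end_offset < 0) {
        return false;
    }
    return (size_t)end_offset > offsetof(struct pcnet_model, irq);
}

/* Performs the receive the safe way: copy the frame and append the CRC only
 * after the corrected check has passed. Returns the number of bytes stored in
 * the buffer, or -1 if the frame was rejected. crc is a caller-supplied
 * 4-byte trailer (constructed by the caller; no real CRC is computed here). */
long safe_receive(struct pcnet_model *dev, const uint8_t *frame,
                  size_t frame_len, const uint8_t crc[CRC_LEN]) {
    long end = receive_end_fixed(frame_len);
    if (end < 0) {
        return -1;
    }
    memcpy(dev->buffer, frame, frame_len);
    memcpy(dev->buffer + frame_len, crc, CRC_LEN);
    return end;
}

/* Runs both checks on the boundary case (a frame exactly as long as the
 * buffer) and the safe path on the largest frame it accepts. Returns true when
 * the vulnerable check lets the write reach the pointer, the fixed check does
 * not, and the safe path fills the buffer without touching the pointer. */
bool boundary_demo(void) {
    struct pcnet_model dev;
    uint8_t frame[PCNET_BUF_SIZE];        /* constructed sample frame */
    uint8_t crc[CRC_LEN] = {1, 2, 3, 4};  /* constructed trailer bytes */
    void *sentinel = (void *)0x1234;      /* marker to detect clobbering */

    memset(frame, 0xAB, sizeof frame);
    memset(&dev, 0, sizeof dev);
    dev.irq = sentinel;

    bool vuln_hits  = write_reaches_irq(receive_end_vulnerable(PCNET_BUF_SIZE));
    bool fixed_hits = write_reaches_irq(receive_end_fixed(PCNET_BUF_SIZE));

    /* The largest frame the fixed path accepts fills the buffer exactly. */
    long stored = safe_receive(&dev, frame, PCNET_BUF_SIZE - CRC_LEN, crc);

    return vuln_hits && !fixed_hits && stored == (long)PCNET_BUF_SIZE
           && dev.irq == sentinel;
}
```

The point of the model is the arithmetic of the check, not the memory layout: any bounds test that compares only the payload length against the buffer size, and then appends a trailer, accepts exactly the lengths that overrun by the trailer's size. A reviewer looking at similar emulated-device code should ask what is written after the copied payload and whether the check already includes it.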
Summary: for the virtualization security vulnerability CVE-2015-7504, this article has completed an analysis of the vulnerability's principle, hazards and repair solution. In the exploit video, Marvel Team demonstrates the whole process of a hacker taking control of the host machine. We hope this article may cause more cloud service providers to take virtualization security seriously.