3 6 0 Marvel Team virtualization vulnerabilities the fourth bomb: CVE-2 0 1 5-8 5 6 7 vulnerability analysis-vulnerability warning-the black bar safety net

2016-01-02T00:00:00
ID MYHACK58:62201670620
Type myhack58
Reporter 佚名
Modified 2016-01-02T00:00:00

Description

2 0 1 5 years is“the cloud leap”year, is also a virtualization vulnerability really is people cognition, attention of a year, unwilling to“like the wind”3 6 0 Marvel Team take the initiative, with practical actions for cloud computing escort. As of today, we accumulated in kvm, xen, vmware platform open by up to 1 4 gold high-risk security 0day vulnerabilities, these vulnerabilities will lead to a General purpose cloud system was hacked. Today, the government, enterprises, individuals have more and more data and information on the cloud storage, once the cloud system is compromised, it means that these important information will be leaked. Hackers use virtualization vulnerabilities can not only steal important information, even from a virtual machine of the normal user-initiated attack the control host, ultimately control the entire cloud environment of all users. This article is the series of the fourth article, is also this year's wrap up, the article will be a detailed analysis of the number of CVE-2 0 1 5-8 5 6 7 qemu memory leak vulnerability, the vulnerability exists in xen and kvm system qemu module vmxnet3 NIC components, a hacker in a virtual machine using the vulnerabilities that can lead to the same host machine on the other virtual machine to crash. 3 6 0 Marvel Team in the 1 0 on 2 2 filed the bug, the official on 1 2 on 1 6 discloses a number of vulnerability information and the repair patch. 1, on qemu and vmxnet3 QEMU is a present in xen and kvm system to achieve device simulation software, it implements in a virtual machine using the keyboard, network communication, disk storage, and many other hardware equipment involved in the function, and can simulate the Hardware Device Type of the very rich, as it provides a 1 0 two or more types of devices the network card device Analog components, including the pcnet and rtl8139 and ne2000, the eepro100 and e1000. vmxnet3 components to simulate the vmware paravirtualized network card functions. You can use the following command to start with vmxnet3 network card Analog functions of the virtual machine: qemu-system-x86_64-m 2 0 4 8-enable-kvm-device vmxnet3 centos-6.5-x64. img 2, the CVE-2 0 1 5-8 5 6 7 vulnerability principle analysis We first to analyze the emergence of CVE-2 0 1 5-8 5 6 7 the vulnerable code is in qemu-2.4.0/hw/net/vmxnet3. c vmxnet3_handle_command function. The function will be based on the cmd value is performed for the network card to a different operation, such as the cmd value is equal to VMXNET3_CMD_ACTIVATE_DEV, will enter the vmxnet3_activate_device the execution of the function activating apparatus of the related logic. ! Figure 1. vmxnet3_handle_command a function of the portion of the content When the logic into the vmxnet3_activate_device function, in accordance with the following 3 stages to achieve the network card device activation: (1)According to the configuration information, client type and other conditions to set the device operation data, such as sending the number of queues, the Receive queue number; (2)According to the transmission queue number, the initialization of the transmission queue buffer; according to the initialization of the queue in the process to calculate the max_tx_frags value is initialized to send data packets; (3)the initialization of the received data packet; initialize the Receive queue buffer. vmxnet3_activate_device function code screenshot is as follows: ! Figure 2. vmxnet3_activate_device a function of the portion of the content In Phase 2, The use of vmxnet_tx_pkt_init function initializes the transmission data packet, and in the function use g_malloc assigned a length of max_frags + VMXNET_TX_PKT_PL_START_FRAG memory space. The relevant code is shown below: ! Figure 3. vmxnet_tx_pkt_init a function of the portion of the content In the entire“activation”logic, the lack of equipment the current state of the judgment, and therefore there are multiple“Active”risk. In simple terms, the vmxnet3_activate_device function at the end of the Set A s->device_active the value is true, however throughout the function and is not checked s->device_active whether the value already is true, the attacker can continue through the control card to enter the“active”logic, so that multiple calls to g_malloc function to allocate memory until the host system memory depletion. 3, the vulnerability hazards&exploit the programme Official on CVE-2 0 1 5-8 5 6 7 vulnerability to the hazards described as: virtual machine authorized to the user to exploit the vulnerability can leak host memory, cause a denial of service. The information of the link address is: https://access.redhat.com/security/cve/cve-2015-8567 ! Figure 4. The official publication of the vulnerability described 3 6 0 Marvel Team in the discovery of the vulnerability after the completion of the test environment in the exploit program. In the test environment, with multiple virtual machines running on a host machine, a hacker located in one of the virtual machines, when a hacker runs the exploit program, after about 4 0 Minutes of time, more than one virtual machine crashes. Here is the final result of the screenshot is as follows: ! Figure 5. Exploit the results of the screenshot 4, bug fixes Manufacturers can use the patch way to patch the vulnerability. Official provides complete for CVE-2 0 1 5-8 5 6 7 vulnerability patch, the link is: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html the. Which increases the previously mentioned s->device_active value of the judge the screenshots. ! Figure 6. The official publication of the vulnerability the patch section screenshots 5, the summary: For 3 6 0 Marvel Team independently found the virtualization security vulnerability CVE-2 0 1 5-8 5 6 7, This article complete the analysis of the vulnerability of the relevant principles, the use of the program, hazard explanation, and repair solutions. Hope this article may be caused by more use of public cloud and private cloud business concerns, the importance of virtualization security.

2 0 1 5 years is“the cloud leap”year, is also a virtualization vulnerability really is people cognition, attention of a year, unwilling to“like the wind”3 6 0 Marvel Team take the initiative, with practical actions for cloud computing escort. As of today, we accumulated in kvm, xen, vmware platform open by up to 1 4 gold high-risk security 0day vulnerabilities, these vulnerabilities will lead to a General purpose cloud system was hacked.

[1] [2] next