myhack58 / Anonymous (佚名) / MYHACK58:62201892036
History: Nov 14, 2018 - 12:00 a.m.

VirtualBox VMSVGA multiple virtual machine escape vulnerability analysis - vulnerability warning - the black bar safety net

2018-11-14 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS3: 7.3 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
EPSS Percentile: 35.5%

VirtualBox emulates the VMware virtual SVGA device, whose interface details and programming model are publicly available online. The paper on VMware's hosted I/O architecture for GPU virtualization gives a very good description of the VMware SVGA device architecture. In addition, Kostya Kortchinsky's CLOUDBURST - VMware Guest to Host Escape Story describes in detail how vulnerabilities in the VMware SVGA device were used for VM escape.
Oracle's January 2015 Critical Patch Update fixed a range of issues in the VMSVGA device: CVE-2014-6595, CVE-2014-6588, CVE-2014-6589, CVE-2014-6590 and CVE-2015-0427. The article on attacking hypervisors through hardware emulation provides some details of the VirtualBox VMSVGA vulnerabilities.
It is worth noting that, because the VMSVGA device is not enabled by default, the number of affected users may be very limited. However, users can enable this feature by following the instructions in the VBoxManage documentation:
VBoxManage modifyvm VMNAME --graphicscontroller vmsvga
Oracle's July 2017 and October 2017 Critical Patch Updates fixed the VMSVGA vulnerabilities CVE-2017-10210, CVE-2017-10236, CVE-2017-10239, CVE-2017-10240, CVE-2017-10392, CVE-2017-10407 and CVE-2017-10408; these vulnerabilities were found and reported by me. In addition, Li Qiang of the 360 Gear Team also independently discovered CVE-2017-10210, CVE-2017-10236, CVE-2017-10239 and CVE-2017-10240 at the same time. This blog post details some of the issues and demonstrates how these vulnerabilities can be used for virtual machine escape.
We analyzed VirtualBox version 5.1.22 on macOS. The Linux build of VirtualBox does not support the VMSVGA 3D function; it is only available on Windows and macOS.
vmsvga3dSurfaceDefine() in DevVGA-SVGA3d.cpp has an integer overflow vulnerability when validating face[0].numMipLevels (CVE-2017-10210):
int vmsvga3dSurfaceDefine(PVGASTATE pThis, uint32_t sid, uint32_t surfaceFlags, SVGA3dSurfaceFormat format,
                          SVGA3dSurfaceFace face[SVGA3D_MAX_SURFACE_FACES], uint32_t multisampleCount,
                          SVGA3dTextureFilter autogenFilter, uint32_t cMipLevels, SVGA3dSize *paMipLevelSizes)
{
    . . .
    /* cFaces must be 6 for a cubemap, and 1 otherwise. */
    AssertReturn(cFaces == (uint32_t)((surfaceFlags & SVGA3D_SURFACE_CUBEMAP) ? 6 : 1), VERR_INVALID_PARAMETER);
    /* The product is computed in 32 bits and can wrap around (CVE-2017-10210). */
    AssertReturn(cMipLevels == cFaces * face[0].numMipLevels, VERR_INVALID_PARAMETER);
    . . .
}
By setting the SVGA3D_SURFACE_CUBEMAP surface flag, the value of cFaces can be set to 6. face[0].numMipLevels can then be chosen so that the calculation cFaces * face[0].numMipLevels wraps around. cMipLevels depends on the number of SVGA3dSize structures passed with the SVGA_3D_CMD_SURFACE_DEFINE command, e.g. 2 == 6 * 0x2aaaaaab in 32-bit arithmetic.
The face[0].numMipLevels value is then used by a number of other commands, and this is what causes the memory corruption. The CVE-2017-10210 PoC uses the SVGA_3D_CMD_SURFACE_DESTROY command to demonstrate the memory corruption, which ultimately results in an invalid free().
int vmsvga3dSurfaceDestroy(PVGASTATE pThis, uint32_t sid)
{
    . . .
    if (pSurface->pMipmapLevels)
    {
        for (uint32_t face = 0; face < pSurface->cFaces; face++)
        {
            for (uint32_t i = 0; i < pSurface->faces[face].numMipLevels; i++)
            {
                /* idx is derived from the overflowed numMipLevels and is not bounded by the allocation size. */
                uint32_t idx = i + face * pSurface->faces[0].numMipLevels;
                if (pSurface->pMipmapLevels[idx].pSurfaceData)
                    RTMemFree(pSurface->pMipmapLevels[idx].pSurfaceData);
            }
        }
        RTMemFree(pSurface->pMipmapLevels);
    }
    . . .
}
renorobert@ubuntu:~/virtualbox-vmsvga-bugs/CVE-2017-10210$ sudo ./poc
[sudo] password for renorobert:
poc: [+] Triggering the integer overflow using SVGA_3D_CMD_SURFACE_DEFINE...
poc: [+] Triggering the crash using SVGA_3D_CMD_SURFACE_DESTROY...
[lldbinit] process attach --pid 57984
[-] warning: get_frame() failed. Is the target binary started?
Process 57984 stopped

* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00007fff5f9ae20a libsystem_kernel.dylib`mach_msg_trap + 10
Target 0: (VirtualBoxVM) stopped.
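To make the arithmetic of CVE-2017-10210 concrete, the following is an added example written for this page; it is not VirtualBox's code and not from the original article. It models the surfaceDefine validation as shown above (a 32-bit product that wraps), a hardened form of the same check, and the index arithmetic of the surfaceDestroy loop, so that a reader can see why cMipLevels == 2 passes validation with cFaces == 6 and numMipLevels == 0x2aaaaaab, and how far the destroy loop then walks past the allocated entries. The flag value SVGA3D_SURFACE_CUBEMAP_FLAG, the bound MAX_MIP_LEVELS and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag bit; the real value lives in VirtualBox's SVGA headers. */
#define SVGA3D_SURFACE_CUBEMAP_FLAG 0x1u
/* Assumed upper bound on mip levels used by the hardened check. */
#define MAX_MIP_LEVELS 32u

/* The check as the page shows it: cFaces * numMipLevels0 is a 32-bit product
 * and wraps modulo 2^32, so a huge numMipLevels0 can match a tiny cMipLevels. */
bool define_check_vulnerable(uint32_t surfaceFlags, uint32_t cFaces,
                             uint32_t numMipLevels0, uint32_t cMipLevels)
{
    uint32_t expectedFaces = (surfaceFlags & SVGA3D_SURFACE_CUBEMAP_FLAG) ? 6u : 1u;
    if (cFaces != expectedFaces)
        return false;
    return cMipLevels == cFaces * numMipLevels0;   /* wraps */
}

/* Hardened form: bound the guest-supplied count before any arithmetic and
 * compare a 64-bit product, so no wrap can make the equality hold. */
bool define_check_hardened(uint32_t surfaceFlags, uint32_t cFaces,
                           uint32_t numMipLevels0, uint32_t cMipLevels)
{
    uint32_t expectedFaces = (surfaceFlags & SVGA3D_SURFACE_CUBEMAP_FLAG) ? 6u : 1u;
    if (cFaces != expectedFaces)
        return false;
    if (numMipLevels0 == 0 || numMipLevels0 > MAX_MIP_LEVELS)
        return false;
    uint64_t product = (uint64_t)cFaces * numMipLevels0;
    return product == cMipLevels;
}

/* Mirrors the destroy loop's idx = i + face * numMipLevels0 (32-bit, as in the
 * device code) and reports the first idx outside the cMipLevels entries that
 * would actually have been allocated. Returns UINT64_MAX if every visited idx
 * is in range; maxIterations keeps the walk cheap for huge numMipLevels0. */
uint64_t destroy_first_oob_index(uint32_t cFaces, uint32_t numMipLevels0,
                                 uint32_t cMipLevels, uint64_t maxIterations)
{
    uint64_t visited = 0;
    for (uint32_t face = 0; face < cFaces; face++) {
        for (uint32_t i = 0; i < numMipLevels0; i++) {
            uint32_t idx = i + face * numMipLevels0;
            if (idx >= cMipLevels)
                return idx;          /* first access past the allocation */
            if (++visited >= maxIterations)
                return UINT64_MAX;
        }
    }
    return UINT64_MAX;
}

int main(void)
{
    /* Constructed values from the page: 6 faces, 0x2aaaaaab levels, 2 sizes passed. */
    uint32_t crafted = 0x2aaaaaabu;
    printf("vulnerable check accepts crafted cubemap: %d\n",
           define_check_vulnerable(SVGA3D_SURFACE_CUBEMAP_FLAG, 6, crafted, 2));
    printf("hardened check accepts crafted cubemap:   %d\n",
           define_check_hardened(SVGA3D_SURFACE_CUBEMAP_FLAG, 6, crafted, 2));
    printf("first out-of-bounds index in destroy loop: %llu\n",
           (unsigned long long)destroy_first_oob_index(6, crafted, 2, 1000));
    printf("benign cubemap (6 faces x 3 levels, 18 sizes) passes hardened check: %d\n",
           define_check_hardened(SVGA3D_SURFACE_CUBEMAP_FLAG, 6, 3, 18));
    return 0;
}
```

The hardened variant rejects the crafted input at the bound check, before the multiplication is ever performed; the 64-bit product is a second, independent guard so that even a larger bound cannot reintroduce a wrap. With the vulnerable check, only two mip-level entries are allocated, yet the destroy loop's third iteration already indexes entry 2, which is where the invalid free() seen in the PoC run originates.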

