myhack58 | Author: 佚名 (anonymous) | MYHACK58:62201892052
Nov 15, 2018

Detailed analysis of the latest VirtualBox virtual machine escape 0-day vulnerability (E1000) - Vulnerability Warning - the black bar safety net

www.myhack58.com

Russian security researcher Sergey Zelenyuk recently published detailed information on a 0-day vulnerability affecting VirtualBox 5.2.20 and earlier versions. It allows an attacker to escape the virtual machine and execute code in ring 3 on the host. The attacker can then use traditional privilege escalation techniques to elevate to ring 0.
Below are all the details Zelenyuk disclosed on his GitHub:
Why disclose the vulnerability details
I like VirtualBox, and it has nothing to do with why I am publishing a 0-day vulnerability. The reason is that I have a different opinion about the contemporary state of information security, especially of security research and bug bounties:

  1. Waiting six months from the submission of a vulnerability until it is patched.
  2. In the bug bounty field:
    · Waiting up to a month for the submitted vulnerability to be verified, and only then deciding whether or not to buy it.
    · Changing the decision on the fly. Today you find the software you found bugs in on a bug bounty program's list of what it buys vulnerabilities in, but a week later you may find that they respond to those vulnerabilities and exploits with "lost interest".
    · Not having a precise list of the software the bug bounty rules cover. Very convenient for the bug bounty program, but embarrassing for security researchers.
    · Not having precise lower and upper bounds on vulnerability prices. Many factors affect the price, but security researchers need to know what is worth studying and what is not.
  3. Delusional nonsense: naming vulnerabilities and creating websites for them; holding a thousand conferences a year; exaggerating the importance of one's own work as a security researcher; considering oneself the "world's saviour".

I'm tired of the first two things, so my approach is full disclosure. Infosec, please keep moving forward!
General information
Vulnerable software: VirtualBox 5.2.20 and earlier versions. Host OS: any operating system; the vulnerability is in a shared code base. Guest OS: any operating system. Virtual machine configuration: default; the only requirement is that the network card is the Intel PRO/1000 MT Desktop (82540EM) and the network mode is NAT.
How to protect yourself
Until a patched VirtualBox build is available, you can change the network card of your virtual machines to PCnet (either of the two) or to Paravirtualized Network. If you cannot, change the network mode from NAT to another mode. The former approach is more secure.
Description
The default VirtualBox virtual network device is the Intel PRO/1000 MT Desktop (82540EM) and the default network mode is NAT; we will refer to it as E1000. The E1000 has a vulnerability that allows an attacker with root or administrator privileges inside the virtual machine to escape to ring 3 on the host. The attacker can then use existing privilege escalation techniques to elevate to ring 0 via /dev/vboxdrv.
Vulnerability details
E1000 101
To send network packets, the virtual machine does what an ordinary PC does: it configures the network card and supplies network packets to it. A packet is a data link layer frame plus the headers of higher-level network protocols. Supplied packets are loaded into the adapter in Tx descriptors ("Tx" stands for "transmit"). A Tx descriptor is a data structure described in the 82540EM datasheet (317453006EN.PDF, Revision 4.0). It stores meta-information such as the packet size, the VLAN tag and flags enabling TCP/IP segmentation.

The 82540EM datasheet provides three Tx descriptor types: legacy, context and data. Legacy should have been deprecated; the other two are used together. The only thing we care about is that the context descriptor sets the maximum packet size and switches TCP/IP segmentation on or off, and the data descriptor holds the physical address of a network packet and its size. The data descriptor's packet size must be less than the context descriptor's maximum packet size. Usually the context descriptor is supplied to the card before the data descriptors.

To supply Tx descriptors to the card, the virtual machine writes them into the Tx Ring, a ring buffer that resides in physical memory at a predefined address. When all descriptors have been written into the Tx Ring, the virtual machine updates the E1000 MMIO TDT register (Transmit Descriptor Tail) to tell the host that there are new descriptors to process.
Input
Consider the following array of Tx descriptors:
[context_1, data_2, data_3, context_4, data_5]
Let us fill the structures as follows (the field names are assumed to be human-readable, but they map directly onto the 82540EM specification):
context_1.header_length = 0
context_1.maximum_segment_size = 0x3010
context_1.tcp_segmentation_enabled = true
data_2.data_length = 0x10
data_2.end_of_packet = false
data_2.tcp_segmentation_enabled = true
data_3.data_length = 0
data_3.end_of_packet = true
data_3.tcp_segmentation_enabled = true
context_4.header_length = 0
context_4.maximum_segment_size = 0xF
context_4.tcp_segmentation_enabled = true
data_5.data_length = 0x4188
data_5.end_of_packet = true
data_5.tcp_segmentation_enabled = true
We will work through, step by step, why they are filled this way.
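The descriptor walk described in the E1000 101 and Input sections, as an added example that is not part of the write-up or of VirtualBox: a small Python model of a Tx Ring with head (TDH) and tail (TDT) indices, and a checker that consumes the pending descriptors the way a host would, tracking the context descriptor currently in force and flagging any data descriptor whose size is not less than that context's maximum segment size. The class and function names, the ring size and the human-readable field names are assumptions; the field values are the write-up's own.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple, Union

# Added example (not from the write-up or VirtualBox): a human-readable model of
# the two 82540EM Tx descriptor types the write-up discusses. Field names mirror
# the write-up's naming, not the datasheet's bit layout (an assumption).


@dataclass
class ContextDescriptor:
    name: str
    header_length: int
    maximum_segment_size: int      # MSS: upper bound for each following data descriptor
    tcp_segmentation_enabled: bool


@dataclass
class DataDescriptor:
    name: str
    data_length: int               # size of the packet buffer this entry points to
    end_of_packet: bool
    tcp_segmentation_enabled: bool


Descriptor = Union[ContextDescriptor, DataDescriptor]


class TxRing:
    """Toy Tx Ring: the guest appends at the tail (TDT), the host consumes from
    the head (TDH) until the two indices meet. One slot is kept free so that
    head == tail unambiguously means 'empty'."""

    def __init__(self, size: int = 8) -> None:
        self.slots: List[Optional[Descriptor]] = [None] * size
        self.tdh = 0
        self.tdt = 0

    def write(self, desc: Descriptor) -> None:
        nxt = (self.tdt + 1) % len(self.slots)
        if nxt == self.tdh:
            raise RuntimeError("Tx ring full")
        self.slots[self.tdt] = desc
        self.tdt = nxt             # the guest's TDT update signals new work

    def pending(self) -> Iterator[Descriptor]:
        while self.tdh != self.tdt:
            desc = self.slots[self.tdh]
            self.tdh = (self.tdh + 1) % len(self.slots)
            assert desc is not None
            yield desc


def check_tx_ring(ring: TxRing) -> List[Tuple[str, str]]:
    """Consume the ring like a host would and report every data descriptor that
    breaks the invariant stated in the write-up: a data descriptor's size must be
    less than the maximum segment size of the context descriptor in force."""
    violations: List[Tuple[str, str]] = []
    ctx: Optional[ContextDescriptor] = None
    for desc in ring.pending():
        if isinstance(desc, ContextDescriptor):
            ctx = desc               # a new context replaces the previous limits
            continue
        if ctx is None:
            violations.append((desc.name, "no_context"))
        elif desc.data_length >= ctx.maximum_segment_size:
            violations.append((desc.name, "exceeds_mss"))
    return violations


def check_descriptors(descs: List[Descriptor]) -> List[Tuple[str, str]]:
    """Write the descriptors to a fresh ring in order, then check them."""
    ring = TxRing(size=len(descs) + 1)
    for d in descs:
        ring.write(d)
    return check_tx_ring(ring)


def writeup_descriptors() -> List[Descriptor]:
    """The five descriptors exactly as the write-up fills them."""
    return [
        ContextDescriptor("context_1", 0, 0x3010, True),
        DataDescriptor("data_2", 0x10, False, True),
        DataDescriptor("data_3", 0, True, True),
        ContextDescriptor("context_4", 0, 0xF, True),
        DataDescriptor("data_5", 0x4188, True, True),
    ]


if __name__ == "__main__":
    for name, reason in check_descriptors(writeup_descriptors()):
        print(f"{name}: {reason}")
```

Run on the write-up's array, the checker reports exactly one violation: data_5 against context_4, since 0x4188 is not less than 0xF. A device model that enforces this invariant against the context currently in force at the moment it sizes the packet buffer, rather than only when the descriptors are first located, is the check a reviewer of such emulation code would look for.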
Root cause analysis
Processing [context_1, data_2, data_3]
Assume the descriptors above are written into the Tx Ring in the specified order and the virtual machine updates the TDT register. The host will now execute the e1kXmitPending function implemented in src/VBox/Devices/Network/DevE1000.cpp (most comments have been deleted for readability):
static int e1kXmitPending(PE1KSTATE pThis, bool fOnWorkerThread)
{

    while (!pThis->fLocked && e1kTxDLazyLoad(pThis))
    {
        while (e1kLocateTxPacket(pThis))
        {
            fIncomplete = false;
            rc = e1kXmitAllocBuf(pThis, pThis->fGSO);
            if (RT_FAILURE(rc))
