VirtualBox virtual machine latest escape vulnerability E1000 0day detailed analysis of under-vulnerability warning-the black bar safety net

Recently, Russian security researcher Sergey Zelenyuk released for VirtualBox 5.2.20 early version of the zero-day exploit detailed information, these versions can allow an attacker to escape the virtual machine and executed on the host RING 3-layer code. Then, the attacker can take advantage of the traditional attack techniques will be elevation of privilege to RING 0 layer.
Exploit
The exploitability of the vulnerability the Linux kernel module LKM loaded to the client virtual machineOS. If the virtual machineOSis Windows you only need one with LKM different drivers, this driver is to initialize the wrapper and the kernel API calls needed.
In twooperating systemto load the driver requires elevated permissions. The use of mention of the right to a universal, it is not considered to be an insurmountable obstacle. Look at the researchers at the Pwn2Own competition for the use of the exploit chain: in the client virtual machineOSin the browser to open a malicious website to exploit the vulnerability, a browser sandbox escape can get the complete RING3 access the you need from the virtual machineOSto attack a virtual machine management program the place you useoperating systemthe vulnerability can be elevated to RING0 is. The power of the most powerful hypervisor vulnerabilities are certainly those from the client virtual machine RING3 take advantage of the vulnerability. In VirtualBox also has such a code, in the absence of the virtual machine root privileges to execute, and most of the code have not been audited.
This exploits the success rate is 100%. This means that it either always succeeds or never because they do not match the binary file or the other without taking into account the more subtle reasons which led to the use of fail. At least in Ubuntu 16. 04 and 18. 04 x86_64 on a virtual machine using the default configuration of the case of the use of is successful.
The development of the exploit program

1. The attacker uninstalling the Linux guest virtual machine in the default load of e1000. ko and load the exploit program of the LKM.
2. LKM according to the data of the table initialize the E1000. Because they do not need to receive the other half, so only initialize the send half.
3. Step 1: information leakage.
   · a. LKM is disabled E1000 loopback mode, so that the stack buffer overflow code is unreachable.
   · b. LKM using an integer underflow vulnerability allows a heap buffer overflow.
   · c. A heap buffer overflow an attacker can use the E1000 EEPROM in relative to the stack buffer of 128 KB within the scope of the written two arbitrary bytes. Therefore the attacker to obtain a write primitive.
   · d. LKM using the write primitive is eight times the write bytes on the heap ACPI（advanced configuration and power interface data structure. Byte is written to the heap buffer of the index variable, which reads a single byte. Since the buffer size is less than the maximum index number of 255, so the attacker can read the buffer, so eventually the attacker gained read primitive.
   · e. LKM used to read primitive eight times, access to the ACPI and from the stack in 8 bytes. These bytes are VBoxDD. so the Shared Library pointers.
   · f. LKM from the pointer by subtracting the RVA to get VBoxDD. so the mirror base address.
4. Step 2: stack buffer overflow.
   · a. LKM enabled E1000 loopback mode, so that the stack buffer overflow code.
   · b. LKM using an integer underflow vulnerability allows a heap buffer overflow and stack buffer overflow. Save the return address of the RIP / EIP will be overwritten. The attacker gained control.
   · c. The implementation of the ROP chain to execute the shellcode loader.
   5 Step 3: shellcode of.
   · a. shellcode loader from adjacent the stack to copy the shellcode to. shellcode is executed.
   · b. shellcode execution fork and execve system calls on the host side to generate an arbitrary process.
   · c. The parent process continues to run processes.
5. The attacker unload the LKM and loaded the e1000. ko allows the virtual machine to use the network.
   Initialization
   LKM mapping related to the E1000 MMIO physical memory. The physical address and size by the management program predefined.
   void* map_mmio(void) {
   off_t pa = 0xF0000000;
   size_t len = 0x20000;
   void* va = ioremap(pa, len);
   if (! va) {
   printk(KERN_INFO PFX"ioremap failed to map MMIO\n");
   return NULL;
   }
   return va;
   }
   And then configure the E1000 General-purpose registers, allocate Tx Ring memory, the configuration of the send register.
   void e1000_init(void* mmio) {
   // Configure the general purpose registers
   configure_CTRL(mmio);
   // Configure the TX registers
   g_tx_ring = kmalloc(MAX_TX_RING_SIZE, GFP_KERNEL);
   if (! g_tx_ring) {
   printk(KERN_INFO PFX"Failed to allocate TX Ring\n");
   return;
   }
   configure_TDBAL(mmio);
   configure_TDBAH(mmio);
   configure_TDLEN(mmio);
   configure_TCTL(mmio);
   }
   ASLR bypass
   Write primitive
   From the exploit program development began, I decided not to use the default disable of the service primitive. The first thing to say is to provide 3D acceleration of Chromium service is not a browser, and last year researchers discovered more than 40 vulnerabilities.
   Now the problem is in the default VirtualBox subsystem found in information leakage. The obvious idea is that if an integer underflow allows to overflow a heap buffer, then we can control any more than the buffer contents. Next we will see we do not need an additional vulnerability: integer underflow seems to be very powerful, we can derive read, write and leakage of information of the primitive, not here in the stack buffer overflow.
   Let’s see the stack on exactly what kind of overflow.
   /** * Device state structure. */struct E1kState_st
   {
   … uint8_t aTxPacketFallback[E1K_MAX_TX_PKT_SIZE];

[1] [2] [3] [4] [5] next