ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
66 lines
No EOL
3.1 KiB
Text
66 lines
No EOL
3.1 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1091
|
|
|
|
This bug report describes two separate issues that, when combined,
|
|
allow any user on a Linux host system on which VirtualBox is installed
|
|
to gain code execution in the kernel. Since I'm not sure which one of
|
|
these issues crosses something you consider to be a privilege boundary,
|
|
I'm reporting them together.
|
|
|
|
To reproduce, download the attached file
|
|
virtualbox-host-r3-to-host-r0-crasher.tar, ensure that at least one VM
|
|
is running, then:
|
|
|
|
/tmp$ tar xf virtualbox-host-r3-to-host-r0-crasher.tar
|
|
/tmp$ cd virtualbox-host-r3-to-host-r0-crasher/
|
|
/tmp/virtualbox-host-r3-to-host-r0-crasher$ ./attack.sh
|
|
./attack.sh: line 7: 82634 Killed QT_QPA_PLATFORM_PLUGIN_PATH=fake_qt_platform_plugins /usr/lib/virtualbox/VirtualBox --startvm
|
|
/tmp/virtualbox-host-r3-to-host-r0-crasher$ dmesg
|
|
[...]
|
|
[279468.028025] BUG: unable to handle kernel paging request at 0000000013370028
|
|
[...]
|
|
|
|
|
|
The first step of the attack is to get access to the device
|
|
/dev/vboxdrv, which can normally only be opened by root:
|
|
|
|
~$ ls -l /dev/vboxdrv
|
|
crw------- 1 root root 10, 54 Jan 17 16:23 /dev/vboxdrv
|
|
|
|
In order to be able to open this device, the main VirtualBox binary is
|
|
setuid root:
|
|
|
|
$ ls -l /usr/lib/virtualbox/VirtualBox
|
|
-r-s--x--x 1 root root 35240 Jan 16 19:55 /usr/lib/virtualbox/VirtualBox
|
|
|
|
VirtualBox uses its root privileges to open /dev/vboxdrv, then quickly
|
|
drops its privileges. However, it retains the open file descriptor to
|
|
/dev/vboxdrv. Therefore, an attacker can gain access to the device
|
|
/dev/vboxdrv by injecting code into a VirtualBox userspace process.
|
|
|
|
After dropping privileges, VirtualBox loads various libraries,
|
|
including QT, that are not designed to run in a setuid context.
|
|
See https://doc.qt.io/qt-5/qcoreapplication.html#setSetuidAllowed :
|
|
"Qt is not an appropriate solution for setuid programs due to its
|
|
large attack surface." Using the environment variable
|
|
QT_QPA_PLATFORM_PLUGIN_PATH, an attacker can let QT load a library
|
|
from an arbitrary directory.
|
|
|
|
|
|
The second step is to use the device /dev/vboxdrv to corrupt the
|
|
kernel. The SUP_IOCTL_CALL_VMMR0 ioctl takes a pointer to a structure
|
|
in ring 0 as an argument (pVMR0) and ends up calling the function
|
|
VMMR0EntryEx(). With the attached PoC, this function crashes when
|
|
attempting to read pVM->pVMR0. However, an attacker who supplies a
|
|
pointer to attacker-controlled kernel memory could reach any point in
|
|
the function. For some operations, e.g.
|
|
VMMR0_DO_VMMR0_INIT, the attacker-controlled pointer pVM is then used
|
|
in vmmR0CallRing3SetJmpEx() to save and restore various kernel
|
|
registers, including RSP. By supplying a pointer to which the attacker
|
|
can concurrently write data, an attacker can therefore control the
|
|
kernel stack and thereby perform arbitrary operations in the kernel.
|
|
(As far as I can tell, a comment in VMMR0EntryEx points out this
|
|
issue: "/** @todo validate this EMT claim... GVM knows. */")
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41905.zip |