오늘 아래와 같은 메일을 받았다.

 

저 내용 아래에 비트코인으로 얼마를 보내라 뭐시기 내용이 써 있었다. 물론 나는 저기에 걸릴게 하나도 없었다.

 

비트코인 내용이 써있길래 한번 간략하게 추적해봤다.

 

www.blockchain.com/btc/address/1FD71hUPhsi7hLarvx5ueBxaeEHYfp8o7H

 

트랜젝션이 하나도 없었다. 비트코인 지갑을 메일을 보낼때마다 새로 파는건 아닐테니 이번에 새롭게 스팸을 보내 돈을 갈취하는 수법을 시도하는 사람인 것 같다.

 

다른 내용도 있었다.

 

www.bitcoinabuse.com/reports/1FD71hUPhsi7hLarvx5ueBxaeEHYfp8o7H

 

해당 페이지에서 재밌는 내용들을 볼 수 있었다.

 

그냥 메일주소 하나 가지고 사기치는 사람인듯 하다.

'스팸주의' 카테고리의 다른 글

국가기관 사칭 문자 (ft. 긴급복지지원)  (0) 2022.07.25
스팸 메일 1  (0) 2021.04.02

JunYoung Park (@candymate)

Github : @candymate

Twitter : @siwu_network (candymate)

Blog : https://candymate.tistory.com

Team : None - previously PLUS (POSTECH Laboratory for Unix Security, https://plus.or.kr)

Academics

Daegu Science High School 27th (Graduated at 2017/02)

POSTECH Undergraduate (2017/02~2022/02)

KAIST GSIS Master's course (KAIST hacking lab - https://kaist-hacking.github.io/, 2022/02~)

Interests

Hypervisors, Browsers

Career

ETC

KITRI BoB 9th Vulnerability Analysis

  • Project: Virtualization Software Bug Hunting - VirtualBoBs
  • Result : 3 CVEs (CVE-2021-2086, CVE-2021-2124, CVE-2021-2127), 3 ZDI-CAN (ZDI-CAN-12407, ZDI-CAN-12621, ZDI-CAN-12761 - Total $6,500)

CTFs

Only Major CTFs are listed. I've participated a lot of CTFs as PLUS, or as other teams.

There might be other major CTFs I forgot.

Team

PLUS, and many other teams (MINUS, LeaveCat-PLUS, KaisHack+PLUS+GoN, ...)

Major Participations

DEFCON 26, 27, 28 Finalist (as KaisHack+PLUS+GoN, seoulplusbadass, koreanbadass)

Codegate CTF Finals (University) 2018, 2019, 2020 (PLUS - each 4th, 1st, 2nd)

Defenit CTF 2020 1st (as ToEatSushi)

Bugs

 

'공지' 카테고리의 다른 글

About Me  (0) 2021.03.26

계속해서 업데이트 됩니다.

 

1. andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms/

'보안 > Crypto' 카테고리의 다른 글

ECC Study Links  (0) 2021.03.24

한달 전쯤에 이 게임을 다운받아 정신놓고 한 결과 어느샌가 다 깨게 되었다.

(1e4000 EP가 클리어라고 하는 사람들도 있겠지만 본인은 도전과제를 다 깬 시점에서 클리어라고 생각한다)

 

게임을 열심히 하면서 느낀 것은 다른 키우기류 게임들과 다르게 게임 디자인이 깔끔하다는 것이다. 게임에 대한 어느정도의 이해도를 요구하긴 하지만 엄청 높은 이해도를 요구하는 것도 아니고, 환생 시스템과 비스무리한건 있지만 끔찍하게 반복적인 것을 요구하는 것이 아니며, 지루하려고 하면 새로운 컨텐츠를 소개하는 완급조절이 잘 되어 있어서 게임을 재밌게 할 수 있었다. 모바일 게임치고 광고를 많이 띄우거나 요구하는 것도 아니고... 쿠키 클리커나 페이퍼클립 게임과 비슷한 류의 게임이지만 그 둘보다는 훨씬 재미있는 게임이라고 생각하면 될 것 같다.

 

깨는데 26일정도 걸린 것 같은데 처음 시작해서 클리어까지는 보통이라면 훨씬 더 오래 걸리는 것이 정상일 것이다. 본인의 경우에는 거의 여기에 매달린 것 같아서... 아무튼 재밌게 플레이했다.

'게임 > Etc' 카테고리의 다른 글

Antimatter Dimensions 올클리어  (0) 2021.03.08

Fuzzer list that I and my team VirtualBoBs wrote during BoB project.

The levels of these fuzzers are not that high, but I think it is worth opening them.

Haven't found any bugs from these, but it is worth trying to run them, hunting bugs.

 

1. Network Protocol Fuzzer working in VMs (possibly targeting SLiRP)

https://github.com/VirtualBoBs/QEMUSLNetFuzz

 

2. VirtualBox VMSVGA 3d Fuzzer (possibly for VMware as well)

https://github.com/VirtualBoBs/VBox-SVGA3D-fuzzing 

'보안 > Bug Hunting' 카테고리의 다른 글

fetch --nohooks chromium 고치기  (1) 2021.06.19
My Fuzzers  (2) 2021.02.21
QEMU USB Analysis and Fuzzing  (0) 2021.01.19
CCID Protocol  (0) 2021.01.19
VirtualBox SVGA  (0) 2021.01.19
  1. candymate 2021.03.04 15:25 신고

    Closed VMSVGA 3d fuzzer because of personal reasons.

  2. candymate 2021.04.24 18:00 신고

    VMSVGA Fuzzer now open to public (following by the disclosure of CVE-2021-2266)

https://pwnable.xyz 

 

pwnable.xyz

 

pwnable.xyz

게으름의 정점을 찍다가 이제야 다 풀었습니다. (이것도 1년전에 했어야 하지 않았을까...)

뒤쪽에 유니콘 문제들 생각보다 재밌네요.

이제 다시 커널 공부하러 갑니다.

'보안 > 일지' 카테고리의 다른 글

CVE-2021-2266 VirtualBox (ZDI-CAN-13464)  (2) 2021.04.22
추가 버그  (1) 2021.04.15
pwnable.xyz 올클  (1) 2021.02.21
커널 공부 근황 1  (0) 2021.02.18
CVE-2021-2127 VirtualBox  (1) 2021.01.20
  1. 이도현 2021.02.21 21:03

    슈퍼 해커... 고수...

요새 커널 공부를 열심히 하고 있다. procfs님 자료보면서 열심히 삽질하며 공부하고 있고, 나름대로 공부가 잘 진행되어 동아리 세미나도 2번 진행할 수 있었다.

정말 기초적인 내용이었던 LKM과 같은 내용은 건너뛸 수 있었지만 바로 return-to-user부터 모르는 내용이 나와 좀 막혔다. Return to user, SMEP, KPTI까지는 공부를 했는데 KASLR부터 이것저것 찾아보니 혼돈이 왔다. 버전마다 구현이 다르다, 이게 맞다, 등, 어... 뭐가 맞는거지? 하는 생각밖에 안 들었다. 처음에 환경세팅할 때 디버깅 세팅을 안해서 망했다.

디버깅 세팅을 하려고 열심히 buildroot 설정 건드려보고 디버거 바꿔보고 삽질을 했다. 근데 아무리 해도 vmlinux는 심볼을 어딘가에 버리고 오고, 디버거는 이번 기회에 pwndbg를 쓰게 되었지만 별 효과는 없었다. 하루 종일 삽질했는데, 결국 멘탈이 나가 워게임을 풀러가 돌아오지 못했다.

빨리 다시 커널공부로 돌아와 SMAP, KASLR 부분을 끝내고 싶다.

사실 진작 2년정도 전에 공부했어야지... ㅠㅠ

'보안 > 일지' 카테고리의 다른 글

CVE-2021-2266 VirtualBox (ZDI-CAN-13464)  (2) 2021.04.22
추가 버그  (1) 2021.04.15
pwnable.xyz 올클  (1) 2021.02.21
커널 공부 근황 1  (0) 2021.02.18
CVE-2021-2127 VirtualBox  (1) 2021.01.20

Before going on content...

I originally mentioned that this bug will be disclosed 3 months after the patch. However, I decided to release it today since 3 months seems to be too long... As long as there is an another researcher who disclosed his bugs at the patch date, it would be fine releasing this bug today.


High-level overview of the vulnerability and the possible effect of using it

A divide by zero vulnerability exists in vmsvga3dSurfaceDMA, in SVGA3D of Oracle VirtualBox 6.1.16 Linux distributions. To use this vulnerability, 3D acceleration option should be turned for a guest OS, and an attacker must get a root privilege in the guest OS.

This vulnerability allows local or remote attackers to crash VMs with 3D acceleration, leading to a denial-of-service condition. Flaws exist in three points: (1) Invalid surfaces can be defined in vmsvga3dSurfaceDefine, (2) Textures can be bound to invalid surfaces, (3) No check for divisor in vmsvga3dSurfaceDMA.

Exact product that was found to be vulnerable including complete version information

Version Information

Oracle VirtualBox 6.1.16 releases (which is the latest release in 2020/11/17) except for Windows are affected by this vulnerability. PoC code is tested with the release and Ubuntu 20.04.1 desktop for host and guest OSes, but it is also expected to work with other operating systems, except with Windows.

Precondition

An attacker must get a root privilege in a guest OS in order to use this vulnerability. Also, 3D acceleration option must be turned on for the guest OS to use this vulnerability. Finally, graphics controller option must be set to VMSVGA, which is the default option for Linux guest OSes.

Root Cause Analysis

Overview

A divide by zero vulnerability exists in vmsvga3dSurfaceDMA, which handles the SVGA_3D_CMD_SURFACE_DMA command in the SVGA FIFO loop. A VM crashes when the vulnerability is triggered, leading to the denial-of-service condition on the software. The vulnerability lies in the simple overflow check of the guest offset, before the offset gets verified by vmsvgaR3GmrTransfer. (See Code 1)

// Code 1

// Devices/Graphics/DevVGA-SVGA3d.cpp:610
/* srcx, srcy and srcz values are used to calculate the guest offset.
 * The offset will be verified by vmsvgaR3GmrTransfer, so just check for overflows here.
 */
AssertReturn(srcz < UINT32_MAX / pMipLevel->mipmapSize.height / cbGuestPitch, VERR_INVALID_PARAMETER);

cbGuestPitch can be zero with forged surfaces, leading to a divide by zero vulnerability. No check exists for pMipLevel->cbSurfacePitch, so cbGuestPitch can be zero. AssertReturn function remains as an if-else statement in a release version, so the vulnerability exists in a release version.

Three steps are needed to reach the vulnerable condition. These steps each uses a bug contained in its process.

  1. Two invalid surfaces, which have invalid mipmap sizes, are defined using a SVGA_3D_CMD_SURFACE_DEFINE command. One of two surfaces may be a valid surface. It doesn't affect the next step.
  2. Textures are bound to two surfaces using SVGA_3D_CMD_SURFACE_STRETCHBLT command. Two surfaces are each sent as source and destination surfaces.
  3. Divide by zero is triggered by using SVGA_3D_CMD_SURFACE_DMA command with guest.pitch = 0

Code flow from input to vmsvga* functions

Commands are asynchronously handled with the FIFO loop. (vmsvgaR3FifoLoop in Devices/Graphics/DevVGA-SVGA.cpp) Commands sent via VMware SVGA II PCI device are first enqueued to a SVGA command FIFO buffer, and they are dequeued and handled asynchronously in FIFO order by the loop.

Parsing and executing commands is done in vmsvgaR3FifoLoop function, which contains a simple switch-case statement to handle commands. With a given command id, the loop selects the method of parsing and handling the command. The loop eventually calls vmsvga~~ function to handle a command.

Step 1. Definition of invalid surfaces

Definition of an invalid surface is needed for to reach the vulnerable condition. Our goal is to make a surface that has the following conditions:

  1. Mipmap size is not zero so the clip box is not considered as empty in DMA command.
  2. cbSurfacePitch (derived from cBlocksX, cBlocksY, ...) is zero to trigger divide by zero.
  3. Texture is bound to the surface so that oglId is not zero.

In this step, a surface is defined with a non-zero mipmap size and a zero cbSurfacePitch value. A surface should not be defined in this condition, so this can be considered as a bug.

Making an invalid surface is simple: a surface can be defined with a negative size. (i.e. (-1, -1, -1)) Then, the definition fails in the condition described below. (See Code 2)

// Code 2

// Devices/Graphics/DevVGA-SVGA3d.cpp:278
if (RT_LIKELY(pSurface->cxBlock == 1 && pSurface->cyBlock == 1))
{
    cBlocksX = pMipmapLevel->mipmapSize.width;
    cBlocksY = pMipmapLevel->mipmapSize.height;
}
else
{
    (...)
}

(...)

const uint32_t cMaxBlocksX = cbMemRemaining / pSurface->cbBlock;
if (cBlocksX > cMaxBlocksX)
    return VERR_INVALID_PARAMETER;

cBlocksX becomes a negative value (i.e. -1), which is given as the argument of the command. cMaxBlocksX is 0x80000000 / n since cbMemRemaining remains 0x80000000 and pSurface->cbBlock becomes a small integer which is calculated from a given surface format. (i.e. 1, 2, 4, ..., see DevVGA-SVGA3d-shard.cpp:263 for details) Since the check is done with an unsigned comparison, cBlocksX is always bigger than cMaxBlocksX, so the check fails and the function returns.

A mipmap is already allocated before checking the validity of cBlocks, and the default value of a mipmap is zero for all other remaining values that are not initialized. Therefore, *cbSurfacePitch also becomes zero since it is not initialized. Mipmap size is already assigned before validation, so it is not zero. (See Code 3)

// Code 3

// Devices/Graphics/DevVGA-SVGA3d.cpp:223
for (uint32_t i=0; i < cMipLevels; i++)
    pSurface->paMipmapLevels[i].mipmapSize = paMipLevelSizes[i];

The outcome of step 1 is an object that looks like below. (Size is given as (-1, -1, -1)) Note that mipmapSize is not zero, and cbSurfacePitch is zero.

[*] surface
$2441 = 0x7fff6c7c49a0
$2442 = {
  id = 0x0,
  idWeakContextAssociation = 0xffffffff,
  surfaceFlags = 0x2,
  format = SVGA3D_BUFFER,
  internalFormatGL = 0xffffffff,
  formatGL = 0xffffffff,
  typeGL = 0xffffffff,
  enmOGLResType = VMSVGA3D_OGLRESTYPE_NONE,
  oglId = {
    texture = 0x0,
    buffer = 0x0,
    renderbuffer = 0x0
  },
  targetGL = 0x0,
  bindingGL = 0x0,
  fEmulated = 0x0,
  idEmulated = 0x0,
  faces = {{
      numMipLevels = 0x1
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }},
  cFaces = 0x1,
  cMipmapLevels = 0x1,
  paMipmapLevels = 0x7fff6fca48a0,
  multiSampleCount = 0x0,
  autogenFilter = SVGA3D_TEX_FILTER_NONE,
  cbBlock = 0x1,
  cxBlock = 0x1,
  cyBlock = 0x1,
  cbBlockGL = 0x1,
  fDirty = 0x0
}
[*] paMipmapLevel[0]
$2443 = {
  mipmapSize = {
    width = 0xffffffff,
    height = 0xffffffff,
    depth = 0xffffffff
  },
  cBlocksX = 0x0,
  cBlocksY = 0x0,
  cBlocks = 0x0,
  cbSurfacePitch = 0x0,
  cbSurfacePlane = 0x0,
  cbSurface = 0x0,
  pSurfaceData = 0x0,
  fDirty = 0x0
}

Step 2. Texture binding

Texture binding to the surface made in step 1 is needed to reach the vulnerable condition. In step 2, SVGA_3D_CMD_SURFACE_STRETCHBLT command is used to bind a texture. Draw primitive functions may be used to bind textures, but they are more complicated than vmsvga3dSurfaceStretchBlt function, so the function is used in step 2. Also, a buffer may be bound to a surface instead of binding a texture to it, but binding a texture is chosen because of the same reason.

vmsvga3dSurfaceStretchBlt needs two surfaces: one as a source surface and the other as a destination surface. One of two surfaces may be valid, but one of them must be the surface which is made in step 1 to exploit the vulnerability.

Codes described in Code 4 is used to create and bind the texture to the surfaces. Even if a surface is invalid, a texture will be created and bound to the surface. vmsvga3dBackCreateTexture function will create a texture and bind it to the surface.

// Code 4

// Devices/Graphics/DevVGA-SVGA3d.cpp:437
if (!VMSVGA3DSURFACE_HAS_HW_SURFACE(pSrcSurface))
{
    /* Unknown surface type; turn it into a texture, which can be used for other purposes too. */
    LogFunc(("unknown src sid=%u type=%d format=%d -> create texture\n", sidSrc, pSrcSurface->surfaceFlags, pSrcSurface->format));
    rc = vmsvga3dBackCreateTexture(pState, pContext, pContext->id, pSrcSurface);
    AssertRCReturn(rc, rc);
}

if (!VMSVGA3DSURFACE_HAS_HW_SURFACE(pDstSurface))
{
    /* Unknown surface type; turn it into a texture, which can be used for other purposes too. */
    LogFunc(("unknown dest sid=%u type=%d format=%d -> create texture\n", sidDst, pDstSurface->surfaceFlags, pDstSurface->format));
    rc = vmsvga3dBackCreateTexture(pState, pContext, pContext->id, pDstSurface);
    AssertRCReturn(rc, rc);
}

A texture should not be bound if a surface is invalid. Therefore, this can be also considered as a bug.

The outcome of step 2 is an object that looks like below. Note that oglId is not zero anymore.

[*] pSurface
$2453 = {
  id = 0x1,
  idWeakContextAssociation = 0xffffffff,
  surfaceFlags = 0x22,
  format = SVGA3D_BUFFER,
  internalFormatGL = 0xffffffff,
  formatGL = 0xffffffff,
  typeGL = 0xffffffff,
  enmOGLResType = VMSVGA3D_OGLRESTYPE_TEXTURE,
  oglId = {
    texture = 0x38,
    buffer = 0x38,
    renderbuffer = 0x38
  },
  targetGL = 0x806f,
  bindingGL = 0x806a,
  fEmulated = 0x0,
  idEmulated = 0x0,
  faces = {{
      numMipLevels = 0x1
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }, {
      numMipLevels = 0x0
    }},
  cFaces = 0x1,
  cMipmapLevels = 0x1,
  paMipmapLevels = 0x7fff6c7c17a0,
  multiSampleCount = 0x0,
  autogenFilter = SVGA3D_TEX_FILTER_NONE,
  cbBlock = 0x1,
  cxBlock = 0x1,
  cyBlock = 0x1,
  cbBlockGL = 0x1,
  fDirty = 0x0
}
[*] pMipLevel
$2454 = {
  mipmapSize = {
    width = 0xffffffff,
    height = 0xffffffff,
    depth = 0xffffffff
  },
  cBlocksX = 0x0,
  cBlocksY = 0x0,
  cBlocks = 0x0,
  cbSurfacePitch = 0x0,
  cbSurfacePlane = 0x0,
  cbSurface = 0x0,
  pSurfaceData = 0x0,
  fDirty = 0x0
}

Step 3. Triggering the bug

Divide by zero bug in vmsvga3dSurfaceDMA can now be triggered with the surface made in step 1 and step 2. The problematic code is described in Code 5.

// Code 5

// Devices/Graphics/DevVGA-SVGA3d.cpp:610
/* srcx, srcy and srcz values are used to calculate the guest offset.
 * The offset will be verified by vmsvgaR3GmrTransfer, so just check for overflows here.
 */
AssertReturn(srcz < UINT32_MAX / pMipLevel->mipmapSize.height / cbGuestPitch, VERR_INVALID_PARAMETER);

Here, divide by zero occurs when cbGuestPitch is zero. cbGuestPitch becomes zero if we give guest.pitch = 0. (guest.pitch is an argument of a DMA command given by the user) AssertReturn function remains as an if-else statement in a release version, so the vulnerability exists in a release version. See Code 6.

// Code 6

// Devices/Graphics/DevVGA-SVGA3d.cpp:597
uint32_t cbGuestPitch = guest.pitch;
if (cbGuestPitch == 0)
{
    /* Host must "assume image is tightly packed". Our surfaces are. */
    cbGuestPitch = pMipLevel->cbSurfacePitch;
}
else { (...) }

There are two checks that need to be bypassed to reach the vulnerable condition. One (Code 7) is bypassed by defining an invalid surface in step 1, and the other (Code 8) is bypassed by binding a texture to the invalid surface defined in step 2. The check in Code 7 requires a non-zero mipmap size, and the other check in Code 8 requires a non-zero oglId.

// Code 7

// Devices/Graphics/DevVGA-SVGA3d.cpp:536
/* The copybox's "dest" is coords in the host surface. Verify them against the surface's mipmap size. */
SVGA3dBox hostBox;
hostBox.x = paBoxes[i].x;
hostBox.y = paBoxes[i].y;
hostBox.z = paBoxes[i].z;
hostBox.w = paBoxes[i].w;
hostBox.h = paBoxes[i].h;
hostBox.d = paBoxes[i].d;
vmsvgaR3ClipBox(&pMipLevel->mipmapSize, &hostBox);

if (   !hostBox.w
    || !hostBox.h
    || !hostBox.d)
{
    Log(("Skip empty box\n"));
    continue;
}

// Devices/Graphics/DevVGA-SVGA.cpp:5274
/**
 * Unsigned coordinates in pBox. Clip to [0; pSize).
 *
 * @param   pSize   Source surface dimensions.
 * @param   pBox    Coordinates to be clipped.
 */
void vmsvgaR3ClipBox(const SVGA3dSize *pSize, SVGA3dBox *pBox)
{
    /* x, w */
    if (pBox->x > pSize->width)
        pBox->x = pSize->width;
    if (pBox->w > pSize->width - pBox->x)
        pBox->w = pSize->width - pBox->x;

    /* y, h */
    if (pBox->y > pSize->height)
        pBox->y = pSize->height;
    if (pBox->h > pSize->height - pBox->y)
        pBox->h = pSize->height - pBox->y;

    /* z, d */
    if (pBox->z > pSize->depth)
        pBox->z = pSize->depth;
    if (pBox->d > pSize->depth - pBox->z)
        pBox->d = pSize->depth - pBox->z;
}
// Code 8

// Devices/Graphics/DevVGA-SVGA3d.cpp:504
if (!VMSVGA3DSURFACE_HAS_HW_SURFACE(pSurface))
{
    /*
     * Not realized in host hardware/library yet, we have to work with
     * the copy of the data we've got in VMSVGA3DMIMAPLEVEL::pSurfaceData.
     */
    AssertReturn(pMipLevel->pSurfaceData, VERR_INTERNAL_ERROR);
}

// Devices/Graphics/DevVGA-SVGA3d-internal.h:683 (VMSVGA3D_DIRECT3D not defined in linux release)
/** @def VMSVGA3DSURFACE_HAS_HW_SURFACE
 * Checks whether the surface has a host hardware/library surface.
 * @returns true/false
 * @param   a_pSurface      The VMSVGA3d surface.
 */
#ifdef VMSVGA3D_DIRECT3D
# define VMSVGA3DSURFACE_HAS_HW_SURFACE(a_pSurface) ((a_pSurface)->u.pSurface != NULL)
#else
# define VMSVGA3DSURFACE_HAS_HW_SURFACE(a_pSurface) ((a_pSurface)->oglId.texture != OPENGL_INVALID_ID)
#endif

Vulnerable code can be reached by bypassing these two conditions. VM crashes with divide by zero, trying to divide with cbGuestPitch, which has zero value.

gdb-peda$ c
Continuing.

Thread 24 "VMSVGA FIFO" received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0x7f3acc41f700 (LWP 73906)]
[----------------------------------registers-----------------------------------]
RAX: 0x1 
RBX: 0x0 
RCX: 0xffffffff 
RDX: 0x0 
RSI: 0x0 
RDI: 0x0 
RBP: 0x7f3acc41ed10 --> 0x7f3acc41ee50 --> 0x7f3acc41ee90 --> 0x7f3acc41eeb0 --> 0x7f3acc41eef0 --> 0x0 
RSP: 0x7f3acc41ec10 --> 0x400000001 
RIP: 0x7f3acd87b333 (div    ebx)
R8 : 0x0 
R9 : 0x0 
R10: 0x1 
R11: 0x2a ('*')
R12: 0x0 
R13: 0x7f3a94603ed0 --> 0xffffffff00000001 
R14: 0x7f3a9775f260 --> 0xffffffffffffffff 
R15: 0x7f3a94000b80 --> 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7f3acd87b32b:    mov    eax,ecx
   0x7f3acd87b32d:    div    DWORD PTR [r14+0x4]
   0x7f3acd87b331:    xor    edx,edx
=> 0x7f3acd87b333:    div    ebx
   0x7f3acd87b335:    cmp    eax,DWORD PTR [rbp-0xbc]
   0x7f3acd87b33b:    jbe    0x7f3acd87b568
   0x7f3acd87b341:    mov    eax,ecx
   0x7f3acd87b343:    xor    edx,edx
[------------------------------------stack-------------------------------------]
0000| 0x7f3acc41ec10 --> 0x400000001 
0008| 0x7f3acc41ec18 --> 0x7f3a94000b64 --> 0xfffffffe 
0016| 0x7f3acc41ec20 --> 0x7f3ad8134568 --> 0xffffeeee 
0024| 0x7f3acc41ec28 --> 0x22057251 
0032| 0x7f3acc41ec30 --> 0x0 
0040| 0x7f3acc41ec38 --> 0x7f3ad8134250 --> 0x5000000010 
0048| 0x7f3acc41ec40 --> 0x7f3acc6e4140 --> 0x7f3ab8000000 --> 0xff1d1d1dff1d1d1d 
0056| 0x7f3acc41ec48 --> 0x7f3acc6e4800 --> 0x8000000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x00007f3acd87b333 in ?? () from /usr/lib/virtualbox/VBoxDD.so
gdb-peda$ bt
#0  0x00007f3acd87b333 in  () at /usr/lib/virtualbox/VBoxDD.so
#1  0x00007f3acd876bcb in  () at /usr/lib/virtualbox/VBoxDD.so
#2  0x00007f3b10724c8a in  () at /usr/lib/virtualbox/components/VBoxVMM.so
#3  0x00007f3b21f879e8 in  () at /usr/lib/virtualbox/VBoxRT.so
#4  0x00007f3b2204b452 in  () at /usr/lib/virtualbox/VBoxRT.so
#5  0x00007f3b2235f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6  0x00007f3b22280293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
gdb-peda$ vmmap
(...)
0x00007f3acd7c6000 0x00007f3acd7e8000 r--p    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acd7e8000 0x00007f3acd94d000 r-xp    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acd94d000 0x00007f3acdb7f000 r--p    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acdb7f000 0x00007f3acdb80000 ---p    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acdb80000 0x00007f3acdb93000 r--p    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acdb93000 0x00007f3acdb9b000 rw-p    /usr/lib/virtualbox/VBoxDD.so
0x00007f3acdb9b000 0x00007f3ace201000 rw-p    mapped
(...)

Suggested Fixes

Three main causes exist in this vulnerability.

  1. An invalid surface, which has a non-zero mipmap size and zero cBlocks* and cbSurfacePitch, can be defined.
  2. A texture can be bound to an invalid surface.
  3. No check for the divisor, which is cbGuestPitch, in DMA command.

Fixing this vulnerability depends on the design choice that developers make. There are two options to fix this vulnerability.

  1. Deallocate the surface when defining a surface fails.
  2. Validate mipmaps of surfaces whether they have proper fields whenever surfaces are used in commands. For this vulnerability, there are problems in vmsvga3dSurfaceStretchBlt, vmsvga3dBackCreateTexture, and vmsvga3dSurfaceDMA. However, other commands may also contain problems.

Proof-of-Concept

Environment

Proof-of-Concept code is tested on VirtualBox 6.1.16 version (recent version in 2020-11-20), Linux distribution. Version for host and guest OSes are Ubuntu 20.04.1 desktop, but other OSes except Windows are supposed to work as well. 3D acceleration under display option should be turned on, and graphics controller option should remain VMSVGA, which is the default setting for display in Linux distribution.

Running PoC code

https://github.com/candymate/pwn/tree/master/CVE/CVE-2021-2127

PoC code should be run inside a guest. Thus, download the attached file inside a guest and extract the file.

libpciaccess-dev should be installed first to run the attached code. Run sudo apt install libpciaccess-dev first before running the code.

After installing the library, run make to compile the code. Next, run the compiled code with root privilege. (Do sudo ./poc)

Additional Information

Most of the codes are based on one of released PoC codes, which are in https://github.com/renorobert/virtualbox-vmsvga-bugs.

Software Download Link

VirtualBox release can be downloaded in https://www.virtualbox.org/wiki/Downloads. Linux distribution needs to be downloaded for this vulnerability. (PoC code is tested on Ubuntu 20.04.1 desktop for guest and host OSes)

Ubuntu 20.04.1 desktop image can be downloaded in https://releases.ubuntu.com/20.04/. This may be optional.


Patch

Patched at 6.1.18. Allocation (or Definition) of invalid surfaces is now prohibited. (See VBox/Devices/Graphics/DevVGA-SVGA3d.cpp)

 

  1. candymate 2021.02.18 20:19 신고

    Added PoC Code : https://github.com/candymate/pwn/tree/master/CVE/CVE-2021-2127

+ Recent posts