Menu

Search for hundreds of thousands of exploits

"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation"

Author

Exploit author

"Google Security Research"

Platform

Exploit platform

windows

Release date

Exploit published date

2019-04-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
VirtualBox: COM RPC Interface Code Injection Host EoP
Platform: VirtualBox 6.0.4 r128413 x64 on Windows 10 1809
Class: Elevation of Privilege

Summary: 

The hardened VirtualBox process on a Windows host doesnt secure its COM interface leading to arbitrary code injection and EoP.

Description:

This issue is similar in scope to others Ive reported such as S0867394/CVE-2017-10204. It allows you to call arbitrary code inside the hardened process which can expose the kernel drivers to normal user processes resulting in EoP. Im assuming that this is still an issue youd like to fix?

The VirtualBox hardening code allows other processes running as the same user to read all virtual memory by granting the PROCESS_VM_READ access right. It isnt obvious that this could result in arbitrary code execution, except that VirtualBox initializes out-of-process COM and by extension exposes an RPC interface. With access to read arbitrary memory from such a process its possible to call existing interfaces running inside the VirtualBox process such as the undocumented IRundown interface which COM uses for various infrastructure tasks. This interface has a DoCallback method which will execute an arbitrary function in the process with a single arbitrary pointer sized argument.

You can get more details from my blog about using this technique as a mechanism to bypass Windows Protected Processes, https://googleprojectzero.blogspot.com/2018/11/injecting-code-into-windows-protected.html. In this case we dont need to abuse an old version of WERFault to dump memory as the hardening driver allows us to do just read memory.

To fix this issue you might want to block PROCESS_VM_READ access entirely, its not clear if this is a necessary access right for something or just because it didnt seem to be dangerous. Id also call CoInitializeSecurity at process start and pass an security descriptor to the pSecDesc parameter which limits access to administrators and perhaps service accounts. However be careful if you decide to only initialize CoInitializeSecurity as its process wide and has weird behaviors which might result in the security descriptor getting unset. Id probably call the API every time you call CoInitialize just in case.

Proof of Concept:

Ive provided a PoC as a C# project. It will use the vulnerability to call ExitProcess with the exit code 12345678 inside a VirtualBox process. Note that by default its designed to work out of the box on Windows 10 1809 x64 updated to March 2019. It will fallback to trying to lookup symbol addresses using the DBGHELP library if the combase DLL doesnt match, however youll need to have cached the symbols for combase inside C:\ProgramData\dbg\sym. You can do this by running the symchk tool from a Debugging Tools for Windows installation and passing the path to the x64 version of combase.

1) Compile the C# project using Visual Studio 2017. Itll need to pull NtApiDotNet from NuGet to build.
2) Start a virtual machine and note the PID of the hardened VirtualBox process.
3) As a normal user run the PoC passing the PID of the hardened VirtualBox process.

Expected Result:
The PoC fails to call code inside the target process.

Observed Result:
The PoC executes ExitProcess inside the hardened process and verifies the return code once the process exits.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46747.zip
Release DateTitleTypePlatformAuthor
2020-02-20"Core FTP Lite 1.3 - Denial of Service (PoC)"doswindows"berat isler"
2020-02-20"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)"webappsphpindoushka
2020-02-19"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak"webappshardwarebyteGoblin
2020-02-19"Virtual Freer 1.58 - Remote Command Execution"webappsphpSajjadBnd
2020-02-19"DBPower C300 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-18"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting"webappsphp"Ultra Security Team"
2020-02-17"SOPlanning 1.45 - 'by' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-17"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"SOPlanning 1.45 - 'users' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-17"Avaya Aura Communication Manager 5.2 - Remote Code Execution"webappshardware"Sarang Tumne"
2020-02-17"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting"webappsphp"Ashkan Moghaddas"
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation"localwindowsnu11secur1ty
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"LabVantage 8.3 - Information Disclosure"webappsjava"Joel Aviad Ossi"
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
Release DateTitleTypePlatformAuthor
2020-02-20"Core FTP Lite 1.3 - Denial of Service (PoC)"doswindows"berat isler"
2020-02-17"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation"localwindowsnu11secur1ty
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-10"Dota 2 7.23f - Denial of Service (PoC)"doswindows"Bogdan Kurinnoy"
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-10"Ricoh Driver - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-07"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-06"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)"doswindowschuyreds
Release DateTitleTypePlatformAuthor
2020-02-10"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()"dosmultiple"Google Security Research"
2020-02-10"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init"doslinux"Google Security Research"
2020-01-28"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image"dosmultiple"Google Security Research"
2020-01-14"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM"dosandroid"Google Security Research"
2020-01-14"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN"dosandroid"Google Security Research"
2019-12-18"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()"dosmacos"Google Security Research"
2019-12-16"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds"locallinux"Google Security Research"
2019-12-11"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font"doswindows"Google Security Research"
2019-11-22"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache"localmacos"Google Security Research"
2019-11-22"Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback"doswindows"Google Security Research"
2019-11-20"Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path"doslinux"Google Security Research"
2019-11-20"iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd"dosios"Google Security Research"
2019-11-20"Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs"doslinux"Google Security Research"
2019-11-11"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address"dosmultiple"Google Security Research"
2019-11-11"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream"doswindows"Google Security Research"
2019-11-11"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)"doswindows"Google Security Research"
2019-11-05"macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()"dosmacos"Google Security Research"
2019-11-05"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive"dosmultiple"Google Security Research"
2019-11-05"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects"dosmultiple"Google Security Research"
2019-10-30"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation"dosmultiple"Google Security Research"
2019-10-28"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed"dosmultiple"Google Security Research"
2019-10-21"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)"doswindows"Google Security Research"
2019-10-10"Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-09"XNU - Remote Double-Free via Data Race in IPComp Input Path"dosmacos"Google Security Research"
2019-10-04"Android - Binder Driver Use-After-Free"localandroid"Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46747/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse