CVE-2017-10204 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1257 VirtualBox: Windows Process DLL Signature Bypass EoP Platform: VirtualBox v5.1.22 r115126 x64 (Tested on Windows 10) Class: Elevation of Privilege Summary: The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process giving access to the VBoxDrv driver which can allow routes to EoP from a normal user. Description: NOTE: I don’t know if you consider this an issue or not, however you fixed the last bypass I sent so it’s possible you still consider it a security boundary. The ring 3 process hardening in VirtualBox adds three hooks to module loading to try and prevent untrusted code being loaded into the process, LdrLoadDll, NtCreateSection and a LDR DLL notification. Each will try and verify a DLL load and either reject the load with an error or kill the process is it’s not possible to prevent it from occurring. Looking at the hooks there a couple of issues which when combined together allow a user to inject an arbitrary DLL into a protected process. The location checks are not very rigorous. As far as I can tell arbitrary files need to be owned by an admin/trustedinstaller but this check is waived if the file is in system32/WinSxS. However this doesn’t take into account that there are some directories which can be written to inside system32 such as Tasks. The code to enforce specific certificates doesn’t seem to be enabled so at the very least combined with 1, you can load any validly signed file. It might be considered that 2 isn’t an issue as getting a signing cert could be a sufficient burden for a “malicious” attacker, so instead it’s worth considering what else the weak path checking allows you to do. The handling of DLL paths has some interesting behaviours, most interestingly there’s the behaviour where if no file extension is added to the path then the loader will automatically append .DLL to it. This is actually implemented inside LdrLoadDll, this leads to our third problem: 3. If the path passed to LdrLoadDll doesn’t have an extension then the protection code will signature check the extension less file but the loader will load the file with a .DLL extension. E.g. if trying to load \path\abc then \path\abc is signature checked but \path\abc.dll is loaded. When combined with the ability to bypass the owner check we can drop an arbitrary valid signed file alongside our untrusted DLL and exploit this TOCTOU to load an arbitrary unsigned DLL. The following will show inside the VboxHardening.log when loading the file testdll. 2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Owner is not trusted installer 2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32). 2064.492c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll) WinVerifyTrust 2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll 2064.492c: supR3HardenedMonitor_LdrLoadDll: pName=c:\windows\system32\tasks\dummy\testdll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000002009:<flags> [calling] This shows that it successfully passed the signature check inside the LdrLoadDll hook, however one of the other hooks should try and recheck the real testdll.dll file when it gets loaded instead. As the name of this file won’t match the cached signature check it should still fail to complete loading. This is where the fourth issue comes in: 4. When doing the check inside supHardenedWinVerifyImageByHandle with WinVerifyTrust disabled (i.e. when in the DLL load notification hook) and the target file has no signature information an incorrect error code is returned which looks like success leading to the DLL being allowed to load and execute. Specifically when supR3HardenedDllNotificationCallback is called it passes true to the fAvoidWinVerifyTrust parameter of supR3HardenedScreenImage. This first uses the RT code to check if the file is signed or not, if we use an unsigned file then this will return the error VERR_LDRVI_NOT_SIGNED (-22900). Later in supHardenedWinVerifyImageByLdrMod this error is checked and the function supHardNtViCheckIfNotSignedOk is called. This seems to result in the error coding changing from an error to VINF_LDRVI_NOT_SIGNED (22900) which is actually a success code. Normally this would be overridden again by the call to WinVerifyTrust but because that’s disabled the final result of this process is the DLL notification callback thinks the signature check was successful even though it wasn’t. This results in the DLL being allowed to complete loading. For example the following is a snippet of the output when the bypass occurs. 2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Owner is not trusted installer 2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32). 2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'user32.dll'. 2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #2 'advapi32.dll'. 2064.492c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll) 2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll 2064.492c: supR3HardenedDllNotificationCallback: load 00007ff8a8600000 LB 0x00027000 c:\windows\system32\tasks\dummy\testdll.DLL [fFlags=0x0] 2064.492c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll [avoiding WinVerifyTrust] 2064.492c: Detected loader lock ownership: rc=Unknown Status 22900 (0x5974) '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll'. 2064.492c: supR3HardenedWinVerifyCacheProcessWvtTodos: 22900 (was 22900) fWinVerifyTrust=0 for '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll' [rescheduled] This combination of issues results in being able to inject arbitrary executable code into a VirtualBox protected process and access the resources such as the kernel driver that this would provide. Proof of Concept: I’ve provided a PoC DLL which will be loaded through abusing the VBox COM Client loading process in source form. I’ve also provided a registry file which will need to be imported. Prerequisites: The DLL must be compiled in release mode for the architecture you’re going to run VirtualBox on. Then follow these steps: 1) Create the directory c:\windows\system32\tasks\dummy on the command line using ‘mkdir c:\windows\system32\tasks\dummy’ 2) Import the provided .reg file to setup the COM hijack using the command line ‘reg import keys.reg’ 3) Copy a valid signed file (such as VirtualBox.exe) to the file c:\windows\system32\tasks\dummy\testdll. 4) Copy the compiled PoC dll to c:\windows\system32\tasks\dummy\testdll.dll. 5) Start a VM. Each process the DLL is injected into will show a message box. This will include the protected VirtualBox.exe process. Expected Result: Untrusted DLL loading should fail inside a protected process. Observed Result: DLL is loaded into the protected process. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42425.zip

VirtualBox: COM RPC Interface Code Injection Host EoP Platform: VirtualBox 6.0.4 r128413 x64 on Windows 10 1809 Class: Elevation of Privilege Summary: The hardened VirtualBox process on a Windows host doesn’t secure its COM interface leading to arbitrary code injection and EoP. Description: This issue is similar in scope to others I’ve reported such as S0867394/CVE-2017-10204. It allows you to call arbitrary code inside the hardened process which can expose the kernel drivers to normal user processes resulting in EoP. I’m assuming that this is still an issue you’d like to fix? The VirtualBox hardening code allows other processes running as the same user to read all virtual memory by granting the PROCESS_VM_READ access right. It isn’t obvious that this could result in arbitrary code execution, except that VirtualBox initializes out-of-process COM and by extension exposes an RPC interface. With access to read arbitrary memory from such a process it’s possible to call existing interfaces running inside the VirtualBox process such as the undocumented IRundown interface which COM uses for various infrastructure tasks. This interface has a DoCallback method which will execute an arbitrary function in the process with a single arbitrary pointer sized argument. You can get more details from my blog about using this technique as a mechanism to bypass Windows Protected Processes, https://googleprojectzero.blogspot.com/2018/11/injecting-code-into-windows-protected.html. In this case we don’t need to abuse an old version of WERFault to dump memory as the hardening driver allows us to do just read memory. To fix this issue you might want to block PROCESS_VM_READ access entirely, it’s not clear if this is a necessary access right for something or just because it didn’t seem to be dangerous. I’d also call CoInitializeSecurity at process start and pass an security descriptor to the pSecDesc parameter which limits access to administrators and perhaps service accounts. However be careful if you decide to only initialize CoInitializeSecurity as it’s process wide and has weird behaviors which might result in the security descriptor getting unset. I’d probably call the API every time you call CoInitialize just in case. Proof of Concept: I’ve provided a PoC as a C# project. It will use the vulnerability to call ExitProcess with the exit code ‘12345678’ inside a VirtualBox process. Note that by default it’s designed to work out of the box on Windows 10 1809 x64 updated to March 2019. It will fallback to trying to lookup symbol addresses using the DBGHELP library if the combase DLL doesn’t match, however you’ll need to have cached the symbols for combase inside C:\ProgramData\dbg\sym. You can do this by running the ‘symchk’ tool from a Debugging Tools for Windows installation and passing the path to the x64 version of combase. 1) Compile the C# project using Visual Studio 2017. It’ll need to pull NtApiDotNet from NuGet to build. 2) Start a virtual machine and note the PID of the hardened VirtualBox process. 3) As a normal user run the PoC passing the PID of the hardened VirtualBox process. Expected Result: The PoC fails to call code inside the target process. Observed Result: The PoC executes ExitProcess inside the hardened process and verifies the return code once the process exits. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46747.zip