This article describes the Oracle VirtualBox escape vulnerabilities used at Pwn2Own 2020. Both vulnerabilities affect Oracle VirtualBox 6.1.4 and earlier versions.
0x01 Vulnerability Analysis
The exploit chain consists of two vulnerabilities:
· Intel PRO 1000 MT Desktop (E1000) network adapter - out-of-bounds read vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-20-581/
· Open Host Controller Interface (OHCI) USB controller - uninitialized variable vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-20-582/
1. E1000 out-of-bounds read vulnerability
More information on the internal workings of the E1000 network adapter can be found here:
https://github.com/hongphipham95/Vulnerabilities/blob/master/VirtualBox/Oracle VirtualBox Intel PRO 1000 MT Desktop - Integer Underflow Vulnerability/Oracle VirtualBox Intel PRO 1000 MT Desktop - Integer Underflow Vulnerability.md
When sending an Ethernet frame through the E1000 network adapter, we can control whether an IP checksum is inserted by setting the IXSM bit in the option field of the data descriptor:
// VirtualBox-6.1.4\src\VBox\Devices\Network\DevE1000.cpp:5191
static bool e1kLocateTxPacket(PE1KSTATE pThis)
{
    ...
    E1KTXDESC *pDesc = &pThis->aTxDescriptors[i];
    switch (e1kGetDescType(pDesc))
    {
        ...
        case E1K_DTYP_DATA:
            ...
            if (cbPacket == 0)
            {
                /*
                 * The first fragment: save IXSM and TXSM options
                 * as these are only valid in the first fragment.
                 */
                pThis->fIPcsum  = pDesc->data.dw3.fIXSM;
                pThis->fTCPcsum = pDesc->data.dw3.fTXSM;
                fTSE = pDesc->data.cmd.fTSE;
            ...
}
With the pThis->fIPcsum flag set, the IP checksum is inserted into the Ethernet frame:
// VirtualBox-6.1.4\src\VBox\Devices\Network\DevE1000.cpp:4997
static int e1kXmitDesc(PPDMDEVINS pDevIns, PE1KSTATE pThis, PE1KSTATECC pThisCC, E1KTXDESC *pDesc,
                       RTGCPHYS addr, bool fOnWorkerThread)
{
    ...
    switch (e1kGetDescType(pDesc))
    {
        ...
        case E1K_DTYP_DATA:
        {
            STAM_COUNTER_INC(pDesc->data.cmd.fTSE?
                             &pThis->StatTxDescTSEData:
                             &pThis->StatTxDescData);
            E1K_INC_ISTAT_CNT(pThis->uStatDescDat);
            STAM_PROFILE_ADV_START(&pThis->CTX_SUFF_Z(StatTransmit), a);
            if (pDesc->data.cmd.u20DTALEN == 0 || pDesc->data.u64BufAddr == 0)
            {
                ...
            }
            else
            {
                ...
                else if (!pDesc->data.cmd.fTSE)
                {
                    ...
                    if (pThis->fIPcsum)
                        e1kInsertChecksum(pThis, (uint8_t *)pThisCC->CTX_SUFF(pTxSg)->aSegs[0].pvSeg, pThis->u16TxPktLen,
                                          pThis->contextNormal.ip.u8CSO,
                                          pThis->contextNormal.ip.u8CSS,
                                          pThis->contextNormal.ip.u16CSE);
The function e1kInsertChecksum() computes the checksum and writes it into the frame. The u8CSO, u8CSS and u16CSE fields of pThis->contextNormal are taken from a context descriptor, so they are under guest control:
// VirtualBox-6.1.4\src\VBox\Devices\Network\DevE1000.cpp:5158
DECLINLINE(void) e1kUpdateTxContext(PE1KSTATE pThis, E1KTXDESC *pDesc)
{
    if (pDesc->context.dw2.fTSE)
    {
        ...
    }
    else
    {
        pThis->contextNormal = pDesc->context;
        STAM_COUNTER_INC(&pThis->StatTxDescCtxNormal);
    }
    ...
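The two excerpts above show the pattern that matters for a device emulator: the checksum start (CSS), checksum offset (CSO) and checksum end (CSE) come straight from a guest-written context descriptor and are then used as indices into the host-side frame buffer of length u16TxPktLen. The following is an added example, not VirtualBox's code, that models this descriptor-driven checksum insertion and shows the bounds checks an emulator must apply to each guest-supplied index before reading or writing the buffer. The struct tx_ctx_t, the functions, the sample IPv4 header and the rule that CSE = 0 means "sum to the end of the packet" are all assumptions of this model; only the field names u8CSS, u8CSO and u16CSE are taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not VirtualBox code: a model of descriptor-driven checksum
 * insertion. The field names mirror those quoted from DevE1000.cpp (u8CSS,
 * u8CSO, u16CSE); the struct, functions and sample frame are hypothetical. */
typedef struct {
    uint8_t  u8CSS;   /* checksum start: first byte covered by the sum      */
    uint8_t  u8CSO;   /* checksum offset: where the 16-bit result is stored  */
    uint16_t u16CSE;  /* checksum end: last byte covered; 0 = end of packet  */
} tx_ctx_t;

/* RFC 1071 one's-complement checksum over buf[start..end] inclusive.
 * Caller guarantees start <= end < buffer length. */
static uint16_t ones_complement_sum(const uint8_t *buf, size_t start, size_t end)
{
    uint32_t sum = 0;
    size_t i;
    for (i = start; i + 1 <= end; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (i == end)                          /* odd trailing byte */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)                      /* fold carries back in */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hardened insertion: every guest-supplied index is checked against the real
 * packet length before the frame buffer is read or written. */
bool insert_checksum_checked(uint8_t *pkt, uint16_t pkt_len, const tx_ctx_t *ctx)
{
    size_t css = ctx->u8CSS;
    size_t cso = ctx->u8CSO;
    size_t cse = ctx->u16CSE;

    if (pkt_len == 0)
        return false;
    if (cse == 0)                          /* modelling assumption: 0 = "to end of packet" */
        cse = (size_t)pkt_len - 1;
    if (css >= pkt_len || cse >= pkt_len)  /* sum would read past the frame */
        return false;
    if (cse < css)                         /* inverted range */
        return false;
    if (cso + 2 > pkt_len)                 /* result would be written past the frame */
        return false;

    uint16_t sum = ones_complement_sum(pkt, css, cse);
    pkt[cso]     = (uint8_t)(sum >> 8);
    pkt[cso + 1] = (uint8_t)(sum & 0xffu);
    return true;
}

/* Constructed sample: a 20-byte IPv4 header with its checksum field zeroed.
 * The correct header checksum for these bytes is 0xb861. */
static const uint8_t k_ipv4_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* Well-formed descriptor: sum bytes 0..19, store the result at offset 10. */
uint16_t demo_ipv4_checksum(void)
{
    uint8_t frame[sizeof k_ipv4_hdr];
    memcpy(frame, k_ipv4_hdr, sizeof frame);
    tx_ctx_t ctx = { .u8CSS = 0, .u8CSO = 10, .u16CSE = 19 };
    if (!insert_checksum_checked(frame, sizeof frame, &ctx))
        return 0;
    return (uint16_t)((frame[10] << 8) | frame[11]);
}

/* Descriptors whose indices exceed the 20-byte frame must be rejected rather
 * than cause a read or write beyond it. Returns true if all are rejected. */
bool demo_rejects_out_of_range(void)
{
    uint8_t frame[sizeof k_ipv4_hdr];
    memcpy(frame, k_ipv4_hdr, sizeof frame);
    tx_ctx_t end_past   = { .u8CSS = 0,  .u8CSO = 10, .u16CSE = 200 }; /* CSE past frame   */
    tx_ctx_t start_past = { .u8CSS = 40, .u8CSO = 10, .u16CSE = 0 };   /* CSS past frame   */
    tx_ctx_t store_past = { .u8CSS = 0,  .u8CSO = 19, .u16CSE = 0 };   /* CSO+1 past frame */
    return !insert_checksum_checked(frame, sizeof frame, &end_past)
        && !insert_checksum_checked(frame, sizeof frame, &start_past)
        && !insert_checksum_checked(frame, sizeof frame, &store_past);
}

int main(void)
{
    printf("checksum inserted: 0x%04x\n", demo_ipv4_checksum());
    printf("out-of-range descriptors rejected: %s\n",
           demo_rejects_out_of_range() ? "yes" : "no");
    return 0;
}
```

The important design point is that all four comparisons are made against the actual packet length passed alongside the buffer, not against any value the guest wrote into the descriptor, and that the write position is checked for two bytes rather than one. A fuzzer targeting a device model like this should drive CSS, CSO and CSE independently across their full 8- and 16-bit ranges for short frames, since that is exactly the input space the guest controls.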