SSD Advisory – VirtualBox VRDP Guest-to-Host Escape
Credit to Author: SSD / Ori Nimron | Date: Mon, 20 Aug 2018 06:00:52 +0000
Vulnerability Summary
VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS IP address.
The VRDP server is composed of two parts: a high-level part, which is open source, resides in the VirtualBox source tree and is responsible for display management, and a low-level part, shipped with the Extension Pack, which is the actual RDP server conforming to the RDP specifications.
The vulnerability is in the high-level part. It can be triggered when the RDP connection to a Windows guest is closed, i.e. when the window of the RDP client application (rdesktop or Microsoft Remote Desktop, for example) is closed.
While the crashing bug was reported to the VirtualBox tracker (https://www.virtualbox.org/ticket/16444), it was never considered a security vulnerability and is not marked as one. At the time of writing this post the ticket is 15 months old and still marked as unresolved.
Prerequisites to exploit the vulnerability:
- VirtualBox Extension Pack installed on the host (it is required to enable the VRDP server)
- VRDP server enabled
- 3D acceleration enabled
- Windows 10 as a guest
The vulnerability can probably be triggered from other guest OSes as well, because the code involved is part of the Guest Additions driver, which is not specific to Windows.
Credit
An independent security researcher, Sergey Zelenyuk, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Affected systems
VirtualBox version 5.2.10
Vendor response
We reported this vulnerability to Oracle. Their latest update is that they are still looking into it, while in fact the latest release, Oracle VirtualBox 5.2.18, has silently introduced a patch without crediting or mentioning the vulnerability report. We do not know at this time whether the fix was intentional (addressing our report) or made for some other reason; the change log does mention: “VRDP: fixed VM process termination on RDP client disconnect if 3D is enabled for the virtual machine”.
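A quick way to tell whether a host is in the configuration the prerequisites above describe and still runs a release older than 5.2.18, the version whose changelog entry is quoted above. This is an added example, not code from the advisory or from VirtualBox: it reads the output of three VBoxManage commands (`showvminfo --machinereadable`, `list extpacks` and `--version`) and reports which precondition is missing. The sample output embedded at the bottom is constructed to look like those commands' output, not captured from a real host, and the VM name win10-test is made up.

```shell
#!/bin/sh
# Added example (not part of the SSD advisory or of VirtualBox): check whether a
# VM matches the advisory's preconditions (Extension Pack present, VRDP enabled,
# 3D acceleration enabled) on a VirtualBox older than 5.2.18.

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# vrdp_exposed VMINFO EXTPACKS VERSION
#   VMINFO   : output of `VBoxManage showvminfo <vm> --machinereadable`
#   EXTPACKS : output of `VBoxManage list extpacks`
#   VERSION  : output of `VBoxManage --version`, e.g. 5.2.10r122088
# Succeeds (exit 0) only when every precondition holds; prints the ones that do not.
vrdp_exposed() {
    vminfo=$1; extpacks=$2; version=$3
    ver=${version%%_*}; ver=${ver%%r*}   # "5.2.18_Ubuntur124319" -> "5.2.18"
    ok=1
    printf '%s\n' "$vminfo" | grep -qx 'vrde="on"' \
        || { echo "VRDP server disabled"; ok=0; }
    printf '%s\n' "$vminfo" | grep -qx 'accelerate3d="on"' \
        || { echo "3D acceleration disabled"; ok=0; }
    printf '%s\n' "$extpacks" | grep -q 'Oracle VM VirtualBox Extension Pack' \
        || { echo "Extension Pack (provides the VRDP server) not installed"; ok=0; }
    version_lt "$ver" "5.2.18" \
        || { echo "VirtualBox $ver is not older than 5.2.18"; ok=0; }
    # Guest type is informational only: the advisory tested Windows 10 but
    # expects other guests to be affected as well.
    guest=$(printf '%s\n' "$vminfo" | sed -n 's/^ostype="\(.*\)"$/\1/p')
    case $guest in
        Windows10*) echo "guest $guest: the advisory's tested configuration" ;;
        *)          echo "guest ${guest:-unknown}: not the tested guest, may still be affected" ;;
    esac
    if [ "$ok" -eq 1 ]; then return 0; fi
    return 1
}

# Live use on a host (assumes VBoxManage is on PATH): check_vm <vmname>
check_vm() {
    vrdp_exposed "$(VBoxManage showvminfo "$1" --machinereadable)" \
                 "$(VBoxManage list extpacks)" \
                 "$(VBoxManage --version)"
}

# Constructed sample output (not captured from a real host), shaped like the
# real commands' output so the check can be exercised offline.
SAMPLE_VMINFO='name="win10-test"
ostype="Windows10_64"
accelerate3d="on"
vrde="on"
vrdeport="3389"'
SAMPLE_EXTPACKS='Extension Packs: 1
Pack no. 0:   Oracle VM VirtualBox Extension Pack
Version:      5.2.10
Revision:     122088
VRDE Module:  VBoxVRDP
Usable:       true'

if vrdp_exposed "$SAMPLE_VMINFO" "$SAMPLE_EXTPACKS" "5.2.10r122088"; then
    echo "EXPOSED: all preconditions from the advisory hold"
else
    echo "not exposed"
fi
```

The version check is the only part that encodes a judgement from this page (5.2.18 as the first release carrying the disconnect fix); the other three checks are just the prerequisites list applied to VBoxManage output. On a live host, `check_vm <vmname>` is the entry point.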
Vulnerability Analysis
General analysis
The vulnerability consists of two parts: a type confusion and a use-after-free (UAF). It is not clear which of them is the bug and which was the developer's intention. We discuss them separately below, in the Root Cause Analysis subsection.
Starting from the end: when the RDP connection is being closed, we gain control at the following place in the /VirtualBox-5.2.8/src/VBox/Main/src-client/ConsoleVRDPServer.cpp file, line 1994 (ConsoleVRDPServer::H3DORVisibleRegion):
The corresponding assembly in the VBoxC.so library (comments added after the instructions describe what each one does with the instance pointer):
.text:0000000000100DF0 ; void __fastcall ConsoleVRDPServer::H3DORVisibleRegion(void *H3DORInstance, uint32_t cRects, const void *paRects)
.text:0000000000100DF0 ConsoleVRDPServer__H3DORVisibleRegion proc near
.text:0000000000100DF0
.text:0000000000100DF0
.text:0000000000100DF0 var_10 = dword ptr -10h
.text:0000000000100DF0 var_C = dword ptr -0Ch
.text:0000000000100DF0 var_8 = dword ptr -8
.text:0000000000100DF0 var_4 = dword ptr -4
.text:0000000000100DF0
.text:0000000000100DF0 ; __unwind {
.text:0000000000100DF0 push rbp
.text:0000000000100DF1 mov rax, rdi                   ; rax = H3DORInstance (first argument)
.text:0000000000100DF4 mov rbp, rsp
.text:0000000000100DF7 sub rsp, 10h
.text:0000000000100DFB test esi, esi                  ; cRects == 0 ?
.text:0000000000100DFD jz short loc_100E10            ; zero-rectangle path, not shown here
.text:0000000000100DFF mov rax, [rax]                 ; rax = first qword of the instance: a pointer to an object
.text:0000000000100E02 mov rdi, [rdi+8]               ; rdi = second qword of the instance, becomes the callee's first argument
.text:0000000000100E06 call qword ptr [rax+320h]      ; indirect call through a function pointer at offset 0x320 in that object; esi (cRects) and rdx (paRects) are passed through unchanged
.text:0000000000100E0C leave
.text:0000000000100E0D retn
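The two loads and the indirect call above are the values worth watching when the RDP client disconnects, and the next section does exactly that by stopping at the function and taking a stack trace. The following script automates that step with gdb on a Linux host; it is an added example, not tooling from the advisory or from VirtualBox. It assumes a self-built VirtualBox with symbols (stock Oracle builds are hardened and refuse ptrace attachment, which is why the advisory uses its own binaries), gdb and pgrep on PATH, and that the VM process carries "--comment <vmname>" on its command line; that last assumption should be verified with ps on the host before relying on it.

```shell
#!/bin/sh
# Added example (not part of the SSD advisory or of VirtualBox): break on
# ConsoleVRDPServer::H3DORVisibleRegion in a running VM process and dump what the
# callback reads, plus a backtrace, on every hit.

# write_gdb_script FILE: emit gdb commands that stop on the callback and, at each
# hit, print the three arguments the assembly consumes (rdi = instance,
# esi = cRects, rdx = paRects), the two qwords the callback loads from the
# instance ([rdi] and [rdi+8]) and a full backtrace, then resume the VM.
write_gdb_script() {
    cat > "$1" <<'EOF'
set pagination off
set breakpoint pending on
break ConsoleVRDPServer::H3DORVisibleRegion
commands
  silent
  printf "H3DORVisibleRegion: instance=0x%lx cRects=%u paRects=0x%lx\n", $rdi, $esi, $rdx
  x/2gx $rdi
  bt
  continue
end
continue
EOF
}

# vm_pid NAME: PID of the VM process for NAME (assumes "--comment NAME" is on
# its command line), failing when no such process exists.
vm_pid() {
    pgrep -f -- "--comment $1 " | head -n 1 | grep .
}

# trace_vrdp_disconnect NAME [OUTFILE]: attach to the VM, then close the RDP
# client; every hit of the callback, including those on disconnect, is written
# to OUTFILE. Needs ptrace permission on the VM process.
trace_vrdp_disconnect() {
    vm=$1; out=${2:-vrdp-$1.trace}
    pid=$(vm_pid "$vm") || { echo "no running VM process for '$vm'" >&2; return 1; }
    script=$(mktemp) || return 1
    write_gdb_script "$script"
    # -batch runs the script non-interactively; the final "continue" keeps the
    # VM running until it exits or the trace is interrupted with Ctrl-C.
    gdb -q -batch -p "$pid" -x "$script" 2>&1 | tee "$out"
    rm -f "$script"
}
```

Usage on a host with a running VM: `trace_vrdp_disconnect win10-test`, then close rdesktop or Microsoft Remote Desktop and read the last hits in vrdp-win10-test.trace. The `x/2gx $rdi` line shows the object pointer and the handle the callback is about to use, which is what a type confusion or use-after-free on the instance would corrupt.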
Root Cause Analysis
Stopping at ConsoleVRDPServer::H3DORVisibleRegion, we get the following stack trace (here we use binaries with symbols that we compiled ourselves rather than those downloaded from the VirtualBox website):