xorl %eax, %eax

CVE-2009-3692: VirtualBox VBoxNetAdpCtl Privilege Escalation


This vulnerability was disclosed by Sun Microsystems on 6 October 2009. The bug is fairly straightforward to spot. Here it is…

#define VBOXADPCTL_IFCONFIG_PATH "/sbin/ifconfig"
    ...
static bool removeAddresses(const char *pszAdapterName)
{
    char szCmd[1024], szBuf[1024];
    char aszAddresses[MAX_ADDRESSES][MAX_ADDRLEN];

    memset(aszAddresses, 0, sizeof(aszAddresses));
    /* The adapter name is pasted verbatim into a shell command line... */
    snprintf(szCmd, sizeof(szCmd), VBOXADPCTL_IFCONFIG_PATH " %s", pszAdapterName);
    /* ...which popen(3) hands to /bin/sh -c, metacharacters and all. */
    FILE *fp = popen(szCmd, "r");

    if (!fp)
        return false;
    ...
    return true;
}
    ...
int main(int argc, char *argv[])
{
    const char *pszAdapterName;
    ...
    /* Taken straight from the command line of a SUID root binary. */
    pszAdapterName = argv[1];
    ...
    if (fRemove)
    ...
    }
    else
    {
        /* We are setting/replacing address. */
    ...
        if (!removeAddresses(pszAdapterName))
    ...
    return rc;
}

So, as you can see, the user-controlled ‘pszAdapterName’ from main() is used in removeAddresses(), where snprintf() builds a string similar to “/sbin/ifconfig DEVICE”. Since popen(3) passes that string to the shell, a malicious user can inject shell metacharacters into the adapter name and execute arbitrary commands with the privileges of the VBoxNetAdpCtl utility. This utility is installed as a SUID root binary by default.
This was patched by completely removing the buggy popen(3) call and replacing it with execve(2), along with a new routine named checkAdapterName() which performs some basic checks on the given argument.

int checkAdapterName(const char *pcszNameIn, char *pszNameOut)
{
    int iAdapterIndex = -1;

    /* Bound the length, then require the name to parse as vboxnet<0..99>. */
    if (   strlen(pcszNameIn) >= VBOXNETADP_MAX_NAME_LEN
        || sscanf(pcszNameIn, "vboxnet%d", &iAdapterIndex) != 1
        || iAdapterIndex < 0 || iAdapterIndex > 99 )
    {
        fprintf(stderr, "Setting configuration for %s is not supported.\n", pcszNameIn);
        return ADPCTLERR_BAD_NAME;
    }
    /* Re-render the canonical name and insist it matches the input exactly,
     * so anything sscanf() silently tolerated (trailing junk, padding) is rejected. */
    sprintf(pszNameOut, "vboxnet%d", iAdapterIndex);
    if (strcmp(pszNameOut, pcszNameIn))
    {
        fprintf(stderr, "Invalid adapter name %s.\n", pcszNameIn);
        return ADPCTLERR_BAD_NAME;
    }

    return 0;
}
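To see what the final strcmp() round-trip in the patch buys over sscanf() alone, here is a small stand-alone harness I have added for this post (not VirtualBox's code; NAME_MAX_LEN is an assumed stand-in for VBOXNETADP_MAX_NAME_LEN). It feeds a few constructed names through a copy of the check with and without the final comparison:

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound: the real VBOXNETADP_MAX_NAME_LEN value is not given here. */
#define NAME_MAX_LEN 32
#define ERR_BAD_NAME 1

/* Modelled on the patched checkAdapterName(): parse the index, re-render the
 * canonical name, and accept only if it is byte-identical to the input. */
int check_adapter_name(const char *in, char *out, size_t out_len)
{
    int idx = -1;

    if (strlen(in) >= NAME_MAX_LEN
        || sscanf(in, "vboxnet%d", &idx) != 1
        || idx < 0 || idx > 99)
        return ERR_BAD_NAME;
    snprintf(out, out_len, "vboxnet%d", idx); /* patch uses sprintf; length check bounds it */
    return strcmp(out, in) ? ERR_BAD_NAME : 0;
}

/* The same check stopped after sscanf(), to show what the strcmp() adds. */
int sscanf_only_accepts(const char *in)
{
    int idx = -1;
    return strlen(in) < NAME_MAX_LEN
        && sscanf(in, "vboxnet%d", &idx) == 1
        && idx >= 0 && idx <= 99;
}

int name_is_valid(const char *in)
{
    char canon[NAME_MAX_LEN];
    return check_adapter_name(in, canon, sizeof canon) == 0;
}

int main(void)
{
    /* Constructed inputs; the third is the shape seen in the comments below. */
    const char *names[] = { "vboxnet0", "vboxnet99", "vboxnet0|./runme",
                            "vboxnet 5", "vboxnet+3", "vboxnet007", "vboxnet100" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s sscanf-only:%s  round-trip:%s\n", names[i],
               sscanf_only_accepts(names[i]) ? "accept" : "reject",
               name_is_valid(names[i]) ? "accept" : "reject");
    return 0;
}
```

sscanf() happily skips whitespace, accepts a sign and leading zeros, and ignores whatever follows the number; the round-trip comparison is what turns "looks like vboxnet<n>" into "is exactly vboxnet<n>".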

Written by xorl

October 13, 2009 at 23:58

Posted in bugs

7 Responses


  1. Great, you’re back !

    Nicob

    October 14, 2009 at 08:45

  2. So this doesn’t let you break out of VirtualBox guest.
    It allows a local user on the HOST to get root privileges.

    Lars

    October 14, 2009 at 09:34

  3. Nice to have you back, keep up the good work.

    slibah

    October 14, 2009 at 13:32

  4. Exactly Lars, it’s a common privilege escalation vulnerability. Nothing fancy.

    xorl

    October 14, 2009 at 18:36

  5. popen() is not buggy per se, the users not realizing it does something like system() (using sh) are. Of course some characters in that context have a special meaning unlike with execve() where you just execute something as the current process and no /bin/sh is involved.

    At least the code features snprintf and there is no (obvious) overflow :)

    fiction

    October 14, 2009 at 22:28

  6. It's worth noting that it is only in the IPv6 handling code when you try to “change” a virtual adapter's IP address. Additionally, as it's popen(), the default /bin/sh should be a non-privilege-dropping shell (not as common as you'd think!). I am sure you can see how trivial it is to exploit from this output.

    -(fantastic@fantastics-macbook)-(0)-(11:00 pm Thu Oct 15)->
    -(~/foo)-(9 files, 3544b)–> ./x
    [ Run ./sh after moron
    ifconfig: interface vboxnet0|./runme does not exist
    -(fantastic@fantastics-macbook)-(0)-(11:00 pm Thu Oct 15)->
    -(~/foo)-(9 files, 3544b)–> unset PS1
    ./sh
    # id
    uid=501(fantastic) gid=20(staff) euid=0(root)
    groups=20(staff),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),101(com.apple.sharepoint.group.1),401(com.apple.access_screensharing),102(com.apple.sharepoint.group.2)

    have fun! keep up the great blog!

    prdelka

    October 15, 2009 at 22:18

  7. prdelka

    October 16, 2009 at 20:27

