原文始发于MDSEC:CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox
VirtualBox is a popular open source, cross-platform, virtualization software developed by Oracle Corporation. Earlier this year we identified an arbitrary file move vulnerability in the VirtualBox system service service that could facilitate privilege escalation; here we’ll outline the steps used to discover and exploit this issue.
VirtualBox 是由 Oracle Corporation 开发的一款流行的开源、跨平台虚拟化软件。今年早些时候, VirtualBox system service 我们在服务中发现了一个任意文件移动漏洞,该漏洞可能有助于权限升级;在这里,我们将概述用于发现和利用此问题的步骤。
This vulnerability was also discovered by Naor Hodorov who is also credited in the Oracle Patch Advisory.
此漏洞也是由 Naor Hodorov 发现的,他也在 Oracle 补丁公告中受到认可。
Vulnerability Discovery 漏洞发现
After installing VirtualBox for Windows, a single user-land service is installed (VirtualBox system service) which runs as SYSTEM and is configured to start on-demand:
安装 VirtualBox for Windows 后,将安装单个 user-land 服务 ( VirtualBox system service ),该服务运行 SYSTEM 为按需启动:
PS C:\\tools> sc.exe qc VboxSDS
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VboxSDS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VirtualBox system service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
This service will create the directory C:\\ProgramData\\VirtualBox\\ for logging purposes.
此服务将创建 C:\\ProgramData\\VirtualBox\\ 用于日志记录的目录。
This directory is created without specifying explicit ACLs and as such inherits permissions from the parent directory (C:\\ProgramData) which allows users to create new files/folders:
此目录是在未指定显式 ACL 的情况下创建的,因此从父目录 ( C:\\ProgramData ) 继承权限,允许用户创建新文件/文件夹:
PS C:\\tools> cacls.exe C:\\ProgramData\\VirtualBox
C:\\ProgramData\\VirtualBox NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F
BUILTIN\\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\\Users:(OI)(CI)(ID)R
BUILTIN\\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
PS C:\\tools>
When the service is started, this folder will be populated with log files, these log files will inherit the directory permissions which will prevent low privileged users from modifying/removing them and as a consequence limits abuse of directory junctions, a popular primitive used when exploiting logic access bugs:
当服务启动时,此文件夹将填充日志文件,这些日志文件将继承目录权限,这将防止低特权用户修改/删除它们,从而限制目录联结的滥用,目录联结是利用逻辑访问错误时使用的常用原语:
PS C:\\tools> ls C:\\ProgramData\\VirtualBox\\
Directory: C:\\ProgramData\\VirtualBox
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2024 9:44 AM 0 VBoxSDS.log
-a---- 4/22/2024 9:43 AM 1924 VBoxSDS.log.1
-a---- 4/12/2024 1:49 AM 1924 VBoxSDS.log.10
-a---- 4/19/2024 5:32 PM 1924 VBoxSDS.log.2
-a---- 4/18/2024 10:41 AM 1281 VBoxSDS.log.3
-a---- 4/17/2024 11:27 PM 1924 VBoxSDS.log.4
-a---- 4/17/2024 10:20 PM 665 VBoxSDS.log.5
-a---- 4/17/2024 10:20 PM 1431 VBoxSDS.log.6
-a---- 4/15/2024 11:04 PM 1925 VBoxSDS.log.7
-a---- 4/15/2024 1:30 PM 665 VBoxSDS.log.8
-a---- 4/15/2024 1:30 PM 1431 VBoxSDS.log.9
PS C:\\tools> cacls.exe C:\\ProgramData\\VirtualBox\\VBoxSDS.log
C:\\ProgramData\\VirtualBox\\VBoxSDS.log NT AUTHORITY\\SYSTEM:(ID)F
BUILTIN\\Administrators:(ID)F
BUILTIN\\Users:(ID)R
PS C:\\tools>
Analysing the service during startup shows an interesting behaviour where by the VboxSDS service will perform file rename/move operation recursively inside the C:\\ProgramData\\VirtualBox directory.
在启动期间分析服务显示了一个有趣的行为,即 VboxSDS 服务将在 C:\\ProgramData\\VirtualBox 目录内递归地执行文件重命名/移动操作。
VboxSDS.log will become VboxSDS.log.1
VboxSDS.log 将成为 VboxSDS.log.1
VboxSDS.log.1 will become VboxSDS.log.2
VboxSDS.log.1 将成为 VboxSDS.log.2
If the only file inside directory is VboxSDS.log.10, it will be deleted:
如果目录中唯一的文件是 VboxSDS.log.10 ,它将被删除:
This can be abused to both delete files in the directory and perform an arbitrary file move.
这可以被滥用来删除目录中的文件和执行任意文件移动。
In order to clear the directory, we need to be able to start the service as a low privileged user and also the ability to stop/crash the service, as in most cases the directory will contain multiple log files.
为了清除目录,我们需要能够以低特权用户的身份启动服务,并且能够停止/崩溃服务,因为在大多数情况下,目录将包含多个日志文件。
Starting the service as a low privileged user can be achieved through COM. The VboxSDS service registers a COM server and whenever this COM class is initiated the service is started:
可以通过 COM 以低特权用户身份启动服务。该 VboxSDS 服务注册一个 COM 服务器,每当启动此 COM 类时,都会启动该服务:
PS C:\\tools> sc.exe queryex VboxSDS
SERVICE_NAME: VboxSDS
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
PS C:\\tools> [Activator]::CreateInstance([type]::GetTypeFromCLSID("74AB5FFE-8726-4435-AA7E-876D705BCBA5"))
System.__ComObject
PS C:\\tools> sc.exe queryex VboxSDS
SERVICE_NAME: VboxSDS
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 11364
FLAGS :
PS C:\\tools>
The easiest way we discovered to crash the service was to prevent it from creating the VboxSDS.log file.
我们发现使服务崩溃的最简单方法是阻止它创建 VboxSDS.log 文件。
This can be done in few different ways, however we believe the easiest is to create a directory named VboxSDS.log, meaning the subsequent call to CreateFile API will fail as it expects a file:
这可以通过几种不同的方式完成,但我们认为最简单的方法是创建一个名为 VboxSDS.log 的目录,这意味着对 CreateFile API 的后续调用将失败,因为它需要一个文件:
In order to win the race between moving and creating the VboxSDS.log file, an opportunistic lock is created on VboxSDS.log.11. This file does not normally exist but the service will try to delete it just before creating the VboxSDS.log file:
为了赢得移动和创建 VboxSDS.log 文件之间的竞争,在 VboxSDS.log.11 上创建了一个机会锁。此文件通常不存在,但服务将在创建 VboxSDS.log 文件之前尝试将其删除:
Building an Exploit 构建漏洞利用
With abilities to both clear the directory and start/crash the VBoxSDS service we can start building an exploit:
通过清除目录和启动/崩溃 VBoxSDS 服务的能力,我们可以开始构建漏洞:
- First we create the
VboxSDS.log.11file and setoplockon it,
首先,我们创建VboxSDS.log.11文件并在其上设置oplock, - We use the exposed COM server to start the service,
我们使用公开的 COM 服务器来启动服务, - When
oplockis triggered on theVboxSDS.log.11file we create theVboxSDS.logdirectory which will cause the service to crash,
当VboxSDS.log.11在文件上触发时oplock,我们创建将导致服务崩溃的VboxSDS.log目录, - We keep starting the service until the directory is empty,
我们一直启动服务,直到目录为空, - Once the directory is empty, a
VboxSDS.log.9file is created and an opportunistic lock is placed,
一旦目录为空,就会创建一个VboxSDS.log.9文件并放置一个机会锁, - We start the service again and when
oplockis triggered theVboxSDS.log.9file is deleted and the directory is turned into a junction point to the NT Object Manager directory (\\RPC Control),
我们再次启动服务,当触发时oplock,VboxSDS.log.9文件将被删除,目录将变成 NT 对象管理器目录 (\\RPC Control) 的交接点 , - In the Object Manager directory two symbolic links are created:
在对象管理器目录中,将创建两个符号链接:VboxSDS.log.9which points to our payload dll,
VboxSDS.log.9它指向我们的有效载荷 DLL,VboxSDS.log.10which points to a non-existent dll in thesystem32directory (in this casewow64log.dll),
VboxSDS.log.10它指向system32目录中不存在的 DLL(在本例wow64log.dll中),
- Once
wow64log.dllis created, theMicrosoft Edge Update Serviceis started and our dll is loaded in to aSYSTEMprocess 🙂
创建后wow64log.dll,将启动并将Microsoft Edge Update Service我们的 dll 加载到SYSTEM进程🙂中
This blog post was written by Filip Dragovic.
这篇博文的作者是 Filip Dragovic。
版权声明:admin 发表于 2024年4月29日 下午10:28。
转载请注明:CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox | CTF导航
转载请注明:CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox | CTF导航
相关文章
