CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

VirtualBox is a popular open source, cross-platform, virtualization software developed by Oracle Corporation. Earlier this year we identified an arbitrary file move vulnerability in the VirtualBox system service service that could facilitate privilege escalation; here we’ll outline the steps used to discover and exploit this issue.
VirtualBox 是由 Oracle Corporation 开发的一款流行的开源、跨平台虚拟化软件。今年早些时候, VirtualBox system service 我们在服务中发现了一个任意文件移动漏洞,该漏洞可能有助于权限升级;在这里,我们将概述用于发现和利用此问题的步骤。

This vulnerability was also discovered by Naor Hodorov who is also credited in the Oracle Patch Advisory.
此漏洞也是由 Naor Hodorov 发现的,他也在 Oracle 补丁公告中受到认可。

Vulnerability Discovery 漏洞发现

After installing VirtualBox for Windows, a single user-land service is installed (VirtualBox system service) which runs as SYSTEM and is configured to start on-demand:
安装 VirtualBox for Windows 后,将安装单个 user-land 服务 ( VirtualBox system service ),该服务运行 SYSTEM 为按需启动:

PS C:\\tools> sc.exe qc VboxSDS
[SC] QueryServiceConfig SUCCESS

        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VirtualBox system service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

This service will create the directory C:\\ProgramData\\VirtualBox\\ for logging purposes.
此服务将创建 C:\\ProgramData\\VirtualBox\\ 用于日志记录的目录。

This directory is created without specifying explicit ACLs and as such inherits permissions from the parent directory (C:\\ProgramData) which allows users to create new files/folders:
此目录是在未指定显式 ACL 的情况下创建的,因此从父目录 ( C:\\ProgramData ) 继承权限,允许用户创建新文件/文件夹:

PS C:\\tools> cacls.exe C:\\ProgramData\\VirtualBox
C:\\ProgramData\\VirtualBox NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F
                          CREATOR OWNER:(OI)(CI)(IO)(ID)F
                          BUILTIN\\Users:(CI)(ID)(special access:)

PS C:\\tools>

When the service is started, this folder will be populated with log files, these log files will inherit the directory permissions which will prevent low privileged users from modifying/removing them and as a consequence limits abuse of directory junctions, a popular primitive used when exploiting logic access bugs:

PS C:\\tools> ls C:\\ProgramData\\VirtualBox\\

    Directory: C:\\ProgramData\\VirtualBox

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         4/22/2024   9:44 AM              0 VBoxSDS.log
-a----         4/22/2024   9:43 AM           1924 VBoxSDS.log.1
-a----         4/12/2024   1:49 AM           1924 VBoxSDS.log.10
-a----         4/19/2024   5:32 PM           1924 VBoxSDS.log.2
-a----         4/18/2024  10:41 AM           1281 VBoxSDS.log.3
-a----         4/17/2024  11:27 PM           1924 VBoxSDS.log.4
-a----         4/17/2024  10:20 PM            665 VBoxSDS.log.5
-a----         4/17/2024  10:20 PM           1431 VBoxSDS.log.6
-a----         4/15/2024  11:04 PM           1925 VBoxSDS.log.7
-a----         4/15/2024   1:30 PM            665 VBoxSDS.log.8
-a----         4/15/2024   1:30 PM           1431 VBoxSDS.log.9

PS C:\\tools> cacls.exe C:\\ProgramData\\VirtualBox\\VBoxSDS.log
C:\\ProgramData\\VirtualBox\\VBoxSDS.log NT AUTHORITY\\SYSTEM:(ID)F
PS C:\\tools>

Analysing the service during startup shows an interesting behaviour where by the VboxSDS service will perform file rename/move operation recursively inside the C:\\ProgramData\\VirtualBox directory.
在启动期间分析服务显示了一个有趣的行为,即 VboxSDS 服务将在 C:\\ProgramData\\VirtualBox 目录内递归地执行文件重命名/移动操作。

VboxSDS.log will become VboxSDS.log.1
VboxSDS.log 将成为 VboxSDS.log.1

VboxSDS.log.1 will become VboxSDS.log.2
VboxSDS.log.1 将成为 VboxSDS.log.2

CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

If the only file inside directory is VboxSDS.log.10, it will be deleted:
如果目录中唯一的文件是 VboxSDS.log.10 ,它将被删除:

CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

This can be abused to both delete files in the directory and perform an arbitrary file move.

In order to clear the directory, we need to be able to start the service as a low privileged user and also the ability to stop/crash the service, as in most cases the directory will contain multiple log files.

Starting the service as a low privileged user can be achieved through COM. The VboxSDS service registers a COM server and whenever this COM class is initiated the service is started:
可以通过 COM 以低特权用户身份启动服务。该 VboxSDS 服务注册一个 COM 服务器,每当启动此 COM 类时,都会启动该服务:

PS C:\\tools> sc.exe queryex VboxSDS

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
PS C:\\tools> [Activator]::CreateInstance([type]::GetTypeFromCLSID("74AB5FFE-8726-4435-AA7E-876D705BCBA5"))
PS C:\\tools> sc.exe queryex VboxSDS

        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 11364
        FLAGS              :
PS C:\\tools>

The easiest way we discovered to crash the service was to prevent it from creating the VboxSDS.log file.
我们发现使服务崩溃的最简单方法是阻止它创建 VboxSDS.log 文件。

This can be done in few different ways, however we believe the easiest is to create a directory named VboxSDS.log, meaning the subsequent call to CreateFile API will fail as it expects a file:
这可以通过几种不同的方式完成,但我们认为最简单的方法是创建一个名为 VboxSDS.log 的目录,这意味着对 CreateFile API 的后续调用将失败,因为它需要一个文件:

CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

In order to win the race between moving and creating the VboxSDS.log file, an opportunistic lock is created on VboxSDS.log.11. This file does not normally exist but the service will try to delete it just before creating the VboxSDS.log file:
为了赢得移动和创建 VboxSDS.log 文件之间的竞争,在 VboxSDS.log.11 上创建了一个机会锁。此文件通常不存在,但服务将在创建 VboxSDS.log 文件之前尝试将其删除:

CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

Building an Exploit 构建漏洞利用

With abilities to both clear the directory and start/crash the VBoxSDS service we can start building an exploit:
通过清除目录和启动/崩溃 VBoxSDS 服务的能力,我们可以开始构建漏洞:

  • First we create the VboxSDS.log.11 file and set oplock on it,
    首先,我们创建 VboxSDS.log.11 文件并在其上设置 oplock ,
  • We use the exposed COM server to start the service,
    我们使用公开的 COM 服务器来启动服务,
  • When oplock is triggered on the VboxSDS.log.11 file we create the VboxSDS.log directory which will cause the service to crash,
    当 VboxSDS.log.11 在文件上触发时 oplock ,我们创建将导致服务崩溃的 VboxSDS.log 目录,
  • We keep starting the service until the directory is empty,
  • Once the directory is empty, a VboxSDS.log.9 file is created and an opportunistic lock is placed,
    一旦目录为空,就会创建一个 VboxSDS.log.9 文件并放置一个机会锁,
  • We start the service again and when oplock is triggered the VboxSDS.log.9 file is deleted and the directory is turned into a junction point to the NT Object Manager directory (\\RPC Control),
    我们再次启动服务,当触发时 oplock , VboxSDS.log.9 文件将被删除,目录将变成 NT 对象管理器目录 ( \\RPC Control ) 的交接点 ,
  • In the Object Manager directory two symbolic links are created:

    • VboxSDS.log.9 which points to our payload dll,
      VboxSDS.log.9 它指向我们的有效载荷 DLL,
    • VboxSDS.log.10 which points to a non-existent dll in the system32 directory (in this case wow64log.dll),
      VboxSDS.log.10 它指向 system32 目录中不存在的 DLL(在本例 wow64log.dll 中),
  • Once wow64log.dll is created, the Microsoft Edge Update Service is started and our dll is loaded in to a SYSTEM process 🙂
    创建后 wow64log.dll ,将启动并将 Microsoft Edge Update Service 我们的 dll 加载到 SYSTEM 进程🙂中
CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

This blog post was written by Filip Dragovic.
这篇博文的作者是 Filip Dragovic。

原文始发于MDSEC:CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox

版权声明:admin 发表于 2024年4月29日 下午10:28。
转载请注明:CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox | CTF导航