VM Escape using CVE-2019-2525/2548 (2)

• CVE-2019-2525와 CVE-2019-2548을 이용한 VM exploit.

CVE-2019-2525

• OOB Read in crUnpackExtendGetAttribLocation

Root Cause

void crUnpackExtendGetUniformLocation(void)
{
    int packet_length = READ_DATA(0, int);
    GLuint program = READ_DATA(8, GLuint);
    const char *name = DATA_POINTER(12, const char);
    SET_RETURN_PTR(packet_length-16);
    SET_WRITEBACK_PTR(packet_length-8);
    cr_unpackDispatch.GetUniformLocation(program, name);
}

#define SET_RETURN_PTR( offset ) do { \
        CRDBGPTR_CHECKZ(return_ptr); \
        crMemcpy( return_ptr, cr_unpackData + (offset), sizeof( *return_ptr ) ); \
    } while (0);

#define SET_WRITEBACK_PTR( offset ) do { \
        CRDBGPTR_CHECKZ(writeback_ptr); \
        crMemcpy( writeback_ptr, cr_unpackData + (offset), sizeof( *writeback_ptr ) ); \
    } while (0);

• SET_XX(OFFSET)에서 crMemcpy(XX, cr_unpackData + OFFSET, 8) 연산 후, 값을 guest로 보낸다.
• 이 때 OFFSET(packet_length)을 체크하지 않아 16바이트 Memory Leak이 가능하다.

How to patch

void crUnpackExtendGetUniformLocation(void)
{
    int packet_length = READ_DATA(0, int);
    GLuint program = READ_DATA(8, GLuint);
    const char *name = DATA_POINTER(12, const char);
    if (!DATA_POINTER_CHECK(packet_length))
    {
    	crError("crUnpackExtendGetAttribLocation: packet_length is out of range");
    	return;
    }
    SET_RETURN_PTR(packet_length-16);
    SET_WRITEBACK_PTR(packet_length-8);
    cr_unpackDispatch.GetUniformLocation(program, name);
}

• OFFSET(packet_length)을 체크하는 조건문이 추가 되었다.

---

CVE-2019-2548

• Integer Overflow in crServerDispatchReadPixels

Root Cause

void SERVER_DISPATCH_APIENTRY
crServerDispatchReadPixels(GLint x, GLint y, GLsizei width, GLsizei height,
                           GLenum format, GLenum type, GLvoid *pixels)
{
    const GLint stride = READ_DATA( 24, GLint );
    const GLint alignment = READ_DATA( 28, GLint );
    const GLint skipRows = READ_DATA( 32, GLint );
    const GLint skipPixels = READ_DATA( 36, GLint );
    const GLint bytes_per_row = READ_DATA( 40, GLint );
    const GLint rowLength = READ_DATA( 44, GLint );

    CRASSERT(bytes_per_row > 0);

#ifdef CR_ARB_pixel_buffer_object
    if (crStateIsBufferBound(GL_PIXEL_PACK_BUFFER_ARB))
    {
        GLvoid *pbo_offset;

        /*pixels are actually a pointer to location of 8byte network pointer in hgcm buffer
          regardless of guest/host bitness we're using only 4lower bytes as there're no
          pbo>4gb (yet?)
         */
        pbo_offset = (GLvoid*) ((uintptr_t) *((GLint*)pixels));

        cr_server.head_spu->dispatch_table.ReadPixels(x, y, width, height,
                                                      format, type, pbo_offset);
    }
    else
#endif
    {
        CRMessageReadPixels *rp;
        uint32_t msg_len;

        if (bytes_per_row < 0 || bytes_per_row > UINT32_MAX / 8 || height > UINT32_MAX / 8)
        {
            crError("crServerDispatchReadPixels: parameters out of range");
            return;
        }

        msg_len = sizeof(*rp) + (uint32_t)bytes_per_row * height;

        rp = (CRMessageReadPixels *) crAlloc( msg_len );
        if (!rp)
        {
            crError("crServerDispatchReadPixels: out of memory");
            return;
        }

        /* Note: the ReadPixels data gets densely packed into the buffer
         * (no skip pixels, skip rows, etc.  It's up to the receiver (pack spu,
         * tilesort spu, etc) to apply the real PixelStore packing parameters.
        */
        cr_server.head_spu->dispatch_table.ReadPixels(x, y, width, height,
                                                      format, type, rp + 1);

        rp->header.type = CR_MESSAGE_READ_PIXELS;
        rp->width = width;
        rp->height = height;
        rp->bytes_per_row = bytes_per_row;
        rp->stride = stride;
        rp->format = format;
        rp->type = type;
        rp->alignment = alignment;
        rp->skipRows = skipRows;
        rp->skipPixels = skipPixels;
        rp->rowLength = rowLength;

        /* <pixels> points to the 8-byte network pointer */
        crMemcpy( &rp->pixels, pixels, sizeof(rp->pixels) );
    
        crNetSend( cr_server.curClient->conn, NULL, rp, msg_len );
        crFree( rp );
    }
}

• crAlloc(msg_len)호출을 위해 msg_len값을 설정하는 부분에서 Integer Overflow가 발생한다.
• 항상 sizeof(rp)보다 큰 정수값을 반환할 거라 예상하지만 (sizeof(rp) == 0x38) ,
• Integer Overflow를 통해 0x38보다 작은 특별한 크기 (0x20)으로 설정할 수 있다.
• 이를 이용해 Heap Overflow가 가능하다.

How to patch

if (bytes_per_row <= 0 || height <= 0 || bytes_per_row > INT32_MAX / height)
{
    crError("crServerDispatchReadPixels: parameters out of range");
    return;
}

msg_len = sizeof(*rp) + (uint32_t)bytes_per_row * height;

rp = (CRMessageReadPixels *) crAlloc( msg_len );

• 검증 조건이 수정되었다.

---

Heap Spray

• CVE-2019-2548에서 msg_len을 특별한 크기 0x20으로 설정 할 수 있다고 했다.

  typedef struct _CRVBOXSVCBUFFER_t {
      uint32_t uiId;
      uint32_t uiSize;
      void*    pData;
      _CRVBOXSVCBUFFER_t *pNext, *pPrev;
  } CRVBOXSVCBUFFER_t;

• 여기서 0x20은 CRVBOXSVCBUFFER_t 구조체의 크기이다.

def alloc_buf(client, sz, msg='a'):
    buf,_,_,_ = hgcm_call(client, SHCRGL_GUEST_FN_WRITE_BUFFER, [0, sz, 0, msg])
    return buf

def crmsg(client, msg, bufsz=0x1000):
    ''' Allocate a buffer, write a Chromium message to it, and dispatch it. '''
    assert len(msg) <= bufsz
    buf = alloc_buf(client, bufsz, msg)
    # buf,_,_,_ = hgcm_call(client, SHCRGL_GUEST_FN_WRITE_BUFFER, [0, bufsz, 0, msg])
    _, res, _ = hgcm_call(client, SHCRGL_GUEST_FN_WRITE_READ_BUFFERED, [buf, "A"*bufsz, 1337])
    return res

• alloc_buf에서 할당한 메모리는 crmsg가 호출되기 전까지 Free되지 않는다..
• 따라서 아래와 같이 Heap Spray가 가능하다.

• alloc_buf함수 호출, CRVBOXSVCBUFFER_t 객체 heap spray

• crmsg함수 호출, 짝수 bufID의 heap만 free

• crAlloc함수 호출, msg_len = 0x20인 CRMessageReadPixels 할당

• Heap Overflow!!
• 구체적인 구조체 형태는 아래와 같다.

• heap overflow로 다음 chunk에 있던 CRVBOXSVCBUFFER_t 의 uiId와 uiSize 부분이 overwrite 된다.
• overwrite된 uiID로 해당 공간에 접근할 수 있게된다.

Exploit

crSpawn, crServerDispatchBoundsInfoCR

CRpid crSpawn( const char *command, const char *argv[] )
{
#ifdef WINDOWS
	char newargv[1000];
	int i;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	(void) command;

	ZeroMemory( &si, sizeof(si) );
	si.cb = sizeof(si);
	ZeroMemory( &pi, sizeof(pi) );

	crStrncpy(newargv, argv[0], 1000 );
	for (i = 1; argv[i]; i++) {
		crStrcat(newargv, " ");
		crStrcat(newargv, argv[i]);
	}

	if ( !CreateProcess(NULL, newargv, NULL, NULL, FALSE, 0, NULL,
				NULL, &si, &pi) )
	{
		crWarning("crSpawn failed, %d", GetLastError());
		return 0;
	}
	return pi.hProcess;
#else
	pid_t pid;
	if ((pid = fork()) == 0)
	{
		/* I'm the child */
		int err = execvp(command, (char * const *) argv);
		crWarning("crSpawn failed (return code: %d)", err);
		return 0;
	}
	return (unsigned long) pid;
#endif
}

• crSpawn 함수는 command를 입력받아 execvp를 호출한다.
• crSpawn은 cr_unpackDispatch에 존재하는 함수지만, 직접 호출 할 수 없다.
• crMessage의 opcode가 존재하는 함수에 한해서만 함수 호출을 할 수 있기 때문이다.

void SERVER_DISPATCH_APIENTRY
crServerDispatchBoundsInfoCR( const CRrecti *bounds, const GLbyte *payload, GLint len, GLint num_opcodes )

• crServerDispatchBoundsInfoCR함수의 인자는 crSpawn와 비슷하다.
• CR_BOUNDSINFOCR_OPCODE는 crServerDispatchBoundsInfoCR 함수를 호출한다.

Exploit Scenario

1. CVE-2019-2525로 필요한 메모리 주소 leak
2. CRVBOXSVCBUFFER_t 객체 heap spray 후, 짝수 buifID 객체 free
3. CVE-2019-2548로 CRMessageReadPixels 객체 할당, heap overflow
4. heap overflow를 통한 bufID overwrite
5. overwrite된 bufID로 Arbitrary write
   • cr_unpackDispatch에서의 crServerDispatchBoundsInfoCR 함수 주소를 crSpawn으로 overwrite.
6. CR_BOUNDSINFOCR_OPCODE의 msg를 보내 crSpawn 함수 호출
7. VM escape!

Demo

• https://youtu.be/MHI2f1_EjNU

Reference

• Virtualization Bug #1 Singi (멘토님 강의자료)
• https://github.com/niklasb/3dpwn
• https://labs.f-secure.com/assets/BlogFiles/offensivecon-2019-3d-accelerated-exploitation-jason-matthyser.pdf
• https://wogh8732.tistory.com/273?category=804777
• https://cosyp.tistory.com/247
• https://1993-constant.tistory.com/590?category=927096