VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation

2012-04-02 / 2012-04-03
Credit: Derek Soeder
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 8.3/10
Impact Subscore: 10/10
Exploitability Subscore: 6.5/10
Exploit range: Adjacent network
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation Derek Soeder ds.adv.pub (at) gmail (dot) com [email concealed] Reported: December 5, 2011 Published: March 30, 2012 AFFECTED VENDOR --------------- VMware, Inc. AFFECTED ENVIRONMENTS --------------------- The following VMware product versions are known to be affected: VMware Server 1.0.10 and earlier VMware Server 2.0.2 and earlier VMware Workstation 7.0.0 VMware Workstation 7.1.1 and earlier VMware ESXi 3.5.0 Update 5 VMware ESXi 4.0.0 Update 4 Build 504850 and earlier VMware ESXi 4.1.0 Build 320137 (ESXi410-201011401-BG) and earlier Other related versions not tested but assumed to be affected The following guest operating systems are known to enable exploitation: Windows NT 4.0 Windows 2000 Windows XP (32-bit) Windows Server 2003 (32-bit) UNAFFECTED ENVIRONMENTS ----------------------- The following VMware product versions are not affected: VMware Workstation 7.1.2 and later VMware ESXi 4.0.0 Update 4 with patch ESXi400-201203401-SG VMware ESXi 4.1.0 Update 1 Build 348481 (ESXi410-201101201-SG) and later VMware ESXi 5.0.0 The following guest operating systems do not appear to permit exploitation: Windows XP (64-bit) Windows Server 2003 (64-bit) Windows Vista (32-bit and 64-bit) Windows Server 2008 (32-bit and 64-bit) Windows 7 (32-bit and 64-bit) Windows Server 2008 R2 IDENTIFIERS ----------- CVE-2012-1515 IMPACT ------ The vulnerability described in this document can be exploited by unprivileged code running on certain guest operating systems in a VMware virtual machine in order to execute arbitrary code with kernel privileges. VULNERABILITY DETAILS --------------------- The VMware backdoor interface consists of a number of operations issued via I/O instructions executed in the guest with a command number in CX and data or "magic" values in a number of other registers. Command 0x1E / 30 (BDOOR_CMD_MESSAGE) and its subcommands (MESSAGE_TYPE_*) allow messages to be exchanged between the guest and host. Since the regular backdoor would only allow for the exchange of no more than one machine word of data per I/O instruction, a "high-bandwidth" backdoor exists on port 0x5659 (BDOORHB_PORT) to permit bulk transmission of data from and to the guest via the REP OUTSB and REP INSB instructions respectively. If the direction flag is clear, the host performs the transfer by memcpy'ing directly from or to its mapping of guest memory, after performing any applicable address translations and memory access checks. One special case that the host fails to consider, however, is when a REP INSB is targeting memory that would normally be emulated as read-only. If the guest operating system allows an unprivileged user to address a writable view of read-only memory, the user can exploit this vulnerability to modify the ROM's contents whereas he otherwise could not. To then parlay this ability into a successful attack requires causing privileged code that trusts the ROM to act on the altered contents in an exploitable way. EXPLOITATION ------------ Only 32-bit editions of Windows prior to Vista allow an unprivileged user to map a PAGE_READWRITE view of the BIOS ROM by launching a Virtual DOS Machine (NTVDM.EXE). On 32-bit Windows Vista and Windows Server 2008, NT!VdmpInitialize is hard-coded to map physical addresses 0xC0000 through 0xFFFFF at the corresponding virtual addresses as PAGE_READONLY, while 32-bit Windows 7 allocates writable virtual memory at 0xC0000 and copies in the contents of the BIOS ROM, and VDM support does not exist at all in 64-bit editions of Windows. (Presumably, ROM was originally mapped as writable so that 16-bit code that tried for any reason to write to ROM could do so and have it silently fail while still causing the expected side effects like updating the flags. One wonders what prompted the change on Vista.) Although this vulnerability allows modification of the in-guest BIOS ROM, there seem to be few opportunities to get Windows to execute modified BIOS code. One possible attack involves putting the modified code in place and initiating or waiting for a soft reboot, after which the planted code would execute and could mount a BootRoot-style attack to alter the guest kernel as it loads. Another possibility is to modify BIOS code and wait for some other user to run a 16-bit program that changes the video mode or makes an exotic BIOS call unhandled by NTVDM, but this is obviously flimsy. The third and best possibility, discussed below, is to cause the kernel to change the video mode, which will execute an INT 10h instruction from one of two Virtual-8086 mode environments, either of which can be escaped to infiltrate the kernel. As the author mentioned in the advisory for CVE-2007-1206 (which allowed modification of the Interrupt Vector Table rather than the BIOS code it references), HAL.DLL will issue an INT 10h to prepare for hibernation or a blue-screen, both of which could be considered "local denial-of-service" conditions. However, the author has since found that requesting full-screen text mode or switching to a VGA display mode will also cause the INT 10h handler to be executed, although by NTOSKRNL.EXE rather than HAL. Rough reverse call trees for both are depicted below: HAL!HalpBiosCall ^ HAL!HalpBiosDisplayReset (via NT!HalPrivateDispatchTable) . ^ BOOTVID!VidResetDisplay . . ^ NT!VidResetDisplay . . . ^ NT!InbvResetDisplay . . . . ^ NT!KeBugCheck2 . . . . . ^ (blue-screen) . . . . ^ HAL!InbvResetDisplay . . . . . ^ HAL!HalHandleNMI . . . . . . ^ NT!KiTrap02 . . . . . . . ^ (catastrophe) . . . . ^ NT!PopSaveHiberContext (via DPC) . . . . . ^ NT!PopInvokeSystemStateHandler . . . . . . ^ NT!PopShutdownSystem . . . . . . . ^ NT!PopGracefulShutdown . . . . . . . . ^ NT!NtSetSystemPowerState . . . . . . . . . ^ NT!NtShutdownSystem . . . . . . ^ NT!PopSleepSystem . . . . . . . ^ NT!NtSetSystemPowerState . . . . . . . . ^ NT!NtShutdownSystem NT!Ke386CallBios ^ VIDEOPRT!Ke386CallBios . ^ VIDEOPRT!VideoPortInt10 . . ^ VGA!VgaSetMode . . . ^ VGA!VgaStartIO . . . . ^ VIDEOPRT!pVideoPortDispatch . . . . . ^ NT!IofCallDriver . . . . . . ^ WIN32K!GreDeviceIoControl . . . . . . . ^ WIN32K!EngDeviceIoControl . . . . . . . . ^ (...) . . . . . . . . . ^ WIN32K!DrvChangeDisplaySettings . . . . . . . . . . ^ WIN32K!xxxUserChangeDisplaySettings . . . . . . . . . . . ^ WIN32K!NtUserChangeDisplaySettings . . . . . . . . . . . . ^ USER32!NtUserChangeDisplaySettings . . . . . . . . . . . . . ^ USER32!ChangeDisplaySettings* . . . . . . . . ^ (...) . . . . . . . . . ^ WIN32K!xxxbFullscreenSwitch . . . . . . . . . . ^ WIN32K!xxxConsoleControl . . . . . . . . . . . ^ WIN32K!NtUserConsoleControl . . . . . . . . . . . . ^ WINSRV!NtUserConsoleControl . . . . . . . . . . . . . ^ WINSRV!ChangeDispSettings . . . . . . . . . . . . . . ^ WINSRV!HandleSysKeyEvent . . . . . . . . . . . . . . . ^ WINSRV!ConsoleWindowProc . . . . . . . . . . . . . . . . ^ (...) . . . . . . . . . . . . . . . . . ^ NTDLL!CsrClientCallServer . . . . . . . . . . . . . . . . . . ^ KERNEL32!SetConsoleDisplayMode . . ^ VIDEOPRT!VpInt10CallBios . . . ^ VGA!GetVideoMemoryBaseAddress . . . . ^ VGA!VgaSetMode . . . . . ^ (...) As suggested above, unprivileged code can cause execution of the BIOS INT 10h handler from either HAL or NTOSKRNL, the former through a blue-screen or shutdown (such as hibernation), and the latter by changing the video mode, which requires console access. Assuming that malicious code has access to the console, and assuming that the video driver does not prevent it (as the VMware Tools video driver in some cases does), the malicious code could call ChangeDisplaySettings[Ex] or SetConsoleDisplayMode to force a video mode change without needing SeShutdownPrivilege or an independent blue-screen flaw. The following paragraphs cover exploitation in both the HAL and NTOSKRNL cases, starting from the assumption that an attacker has already modified the BIOS's INT 10h handler code. To infiltrate the kernel when invoked via HAL!HalpBiosCall, the malicious INT 10h handler code can simply modify the pages of memory containing HAL!HalpRealModeStart, the V86-mode stack, and HAL!HalpRealModeEnd, which HAL!HalpBiosDisplayReset maps with write permissions at virtual address 0x20000. Once execution returns to HAL!HalpRealModeEnd following attempted execution of the C4h/C4h sequence, the attacker will be executing code in the familiar Windows kernel environment, albeit with some cleanup necessary. Malicious code might detect the HAL case by observing if SS = 0x2000. Infiltrating the kernel from the NT!Ke386CallBios environment, on the other hand, is a little more indirect. NTOSKRNL issues an INT 10h from a proper VDM with no interesting kernel code targets, but the VDM TIB is accessible to V86-mode code (at address 0x12000). The malicious INT 10h handler can modify the kernel stack pointer stored in 'CONTEXT.Esi', just as described in Tavis Ormandy's CVE-2010-0232 advisory ("Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"), in order to hijack execution after the cleanup code at NT!Ki386BiosCallReturnAddress completes. Malicious code might detect the NTOSKRNL case by checking for SS = 0x1000. Of course, none of this matters without the ability to meaningfully modify BIOS code. Malicious code in the guest can only modify ROM through the high-bandwidth backdoor REP INSB instruction, meaning it can only overwrite ROM with bytes it can read from the host. Although VMware Server 1.0 permits the guest to read host stack memory beyond the end of any host-to-guest message, which allows reading of (and therefore overwriting with) arbitrary bytes by first "seeding" the buffer with a long REP OUTSB, a more version-independent approach is to first use the "info-set" command to store an arbitrary low-byte string in the VMDb "guestinfo" database, and then use "info-get" to read the string from the host and overwrite the desired portion of guest ROM. The author's proof-of-concept exploit uses this technique to implement a six-stage approach, comprising: (1) the replacement INT 10h handler, a tiny, low-byte arithmetic / PUSH / Jcc sequence that computes the offset of the next stage, pushes it, and branches to a nearby RET, RETF, or IRET; (2) a larger, low-byte sequence stored over the 8x8 graphics font table (hopefully in video BIOS ROM pointed to by the INT 1Fh vector) that computes the bytes of the next stage, pushes them onto the stack, and branches to a nearby RETF or IRET; (3) a small, base-64-like decoder that decodes and executes the next stage, which was also stored in the font table; (4) a loader that reads the subsequent stages into RAM from the "guestinfo" database via the VMware backdoor interface, decodes them, and executes the next stage; (5) the main V86-mode payload, which prepares the next stage to execute in ring 0 using the appropriate, aforementioned HAL or NTOSKRNL infiltration technique; and (6) the main kernel payload, which creates an interrupt gate for convenient kernel access and cleans up the environment so that execution can resume without crashing. The Win32 portion of the exploit can then use the interrupt gate as needed. With ring-0 privileges, the payload can restore the original contents of BIOS ROM (assuming it preserved them) by making ROM writable via PCI configuration space. In the eight bytes of PCI configuration space starting at address 0x80000058, bit 0 and bit 4 each indicate whether or not a segment of BIOS ROM is mapped, and bits 1 and 5 determine whether or not those segments are writable. Setting the writable bits for all mapped segments, then, allows the ROM to be directly overwritten with arbitrary bytes, as opposed to being overwritten indirectly and only with low bytes through re-exploitation of the vulnerability. Another ramification of exploitation requiring rectification is the unavoidable change in video mode. Before it invokes the INT 10h handler, the kernel has already changed the display mode and consequently blacked out the screen, so programming the malicious handler to return without executing the original handler doesn't help and could actually make it more difficult to properly restore the display. One easy means of recovering from the mode change is to inject code into session 0's WINLOGON.EXE process that enumerates desktops and calls "ChangeDisplaySettings(NULL, CDS_RESET)" while attached to each, although some amount of display flickering is nevertheless inevitable. MITIGATION ---------- * Disable NTVDM in the guest operating system Disabling Virtual DOS Machine (NTVDM) support in the guest should deny an unprivileged user the ability to obtain a writable mapping of ROM on affected versions of Windows, thereby preventing exploitation of the vulnerability. To disable NTVDM, follow the guidance presented in one of the following Microsoft Knowledge Base Articles: http://support.microsoft.com/kb/979682 http://support.microsoft.com/kb/220159 Or, manually set the "VDMDisallowed" registry value, which is mentioned on the following page: (Note that this registry value is not recognized by all versions of Windows.) http://technet.microsoft.com/en-us/library/cc783069.aspx Be aware that disabling NTVDM will break 32-bit applications that rely on DOS functionality, in addition to 16-bit applications. * Run untrusted programs in a Remote Desktop session, and do not allow the guest to power down or restart The most likely exploitation scenarios require that the attack code be able to trigger a kernel BIOS call, which is most easily accomplished by changing the guest's video mode. Running suspect code in a Remote Desktop session--as opposed to a console session--prevents the code from changing the video mode, thereby reducing the likelihood of successful elevation to kernel privileges. (Of course, make sure that dangerous Remote Desktop features, such as local drive sharing, are disabled when running untrusted code in this way.) Another feasible exploitation scenario involves overwriting the BIOS and then causing a shutdown, a restart, or hibernation. Run untrusted code in the guest as an unprivileged user without shutdown privileges, and force the virtual machine to power down afterwards; do not allow the guest to gracefully power down or restart, as that might give modified code an opportunity to execute. Because this workaround does not prevent modification of BIOS ROM, malicious code could still attempt to exploit the vulnerability by causing a blue-screen or planting code for other users' VDMs to execute. * Disable the "info-get" and "info-set" commands Exploitation depends on the attacker being able to overwrite ROM with the contents of backdoor command responses, which the "info-set" and "info-get" commands facilitate by allowing the attacker to store and retrieve arbitrary data. These commands can be disabled in a specific guest by adding the following lines to the virtual machine's .vmx configuration file: isolation.tools.getInfo.disable = "TRUE" isolation.tools.setInfo.disable = "TRUE" Note that the second line also disables the "SetGuestInfo" command. It is not known if disabling these commands disrupts any guest monitoring or other VMware Tools functionality. * Restrict access to the VMware backdoor interface Adding the following line to the virtual machine's .vmx configuration file will prevent unprivileged code (code with CPL > IOPL) from accessing the VMware backdoor interface, rendering the vulnerability unexploitable for the sake of privilege elevation: monitor_control.restrict_backdoor = "TRUE" With this setting in place, an unprivileged attempt to execute a VMware backdoor port I/O instruction will result in a privileged instruction exception. Note that this setting crashes the user-mode portion of VMware Tools, and thus disrupts certain features such as guest-host copy-and-paste and drag-and-drop. CONCLUSION ---------- This document discloses a guest privilege elevation vulnerability arising from fairly arcane behavior of VMware's backdoor interface, and makes a case for its exploitability by presenting at a high level the steps performed by the author's own functioning proof of concept. It is not known if other machine virtualization software is susceptible to similar issues regarding incomplete emulation of read-only memory. GREETINGS --------- www.ridgewayis.com www.ftmband.com

References:

http://www.ridgewayis.com
http://www.ftmband.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top