core security
play

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration - PowerPoint PPT Presentation

Oct 13, 2022 •223 likes •1.17k views

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon) REcon 2014 P A G E About me Exploit writer for Core Security. From Argentina. Interested in the usual stuff: reverse engineering,

  1. CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon) REcon 2014 P A G E

  2. About me • Exploit writer for Core Security. • From Argentina. • Interested in the usual stuff: reverse engineering, vulnerability research, exploitation … • This is my 2nd time presenting at REcon. P A G E 2

  3. Agenda P A G E 3

  4. Agenda • Motivations and related work • How VirtualBox implements 3D Acceleration • Speaking the VBoxHGCM and Chromium protocols • Chromium rendering commands • The vulnerabilities • The fixes • Exploitation • Live Demo! • Conclusions/Q & A P A G E 4

  5. Motivations and related work P A G E 5

  6. Motivations • Tarjei Mandt: Oracle VirtualBox Integer Overflow Vulnerabilities (specially CVE-2011-2305: VBoxSharedOpenGL Host Service Integer Overflow Vulnerability). http://mista.nu/blog/2011/07/19/oracle-virtualbox-integer- overflow-vulnerabilities/ P A G E 6

  7. Related work • Cloudburst: Hacking 3D (and Breaking Out of VMware) [Kostya Kortchinsky, Black Hat US 2009] • Virtunoid: Breaking out of KVM [Nelson Elhage, Black Hat US 2011] • A Stitch in Time Saves Nine: A case of Multiple Operating System Vulnerability [Rafal Wojtczuk, Black Hat US 2012] P A G E 7

  8. An overview of VirtualBox P A G E 8

  9. An overview of VirtualBox “ VirtualBox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use. ” • Supported Host OS: Windows, Linux, Mac OS X, Solaris. • Supported Guest OS : Windows, Linux, Solaris, FreeBSD, OpenBSD, Mac OS X… P A G E 9

  10. An overview of VirtualBox VirtualBox provides hardware- based 3D Acceleration for Windows, Linux and Solaris guests. This allows guest machines to use the host machine’s hardware to process 3D graphics based on the OpenGL or Direct3D APIs. P A G E 1 0

  11. VirtualBox Guest Additions • VirtualBox implements 3D Acceleration through its Guest Additions (Guest Additions must be installed on the guest OS). • 3D Acceleration must be manually enabled in the VM settings. P A G E 1 1

  12. VirtualBox Guest Additions • The Guest Additions install a device driver named VBoxGuest.sys in the guest machine. • On Windows guests, this device driver can be found in the Device Manager under the “System Devices” branch. • VBoxGuest.sys uses port-mapped I/O to communicate with the host. P A G E 1 2

  13. They warned you! https://www.virtualbox.org/manual/ch04.html#guestadd-3d: P A G E 1 3

  14. The Chromium library P A G E 1 4

  15. Chromium • VirtualBox 3D Acceleration is based on Chromium . • Chromium is a library that allows for remote rendering of OpenGL-based 3D graphics. • Client/server architecture. • Not related at all with the Web browser! P A G E 1 5

  16. Chromium • VirtualBox added support for a new protocol to Chromium: VBoxHGCM (HGCM stands for Host/Guest Communication Manager). • This protocol allows Chromium clients running in the guest machine to communicate with the Chromium server running in the host machine. • The VBoxHGCM protocol works through the VBoxGuest.sys driver. P A G E 1 6

  17. P A G E 1 7

  18. Speaking the VBoxHGCM protocol P A G E 1 8

  19. Speaking the VBoxHGCM protocol • Step 1: obtain a handle to the VBoxGuest.sys device driver. HANDLE hDevice = CreateFile("\\\\.\\VBoxGuest", GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); • No privileges needed for this at all; even guest users can open the device! P A G E 1 9

  20. Speaking the VBoxHGCM protocol • Step 2: Send a message to the VBoxGuest driver through DeviceIoControl. BOOL rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CONNECT, &info, sizeof(info), &info, sizeof(info), &cbReturned, NULL); P A G E 2 0

  21. IoControl codes • The VBoxGuest driver handles DeviceIoControl messages in the VBoxGuestCommonIOCtl() function [ src/VBox/Additions/common/VBoxGuest/VBoxGuest .cpp ]. • Some of the accepted IoControl codes: • VBOXGUEST_IOCTL_GETVMMDEVPORT • VBOXGUEST_IOCTL_VMMREQUEST • VBOXGUEST_IOCTL_SET_MOUSE_NOTIFY_CALLBACK • VBOXGUEST_IOCTL_HGCM_CONNECT • VBOXGUEST_IOCTL_HGCM_CALL • VBOXGUEST_IOCTL_HGCM_DISCONNECT • […] P A G E 2 1

  22. Connecting to the service Connecting to the “ VBoxSharedCrOpenGL ” service: VBoxGuestHGCMConnectInfo info; memset(&info, 0, sizeof(info)); info.Loc.type = VMMDevHGCMLoc_LocalHost_Existing; strcpy(info.Loc.u.host.achName, "VBoxSharedCrOpenGL"); rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CONNECT, &info, sizeof(info), &info, sizeof(info), &cbReturned, NULL); P A G E 2 2

  23. Speaking the Chromium protocol P A G E 2 3

  24. crOpenGL guest functions • include/VBox/HostServices/VBoxCrOpenGLSvc.h has definitions for Input Buffer types, available Chromium guest functions and parameters count : /* crOpenGL guest functions */ #define SHCRGL_GUEST_FN_WRITE (2) #define SHCRGL_GUEST_FN_READ (3) #define SHCRGL_GUEST_FN_WRITE_READ (4) #define SHCRGL_GUEST_FN_SET_VERSION (6) #define SHCRGL_GUEST_FN_INJECT (9) #define SHCRGL_GUEST_FN_SET_PID (12) #define SHCRGL_GUEST_FN_WRITE_BUFFER (13) #define SHCRGL_GUEST_FN_WRITE_READ_BUFFERED (14) P A G E 2 4

  25. Sending an HGCM Call message to the “ VBoxSharedCrOpenGL ” service: CRVBOXHGCMSETPID parms; memset(&parms, 0, sizeof(parms)); parms.hdr.u32ClientID = u32ClientID; parms.hdr.u32Function = SHCRGL_GUEST_FN_SET_PID; parms.hdr.cParms = SHCRGL_CPARMS_SET_PID; parms.u64PID.type = VMMDevHGCMParmType_64bit; parms.u64PID.u.value64 = GetCurrentProcessId(); BOOL rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CALL, &parms, sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); P A G E 2 5

  26. HGCM_CALL handling • When the VBoxGuest.sys driver receives a VBOXGUEST_IOCTL_HGCM_CALL message, it does the following: • It copies our Input Buffer from the guest to the host • It performs a call to host code • It copies back the results (changed params and buffers) from the host to the guest P A G E 2 6

  27. Starting a Chromium communication A Chromium client must start this way: • Open the VBoxGuest.sys driver. • Send a VBOXGUEST_IOCTL_HGCM_CONNECT message. • Send a VBOXGUEST_IOCTL_HGCM_CALL message, calling the SHCRGL_GUEST_FN_SET_VERSION function. • Send a VBOXGUEST_IOCTL_HGCM_CALL message, calling the SHCRGL_GUEST_FN_SET_PID function. 2 7 P A G E

  28. Starting a Chromium communication • After that, the Chromium client can start sending VBOXGUEST_IOCTL_HGCM_CALL messages, specifying which crOpenGL guest function it wants to invoke. Final steps: • Send a VBOXGUEST_IOCTL_HGCM_DISCONNECT message. • Close the handle to the VBoxGuest.sys driver. P A G E 2 8

  29. Chromium Rendering Commands P A G E 2 9

  30. Rendering commands • The Chromium client (VM) sends a bunch of rendering commands (opcodes + data for those opcodes). • The Chromium server (Hypervisor) interprets those opcodes + data, and stores the result into a frame buffer. • The content of the frame buffer is transmitted back to the client in the VM. P A G E 3 0

  31. CRMessageOpcodes struct P A G E 3 1

  32. Rendering commands • That sequence can be performed by the Chromium client in different ways: 1. Single-step : send the rendering commands and receive the resulting frame buffer with one single message. 2. Two-step : send a message with the rendering commands and let the server interpret them, then send another message requesting the resulting frame buffer. 3. Buffered : send the rendering commands and let the server store them in a buffer without interpreting it, then send a second message to make the server interpret the buffered commands and return the resulting frame buffer. P A G E 3 2

  33. Buffered Mode SHCRGL_GUEST_FN_WRITE_BUFFER: • Allocates a buffer that is not freed until the Chromium client sends a message to invoke the SHCRGL_GUEST_FN_WRITE_READ_BUFFERED function. • This allows us to allocate (and deallocate) at will an arbitrary number of buffers of arbitrary size and with arbitrary contents in the address space of the hypervisor process that runs on the host machine (A.K.A. Heap Spray) • We’ll make use of this later! P A G E 3 3

  34. crUnpack() function • The function crUnpack () handles the opcodes + data sent by a Chromium client through a CR_MESSAGE_OPCODES message. • The code for this function is generated by the Python script located at src/VBox/HostServices/SharedOpenGL/unpacker/u npack.py. • Unpack.py parses a file named APIspec.txt containing the definition of the whole OpenGL API, and generates C code to dispatch Chromium opcodes to the corresponding OpenGL functions. P A G E 3 4

  35. void crUnpack( const void *data, const void *opcodes, unsigned int num_opcodes, SPUDispatchTable *table ) { [...] unpack_opcodes = ( const unsigned char *)opcodes; cr_unpackData = ( const unsigned char *)data; for (i = 0 ; i < num_opcodes ; i++) { /*crDebug("Unpacking opcode \%d", *unpack_opcodes);*/ switch ( *unpack_opcodes ) { case CR_ALPHAFUNC_OPCODE: crUnpackAlphaFunc(); break ; case CR_ARRAYELEMENT_OPCODE: crUnpackArrayElement(); break; case CR_BEGIN_OPCODE: crUnpackBegin(); break ; [...] P A G E 3 5

  36. The Vulnerabilities P A G E 3 6

Recommend

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Post-Structuralism: Security as Discourse Week 12 - 13 December 2017 Core Tenets

Post-Structuralism: Security as Discourse Week 12 - 13 December 2017 Core Tenets

PSI 330 International Security Post-Structuralism: Security as Discourse Week 12 - 13 December 2017 Core Tenets Poststructuralism encourages a way of looking at the world that challenges what comes to be accepted as truth and

379 views • 16 slides
Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale

Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale

Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale down to small and low cost devices Leading connectivity to empower business scenarios Enterprise-grade security specifically designed for the

744 views • 40 slides
Maritime Security and Geo-Politics: The Dialogue b/t Vital Interests &amp; Core

Maritime Security and Geo-Politics: The Dialogue b/t Vital Interests &amp; Core

Maritime Security and Geo-Politics: The Dialogue b/t Vital Interests &amp; Core Interests amid the Game of Throne in the Pacific Century By Dr. Wen-lung Laurence Lin Part-time Assistant Professor, Ming-Chun University, R.O.C. P

451 views • 22 slides
INTRODUCTION H ERE Claudio nex Guarnieri @botherder Security

INTRODUCTION H ERE Claudio nex Guarnieri @botherder Security

INTRODUCTION H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Core member of The Shadowserver FoundaBon Core member of The

472 views • 46 slides
CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use and apply them to professional security software. The Team Eric - Code Mike Code AJ - Code - CONFIDENTIAL - Professor Shue Professor

344 views • 18 slides
Government Security Classifications Core Brief for 3 rd Party Suppliers Cabinet Office October

Government Security Classifications Core Brief for 3 rd Party Suppliers Cabinet Office October

Government Security Classifications Core Brief for 3 rd Party Suppliers Cabinet Office October 2013 Strategic Context Civil Service Reform and Workplace Transformation Modern workplace Environment Culture Shift empowerment

465 views • 12 slides
StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security

StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security

StackGuard: A Historical Perspective Crispin Cowan, PhD Senior PM, Windows Core Security Microsoft Aleph One Fires The Opening Shot Smashing the Stack for Fun and Profit Aleph One (AKA Elias Levy), Phrack 49, August 1996 It is

714 views • 27 slides
Motivation Memory is a shared resource Core Core Memory Core Core Threads requests

Motivation Memory is a shared resource Core Core Memory Core Core Threads requests

Thread Cluster Memory Scheduling : Exploiting Differences in Memory Access Behavior Yoongu Kim Michael Papamichael Onur Mutlu Mor Harchol-Balter Motivation Memory is a shared resource Core Core Memory Core Core Threads requests

738 views • 48 slides
Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus

Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus

Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus Hartke Olaf Bergmann Datagram Transport Layer Security in Constrained Environments Smart Objects: want the security that DTLS provides

452 views • 18 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp; profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
2019 BUDGET PROPOSAL Process Core services surveys (security, land &amp; lakes, general

2019 BUDGET PROPOSAL Process Core services surveys (security, land &amp; lakes, general

2019 BUDGET PROPOSAL Process Core services surveys (security, land &amp; lakes, general maintenance, livability, &amp; recreation) Summer: Department heads begin developing initial drafts September: draft budget distributed to Finance

675 views • 15 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
The Elective Options 7 th Grade Core &amp; Electives Core Choose Core &amp; Elective

The Elective Options 7 th Grade Core &amp; Electives Core Choose Core &amp; Elective

Co Cours rse e Info format mation ion Co Conve vers rsati ation on th 8 th th Grade 7 th ade Understanding The Core Requirements And The Elective Options 7 th Grade Core &amp; Electives Core Choose Core &amp; Elective

252 views • 13 slides
Welcome Welcome Core: Core A Regional Destination Core: Core UL Core: Core Downtown

Welcome Welcome Core: Core A Regional Destination Core: Core UL Core: Core Downtown

Welcome Welcome Core: Core A Regional Destination Core: Core UL Core: Core Downtown Core: Core Oil Center Center Core: Core Horse Farm Aspects: Bertrand Bertrand Aspects: Bertrand Bertrand Aspects: Bertrand Bertrand

200 views • 17 slides
RPS 205 Core Values Importance in Adopting Organizational Core Values The core values are the

RPS 205 Core Values Importance in Adopting Organizational Core Values The core values are the

RPS 205 Core Values Importance in Adopting Organizational Core Values The core values are the guiding principles that dictate behavior and action. Support our vision Shape the culture Redefine our identity Clarify the expectations

590 views • 16 slides
Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca

Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca

Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca Ada Popa November 15, 2016 Contains new slides, slides from past CS 161 offerings and slides from Dan Boneh Announcements Last core lecture,

2.06k views • 100 slides
SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation

What is This Iowa Core and Common Core Curriculum? And where are we in the implementation process? What is the Common Core? The Common Core State Standards Initiative is sponsored by the National Governors Association (NGA) and the Council of

567 views • 21 slides
What is core training? The core is the platform for movement. Chop off the head, legs and

What is core training? The core is the platform for movement. Chop off the head, legs and

What is core training? The core is the platform for movement. Chop off the head, legs and arms and you are left with the core. Upper Back/ Postural Muscles are often overlooked. Rounded backs during planks or other core

277 views • 12 slides
Get Ready for Workday Update 32 The HCM Overview Veronica White Solution Architect - HCM Core

Get Ready for Workday Update 32 The HCM Overview Veronica White Solution Architect - HCM Core

Get Ready for Workday Update 32 The HCM Overview Veronica White Solution Architect - HCM Core HCM Core HCM 1. 2. 3. Worker Full Time Autocomplete Document Equivalent Hire From Security Workday Recruiting 1 What is it?

583 views • 37 slides
Strategy Strategy Funnel Explore. Investigate. Incubate. Evaluate. Charter. Strengthen the

Strategy Strategy Funnel Explore. Investigate. Incubate. Evaluate. Charter. Strengthen the

Strategy Strategy Funnel Explore. Investigate. Incubate. Evaluate. Charter. Strengthen the Core of the Web Core; Security; Privacy; A11Y, I18N Meet Industry Needs Publishing; Payments; Core Excite with Next Level Experience

267 views • 13 slides

More recommend