Bypassing Virtualbox Procedure Hardening On Windows

Posted yesteryear James Forshaw,

Processes on Windows are securable objects, which prevents 1 user logged into a Windows machine from compromising some other user’s processes. This is a pretty of import safety feature, at to the lowest degree from the perspective of a non-administrator user. The safety prevents a non-administrator user from compromising the integrity of an arbitrary process. This safety barrier breaks downward when trying to protect against administrators, specifically administrators alongside Debug privilege, as enabling this privilege allows the administrator to opened upwards whatsoever procedure regardless of the safety applied to it.

There are cases where applications or the operating organization desire to actively defend processes from users such as administrators or even, inwards some cases, the same user as the running procedure who’d unremarkably conduct hold total access. Protecting the processes is a pretty hard challenge if done solely from user vogue applications. Therefore many solutions utilisation pith back upwards to perform the protection. In the bulk of cases these sorts of techniques soundless conduct hold flaws, which nosotros tin exploit to compromise the “protected” process.

This spider web log transportation service volition describe the implementation of Oracle’s VirtualBox protected procedure in addition to particular 3 different, but at 1 time fixed, ways of bypassing the protection in addition to injecting arbitrary code into the process. The techniques I’ll introduce tin as hold upwards applied to similar implementations of “protected” processes inwards other applications.

Oracle VirtualBox Process Hardening

Protecting processes solely inwards user vogue is pretty much impossible, at that spot are only as good many ways of injecting content into a process. This is peculiarly truthful when the procedure you’re trying to protect is running nether the same context as the user you’re trying to block. An aggressor could, for example, opened upwards a handgrip to the procedure alongside PROCESS_CREATE_THREAD access in addition to straight inject a novel thread. Or they could opened upwards a thread inwards the procedure alongside THREAD_SET_CONTEXT access in addition to straight modify the Instruction Pointer to bound to an arbitrary location. These are only the direct attacks. The aggressor could also modify the registry or surroundings the procedure is running under, so strength the procedure to charge arbitrary COM objects, or Windows Hooks. The listing of possible modifications is almost endless.

Therefore, VirtualBox (VBOX) enlists the aid of the pith to essay to protect its processes. The source code refers to this as Process Hardening. VBOX tries to protect the processes from the same user the procedure is running under. Influenza A virus subtype H5N1 detailed rationale in addition to technical overview is provided inwards source code comments. The TL;DR; is the protection gates access to the VBOX pith drivers, which due to blueprint conduct hold a number of methods which tin hold upwards used to compromise the kernel, or at to the lowest degree lift privileges. This is why VBOX tries to forestall the electrical flow user compromising the process, getting access to the VBOX pith driver would hold upwards a road to Kernel or System privileges. As we’ll regard though spell some protections also forestall administrators compromising the processes that’s non the aim of the hardening code.

Multiple examples of issues alongside the driver in addition to protection from device access were discovered yesteryear my colleague Jann inwards VBOX on Linux. On Linux, VBOX limits access to the VBOX driver to root only, in addition to uses SUID binaries to allow the VBOX user processes to larn access to the driver before dropping privileges. On Windows instead of SUID binaries the VBOX driver uses pith APIs to essay to halt users in addition to administrators opening protected processes in addition to injecting code.

The core of the pith ingredient is inwards the Support\win\SUPDrv-win.cpp file. This code registers alongside ii callback mechanisms supported yesteryear modern Windows kernels:

1. PsSetCreateProcessNotifyRoutineEx - Driver is notified when a novel procedure is created.
2. ObRegisterCallback - Driver is notified when Process in addition to Thread handles are created or duplicated.

The notification from PsSetCreateProcessNotifyRoutineEx is used to configure the protection structures for a novel process. When the procedure after tries to opened upwards a handgrip to the VBOX driver the hardening volition only permit access after the next verification steps are performed inwards the telephone phone to supHardenedWinVerifyProcess:

1. Ensure at that spot are no debuggers attached to the process.
2. Ensure at that spot is only a unmarried thread inwards the process, which should hold upwards the 1 opening the driver to forestall in-process races.
3. Ensure at that spot are no executable retention pages exterior of a modest laid of permitted DLLs.
4. Verify the signatures of all loaded DLLs.
5. Check the primary executable’s signature in addition to that it is of a permitted type of executable (e.g. VirtualBox.exe).

Signature verification inwards the pith is done using custom runtime code compiled into the driver. Only a express laid of Trusted Roots are permitted to hold upwards verified at this step, primarily Microsoft’s OS in addition to Authenticode certificates as good as the Oracle certificate that all VBOX binaries are signed with. You tin discovery the listing of permitted certificates inwards the source repository.

The ObRegisterCallback notification is used to bound the maximum access whatsoever other user procedure on the organization tin hold upwards granted to the protected process. The ObRegisterCallback API was designed for Anti-Virus to protect processes from existence injected into or terminated yesteryear malicious code. VBOX uses a similar approach in addition to limits whatsoever handgrip to the protected procedure to the next access rights:

• PROCESS_TERMINATE
• PROCESS_VM_READ
• PROCESS_QUERY_INFORMATION
• PROCESS_QUERY_LIMITED_INFORMATION
• PROCESS_SUSPEND_RESUME
• DELETE
• READ_CONTROL
• SYNCHRONIZE

The permitted access rights give the user most of the typical rights they’d expect, such as existence able to read memory, synchronize to the procedure in addition to terminate it but does non allow injecting novel code into the process. Similarly, access to threads is restricted to the next access rights to forestall alteration of a thread’s context or similar attacks.

• THREAD_TERMINATE
• THREAD_GET_CONTEXT
• THREAD_QUERY_INFORMATION
• THREAD_QUERY_LIMITED_INFORMATION
• DELETE
• READ_CONTROL
• SYNCHRONIZE

We tin verify this access limitation yesteryear opening the VirtualBox procedure in addition to 1 of its threads in addition to regard what access rights we’re granted. For illustration the next pic highlights the procedure in addition to thread granted access.

While the pith callbacks forestall direct alteration of the procedure as good as a user trying to compromise the integrity of the procedure at startup they produce really picayune against runtime DLL injection such as through COM. The hardening implementation needs to create upwards one's hear on what modules it’ll allow to hold upwards loaded into the process. The decision, fundamentally, is based on Authenticode code signing.

There are mitigation options to enable loading only Microsoft signed binaries (such as PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY). However, this policy isn’t really flexible. Therefore, protected VBOX processes install hooks to a distich of internal functions inwards user-mode to verify the integrity of whatsoever DLL which is existence loaded into memory. The hooked functions are:

1. LdrLoadDll - Called to charge a DLL into memory.
2. NtCreateSection - Called to create an Image Section object for a PE file on disk.
3. LdrRegisterDllNotification - This is a quasi-officially supported callback which notifies the application when a novel DLL is loaded or unloaded.

These hooks expand the permitted laid of signed DLLs which tin hold upwards loaded. The pith signature verification is okay for bootstrapping the procedure as only Oracle in addition to Microsoft code should hold upwards present. However, when it comes to running a non-trivial application ( VirtualBox.exe is sure enough non-trivial) you’re probable to demand to charge third-party signed code such as GPU drivers. As the hooks are inwards user vogue it’s easier to telephone phone the organization WinVerifyTrust API which volition verify certificate chains using the organization certificate stores as good as treatment the verification of files signed inwards a Catalog file.

If the DLL existence loaded doesn’t run across VBOX’s expected criteria for signing so the user-mode hooks volition spend upwards loading that DLL. VBOX soundless doesn't completely trust the user; WinVerifyTrust volition chain certificates dorsum to a root certificate inwards the user’s CA certificates. However, VBOX volition only trust organization CA certificates. As a non-administrator cannot add together a novel trusted root certificate to the system’s listing of CA certificates this should severely bound the injection of malicious DLLs.

You tin larn a existent code signing certificate which should also hold upwards trusted, but the supposition is malicious code wouldn’t desire to become downward that route. Even if the code is signed the loader also checks that the DLL file is owned yesteryear the TrustedInstaller user. This is checked inwards supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar. Influenza A virus subtype H5N1 normal user should non hold upwards able to modify the possessor of a file to anything but themselves, thence it should bound the impact of the behaviour to allow whatsoever signed file to load.

The VBOX code does conduct hold a component subdivision which is supposed to trammel what certificates are permitted supR3HardenedWinIsDesiredRootCA as roots. In official builds the function’s whitelist of specific CAs is commented out. There’s a blacklist of certificates, however, unless your companionship is called “U.S. Robots in addition to Mechanical Men, Inc” the blacklist won’t conduct upon you.

Even alongside all this protection the procedure isn’t secure against an administrator. While an administrator can’t bypass the safety on opening the process, they tin install a local machine Trusted Root CA certificate in addition to sign a DLL, laid its possessor in addition to strength it to hold upwards loaded. This volition bypass the icon verification in addition to charge into the verified VBOX process.

In summary the VBOX hardening is attempting to render the next protections:

1. Ensure that no code is injected into protected binaries during initialization.
2. Prevent user processes from opening “writable” handles to protected processes or threads which would allow arbitrary code injection.
3. Prevent injection of untrusted DLLs through normal loading routes such as COM.

This whole procedure is probable to conduct hold some bugs in addition to border cases. There’s so many dissimilar verification checks which must all fit together. So, assuming nosotros don’t desire to larn a code signing certificate in addition to nosotros don’t conduct hold administrator rights how tin nosotros larn arbitrary code running within a protected VBOX process? We’ll focus primarily on the 3rd protection inwards the list, as this is possibly the most complex component subdivision of the protection in addition to thence is probable to conduct hold the most issues.

Exploiting the Chain-of-Trust inwards COM Registration

The commencement bug I’m going to describe was fixed as CVE-2017-3563 inwards VBOX version 5.0.38/5.1.20. This number exploits the chain-of-trust for DLL loading to describe a fast 1 on VBOX into loading Microsoft signed DLLs which only move on to allow untrusted arbitrary code execution.

If y'all run Process Monitor against the protected VBOX procedure you’ll notice that it uses COM, specifically it uses the VirtualBoxClient degree which is implemented inwards the VBoxC.dll COM server.

The squeamish thing most COM server registration, at to the lowest degree from the perspective of an attacker, is the registration for a COM object tin hold upwards inwards 1 of ii places, the user’s registry hive, or the local machine registry hive. For reasons of compatibility the user’s hive is checked first, before falling dorsum to the local machine hive. Therefore it’s possible to override a COM registration alongside a normal user’s permission, so when an application tries to charge the designated COM object the application volition instead charge whatever DLL we’ve overridden it with.

Hijacking COM objects is non a novel technique, it’s been known for many years peculiarly for the purposes of Malware persistence. It’s seen a resurgence of tardily because of the renewed involvement inwards all things COM. However, it’s rare that COM hijacking is of importance for elevation of privilege exterior of UAC bypasses.

As an aside, the connector betwixt UAC in addition to COM hijacking is the COM runtime actively tries to forestall the hijack existence used as an EoP road yesteryear disabling sure User registry lookups if the electrical flow procedure is elevated. Of course of teaching it wasn’t ever AppLocker bypass as good as existence loaded from HTTP URLs. What’s of most involvement inwards this illustration is they tin also hold upwards registered as a COM object.

A registered WSC consists of ii parts:

1. The WSC runtime scrobj.dll which acts as the in-process COM server.
2. A file which contains the implementation of the Scriptlet inwards a compatible scripting language.

When an application tries to charge the registered degree scrobj.dll gets loaded into memory. The COM runtime requests a novel object of the required degree which causes the WSC runtime to become dorsum to the registry to lookup the URL to the implementation Scriptlet file. The WSC runtime so loads the Scriptlet file in addition to executes the embedded script contained inwards the file in-process. The key hither is that as long as scrobj.dll (and whatsoever associated script linguistic communication libraries such as JScript.dll) are valid signed DLLs from VBOX’s perspective so the script code volition run as it tin never hold upwards checked yesteryear the hardening code. This would larn arbitrary code running within the hardened process. First let’s banking company check that scrobj.dll is probable to hold upwards allowed to hold upwards loaded yesteryear VBOX. The next screenshot shows the DLL is both signed yesteryear Microsoft in addition to is also owned yesteryear TrustedInstaller.

So what does a valid Scriptlet file expression like? It’s a unproblematic XML file, I’m non going to become into much particular most what each XML chemical element means, other than to dot out the script block which volition execute arbitrary JScript code. In this illustration all this Scriptlet volition produce when loaded is start the Calculator process.

<scriptlet>
 <registration
   description ="Component"
   progid="Component"
   version="1.00"
   classid="{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}"
 />
 <public/>
 <script language = "JScript" >
 <![CDATA[
 new ActiveXObject('WScript.Shell').Exec('calc');
 ]]>
 </script>
</scriptlet>

If you’re written much code inwards JScript or VBScript y'all mightiness at 1 time notice a problem, these languages can’t produce that much unless it’s implemented yesteryear a COM object. In the illustration Scriptlet file nosotros can’t create a novel procedure without loading the WScript.Shell COM object in addition to calling its Exec method. In club to beak to the VBOX driver, which is whole purpose of injecting code inwards the commencement place, we’d demand a COM object which gives us that functionality. We can’t implement the code inwards some other COM object as that wouldn’t transcend the icon signing checks we’re trying to bypass. Of course, there’s ever memory corruption bugs inwards scripting engines but, as everyone already knows yesteryear now, I’m non a fan of exploiting retention corruptions so nosotros demand some other way of getting fully arbitrary code execution. Time to convey inwards the big guns, the .NET Framework.

The .NET runtime loads code into retention using the normal DLL loading routines. We can’t thence charge a .NET DLL which isn’t signed into retention as that would soundless larn caught yesteryear VBOX’s hardening code. However, .NET does back upwards loading arbitrary code from an in-memory array using the Assembly::Load method in addition to 1 time loaded this code tin basically deed as if it was native code, calling arbitrary APIs in addition to inspecting/modifying memory. As the .NET framework is signed yesteryear Microsoft all nosotros demand to produce is somehow telephone phone the Load method from our Scriptlet file in addition to nosotros tin larn total arbitrary code running within the process.

Where produce nosotros fifty-fifty start on achieving this goal? From a previous spider web log post it’s possible to expose .NET objects as COM objects through registration in addition to yesteryear abusing Binary Serialization nosotros tin charge arbitrary code from a byte array. Many core .NET runtime classes are automatically registered as COM objects which tin hold upwards loaded in addition to manipulated yesteryear a scripting engine. The big enquiry tin at 1 time hold upwards asked, is BinaryFormatter exposed as a COM object?

Why, yes it is. BinaryFormatter is a .NET object that a scripting engine tin charge in addition to interact alongside via COM. We could at 1 time accept the in conclusion binary flow from my previous transportation service in addition to execute arbitrary code from memory. In the previous spider web log transportation service the execution of the untrusted code had to occur during deserialization, inwards this illustration nosotros tin interact alongside the results of deserialization inwards a script which tin brand the serialization gadgets nosotros demand much simpler.

In the destination I chose to deserialize a Delegate object which when executed yesteryear the script engine would charge an Assembly from retention in addition to render the Assembly instance. The script engine could so instantiate an instance of a Type inwards that Assembly in addition to run arbitrary code. It does audio unproblematic inwards principle, inwards reality at that spot are a number of caveats. Rather than bog downward this spider web log transportation service alongside to a greater extent than particular than necessary the tool I used to generate the Scriptlet file, DotNetToJScript is available so y'all tin read how it works yourself. Also the PoC is available on the number tracker here. The chain from the JScript ingredient to existence able to telephone phone the VBOX driver looks something similar the following:

I’m non going to become into what y'all tin at 1 time produce alongside the VBOX driver 1 time you’ve got arbitrary code running the hardened process, that’s sure enough a topic for some other post. Although y'all mightiness desire to expression at 1 of Jann’s issues which describes what y'all mightiness produce on Linux.

How did Oracle cook the issue? They added a blacklist of DLLs which are non allowed to hold upwards loaded yesteryear the hardened VBOX process. The only DLL currently inwards that listing is scrobj.dll. The listing is checked after the verification of the file has taken house in addition to covers both the electrical flow filename as good as the internal Original Filename inwards the version resources. This prevents y'all only renaming the file to something else, as the version resources are component subdivision of the signed PE information in addition to so cannot hold upwards modified without invalidating the signature. In fairness to Oracle I’m non sure at that spot was whatsoever other sensible way of blocking this assail vector other than a DLL blacklist.

Exploiting User-Mode DLL Loading Behavior

The minute bug I’m going to describe was fixed as CVE-2017-10204 inwards VBOX version 5.1.24. This number exploits the behaviour of the Windows DLL loader in addition to some bugs inwards VBOX to describe a fast 1 on the hardening code to allow an unverified DLL to hold upwards loaded into retention in addition to executed.

While this põrnikas doesn’t rely on exploiting COM loading as such, the per-user COM registration is a convenient technique to larn LoadLibrary called alongside an arbitrary path. Therefore we’ll move on to utilisation the technique of hijacking the VirtualBoxClient COM object in addition to only utilisation the in-process server path as a agency to charge the DLL.

LoadLibrary is an API alongside a number of good known, but foreign behaviors. One of the to a greater extent than interesting from our perspective is the behaviour alongside filename extensions. Depending on the extension the LoadLibrary API mightiness add together or take the extension before trying to charge the file. I tin summarise it inwards a table, showing the file cite as passed to LoadLibrary in addition to the file it genuinely tries to load.

Original File Name	Loaded File Name
c:\test\abc.dll	c:\test\abc.dll
c:\test\abc	c:\test\abc.dll
c:\test\abc.blah	c:\test\abc.blah
c:\test\abc.	c:\test\abc

I’ve highlighted inwards greenish the ii of import cases. These are the cases where the filename passed into LoadLibrary doesn’t jibe the filename which eventually gets loaded. The occupation for whatsoever code trying to verify a DLL file before loading it is CreateFile doesn’t follow these rules so inwards the highlighted cases if y'all opened the file for signature verification using the master file cite you’d verify a dissimilar file to the 1 which eventually gets loaded.

In Windows there’s usually a clear separation betwixt Kernel32 code, which tends to bargain alongside the many weird behaviors Win32 has built upwards over the years in addition to the “clean” NT layer exposed yesteryear the pith through NTDLL. Therefore as LoadLibrary is inwards Kernel32 in addition to LdrLoadDll (which is the component subdivision the hardening hooks) is inwards NTDLL so this weird extension behaviour would hold upwards handled inwards the former. Let’s expression at a really simplified version of LoadLibrary to regard if that’s the case:

HMODULE LoadLibrary(LPCWSTR lpLibFileName)
{
 UNICODE_STRING DllPath;
 HMODULE ModuleHandle;
 ULONG Flags = // Flags;

 RtlInitUnicodeString(&DllPath, lpLibFileName);  
 if (NT_SUCCESS(LdrLoadDll(DEFAULT_SEARCH_PATH,
     &Flags, &DllPath, &ModuleHandle))) {
   return ModuleHandle;
 }
 return NULL;
}

We tin regard inwards this code that for all intents in addition to purposes LoadLibrary is only a wrapper only about LdrLoadDll. While it’s genuinely to a greater extent than complex than that inwards reality the takeaway is that LoadLibrary does non modify the path it passes to LdrLoadDll inwards whatsoever way other than converting it to a UNICODE_STRING. Therefore possibly if nosotros specify a DLL to charge without an extension VBOX volition banking company check the extension-less file for the signature but LdrLoadDll volition instead charge the file alongside the .DLL extension.

Before nosotros tin evidence that we’ve got some other occupation to bargain with, the requirement that the file is owned yesteryear TrustedInstaller. For the file nosotros desire VBOX to signature banking company check all nosotros demand to produce is give an existing valid, signed file a dissimilar filename. This is what hard links were created for; nosotros tin create a dissimilar cite inwards a directory nosotros command which genuinely links to a organization file which is signed in addition to also maintains its master safety descriptor including the owner. The problem alongside hard links is, as I described almost 2 years agone inwards a blog post, spell Windows supports creating links to organization files y'all can’t write to, the Win32 APIs, in addition to yesteryear extension the slow to access “mklink” command inwards the CMD trounce require the file hold upwards opened alongside FILE_WRITE_ATTRIBUTES access. Instead of using some other application to create the link we’ll only re-create the file, yet the re-create volition no longer conduct hold the master safety descriptor in addition to so it’ll no longer hold upwards owned yesteryear TrustedInstaller. To larn only about that let’s expression at the checking code to regard if there’s a way only about it.

The primary banking company check for the Owner is inwards supHardenedWinVerifyImageByLdrMod. Almost the commencement thing that component subdivision does is telephone phone supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar which nosotros saw earlier. However as the comments higher upwards the check indicate the code volition also allow files nether System32 in addition to WinSxS directories to non hold upwards owned yesteryear TrustedInstaller. This is a jitney sized hole inwards the dot of the check, as all nosotros demand is 1 writeable directory nether System32. We tin discovery some yesteryear running the Get-AccessibleFile cmdlet inwards my NtObjectManager PS module.

There are enough to conduct from, we’ll only pick the Tasks folder as it’s guaranteed to ever hold upwards there. So the exploit should hold upwards as follows:

1. Copy a signed binary to %SystemRoot%\System32\Tasks\Dummy\ABC
2. Copy an unsigned binary to %SystemRoot%\System32\Tasks\Dummy\ABC.DLL
3. Register a COM hijack pointing the in-process server to the signed file path from 1.

If y'all essay to start a Virtual Machine you’ll discovery that this describe a fast 1 on works. The hardening code checks the ABC file for the signature, but LdrLoadDll ends upwards loading ABC.DLL. Just to banking company check nosotros didn’t only exploit something else let’s banking company check the hardening log:

\..\Tasks\dummy\ABC: Owner is non trusted installer

\..\Tasks\dummy\ABC: Relaxing the TrustedInstaller requirement for this DLL (it's inwards system32).

supHardenedWinVerifyImageByHandle: -> 0 (\..\Tasks\dummy\ABC)

supR3HardenedMonitor_LdrLoadDll: pName=c:\..\tasks\dummy\ABC [calling]

The commencement ii lines dot the bypass of the Owner banking company check as nosotros expected. The minute ii dot it’s verified the ABC file in addition to thence will telephone phone the master LdrLoadDll, which ultimately volition append the extension in addition to essay to charge ABC.DLL instead. But, wait, how come upwards the other checks inwards NtCreateSection in addition to the loader callback don’t conduct take hold of loading a completely dissimilar file? Let’s search for whatsoever instance of ABC.DLL inwards the residuum of the hardening log to discovery out:

\..\Tasks\dummy\ABC.dll: Owner is non trusted installer

\..\Tasks\dummy\ABC.dll: Relaxing the TrustedInstaller requirement for this DLL (it's inwards system32).

supHardenedWinVerifyImageByHandle: -> 22900 (\..\Tasks\dummy\ABC.dll)

supR3HardenedWinVerifyCacheInsert: \..\Tasks\dummy\ABC.dll

supR3HardenedDllNotificationCallback:  c:\..\tasks\dummy\ABC.DLL

supR3HardenedScreenImage/LdrLoadDll: cache hitting (Unknown Status 22900) on \...\Tasks\dummy\ABC.dll

Again the commencement ii lines dot nosotros bypassed the Owner banking company check because of our file's location. The side yesteryear side line, supHardenedWinVerifyImageByHandle is to a greater extent than interesting however. This component subdivision verifies the icon file. If y'all expression dorsum inwards this spider web log at the before log of this banking company check you’ll discovery it returned the trial -22900, which was considered an error. However inwards this illustration it’s returning 22900, which as VBOX is treating whatsoever trial >= 0 as success the hardening code gets confused in addition to assumes that the file is valid. The negative fault code is VERR_LDRVI_NOT_SIGNED inwards the source code, whereas the positive “success” code is VINF_LDRVI_NOT_SIGNED.

This seems to hold upwards a põrnikas inwards the verification code when calling code inwards the DLL Loader Lock, such as inwards the NtCreateSection hook. The code can’t telephone phone WinVerifyTrust inwards illustration it tries to charge some other DLL, which would drive a deadlock. What would unremarkably move on is VINF_LDRVI_NOT_SIGNED is returned from the internal signature checking implementation. That implementation tin only handgrip files alongside embedded signatures, so if a file isn’t signed it returns that information code to larn the verification code to banking company check if the file is catalog signed. What’s supposed to move on is WinVerifyTrust is called in addition to if the file is soundless non signed it returns the fault code, yet as WinVerifyTrust can’t hold upwards called due to the lock the information code gets propagated to the caller which assumed it’s a success code.

The in conclusion enquiry is why the in conclusion Loader Callback doesn’t conduct take hold of the unsigned file? VBOX implements a signed file cache based on the path to avoid checking a file multiple times. When the telephone phone to supHardenedWinVerifyImageByHandle was taken to hold upwards a success the verifier called supR3HardenedWinVerifyCacheInsert to add together a cache entry for this path alongside the “success” code. We tin regard that inwards the Loader Callback it tries to verify the file but gets dorsum a “success” code from the cache so assumes everything's okay, in addition to the loading procedure is allowed to complete.

Quite a complex laid of interactions to larn code running. How did Oracle cook this issue? They only add the DLL extension if there’s no extension present. They also handgrip the illustration where the filename has a trailing catamenia (which would hold upwards removed when loading the DLL).

Exploiting Kernel-Mode Image Loading Behavior

The in conclusion bug I’m going to describe was fixed as CVE-2017-10129 inwards VBOX version 5.1.24. This isn’t genuinely a põrnikas inwards VBOX as much as it’s an unexpected behaviour inwards Windows.

Through all this it’s worth noting that there’s an implicit race status inwards what the hardening code is trying to do, specifically if y'all could modify the file betwixt the verification dot in addition to the dot where the file is mapped. In theory y'all could produce this to VBOX but the timing window is somewhat short. You could utilisation OPLOCKs in addition to the similar but it’s a combat of a pain, instead it’d hold upwards squeamish to larn the TOCTOU assail for free.

Let’s expression at how icon files are handled inwards the kernel. Mapping an icon file on Windows is expensive, the OS doesn’t utilisation position independent code in addition to so can’t only map the DLL into retention as a unproblematic file. Instead the DLL must hold upwards relocated to a specific retention address. This requires modifying pages of the DLL file to ensure whatsoever pointers are correctly fixed up. This is fifty-fifty to a greater extent than of import when y'all convey ASLR into the mix as ASLR volition almost ever strength a DLL to hold upwards relocated from its base of operations address. Therefore, Windows caches an instance of an icon mapping whenever it can, this is why the charge address of a DLL doesn’t modify betwixt processes on the same system, it’s using the same cached icon section.

The caching is genuinely inwards component subdivision nether command of the filesystem driver. When a file is opened the IO manager volition allocate a novel instance of the FILE_OBJECT construction in addition to transcend it to the IRP_MJ_CREATE handler for the driver. One of the fields that the driver tin so initialize is the SectionObjectPointer. This is an instance of the SECTION_OBJECT_POINTERS structure, which looks similar the following:

struct SECTION_OBJECT_POINTERS {
 PVOID DataSectionObject;
 PVOID SharedCacheMap;
 PVOID ImageSectionObject;
};

The fields themselves are managed yesteryear the Cache manager, but the construction itself must hold upwards allocated yesteryear the File System driver. Specifically the allotment should hold upwards 1 per-file inwards the filesystem; spell each opened upwards instance of a specific file volition conduct hold unique FILE_OBJECT instances the SectionObjectPointer should hold upwards the same. This allows the Cache manager to fill upwards inwards the dissimilar fields in addition to so reuse them if some other instance of the same file tries to hold upwards mapped.

The of import champaign hither is ImageSectionObject which contains the cached information for the mapped icon section. I’m non going to delve into particular of what the ImageSectionObject pointer contains as it’s non genuinely relevant. The of import thing is if the SectionObjectPointer and yesteryear extension the ImageSectionObject pointers are the same for a FILE_OBJECT instance so mapping that file as an icon volition map the same cached icon mapping. However, as ImageSectionObject pointer is non used when reading from a file it doesn’t follow that what’s genuinely cached soundless matches what’s on disk.

Trying to desynchronize the file information from the SectionObjectPointer seems to hold upwards pretty tricky alongside an NTFS volume, at to the lowest degree without administrator privileges. One scenario where y'all tin produce this desynchronization is via the SMB redirector when accessing network shares. The argue is pretty simple, it’s the local redirector’s responsibleness to allocate the SectionObjectPointer structure when a file is opened on a remote server. As far as the the redirector’s concerned if it opens the file \Share\File.dll on a server twice so it’s the same file. There’s no existent other information the redirector tin utilisation to verify the identity of the file, it has to guess. Any belongings y'all tin recall of, Object ID, Modification Time tin only hold upwards a lie. You could easily modify a re-create of SAMBA to produce this lying for you. The redirector also can’t lock the file in addition to ensure it stays locked. So it seems the redirector only doesn’t bother alongside whatsoever of it, if it looks similar the same file from its perspective it assumes it’s fine.

However this is only for the SectionObjectPointer, if the caller wants to read the contents of the file the SMB redirector volition become out to the server in addition to essay to read the electrical flow state of the file. Again this could all hold upwards lies, in addition to the server could render whatsoever information it likes. This is how nosotros tin create a desynchronization; if nosotros map an icon file from a SMB server, modify the underlying file information so reopen the file in addition to map the icon 1 time again the mapped icon volition hold upwards the cached one, but whatsoever information read from the file volition hold upwards what’s electrical flow on the server. This way nosotros tin map an untrusted DLL first, so supersede the file information alongside a signed, valid file (SMB supports reading the possessor of the file, so nosotros tin spoof TrustedInstaller), when VBOX tries to charge it it volition verify the signed file but map the cached untrusted icon in addition to it volition never know.

Having a remote server isn’t ideal, yet nosotros tin produce everything nosotros demand yesteryear using the local loopback SMB server in addition to access files via the admin shares. Contrary to their names admin shares are non express to administrators if you’re coming from localhost. The key to getting this to piece of work is to utilisation a Directory Junction. Junctions are resolved on the server, the redirector customer knows nix most them. Therefore as far as the customer is concerned if it opens the file \\localhost\c$\Dir\File.dll once, so reopens the same file these could hold upwards ii completely dissimilar files as shown inwards the next diagram:

Fortunately, 1 thing which should hold upwards evident from the previous ii issues is that VBOX’s hardening code doesn’t genuinely aid where the DLL is located as long as it meets its ii criteria, it’s owned yesteryear TrustedInstaller in addition to it’s signed. We tin dot the COM hijack to a SMB portion on the local system. Therefore nosotros tin perform the assail as follows:

1. Set upwards a junction on the C: drive pointing at a directory containing our untrusted file.
2. Map the file via the junction over the c$ admin portion using LoadLibrary, produce non release the mapping until the exploit is complete.
3. Change the junction to dot to some other directory alongside a valid, signed file alongside the same cite as our untrusted file.
4. Start VBOX alongside the COM hijack pointing at the file. VBOX volition read the file in addition to verify it’s signed in addition to owned yesteryear TrustedInstaller, yet when it maps it the cached, untrusted icon department volition hold upwards used instead.

So how did Oracle cook this? They at 1 time banking company check that the mapped file isn’t on a network portion yesteryear comparison the path against the prefix \Device\Mup.

Conclusions

The implementation of procedure hardening inwards VirtualBox is complex in addition to because of that it is quite fault prone. I’m sure at that spot are other ways of bypassing the protection, it only requires people to become looking. Of course of teaching none of this would hold upwards necessary if they didn’t demand to protect access to the VirtualBox pith driver from malicious use, but that’s a blueprint determination that’s likely going to hold upwards hard to cook inwards the brusk term.