1. IT-Security >
  2. Hacking >
  3. CVE-2020-7454: Killing Two Birds with One Bug in libalias

ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

CVE-2020-7454: Killing Two Birds with One Bug in libalias


Hacking vom | Direktlink: thezdi.com Nachrichten Bewertung

At the beginning of February 2020, the ZDI received a submission detailing a bug in Oracle VirtualBox that could lead to an out-of-bounds access in the libalias packet aliasing library. It was reported to us by the researcher Vishnu Dev TJ and eventually assigned CVE-2020-7454 when patched. When analyzing the submission, I found the bug existed in FreeBSD as well. This blog covers CVE-2020-7454 on both VirtualBox and FreeBSD and shows how the maintenance of third-party or shared code can be a difficult task.

For those not familiar, libalias is a library for the aliasing and de-aliasing of IP packets. It is also intended for masquerading and network address translation (NAT). With its masquerading and NAT features, it’s understandable why it would be used by VirtualBox for various functions. However, libalias originates from FreeBSD. VirtualBox maintains its own fork of the library. Unfortunately, this vulnerability is shared between the versions. It leads to an out-of-bounds (OOB) access in the FreeBSD kernel and user mode. The bug was addressed in VirtualBox 6.1.6 and FreeBSD-SA-20:12.

Looking at Oracle VirtualBox

The following analysis is based on VirtualBox 6.1.4. The root cause of the bug is in the AliasHandleUdpNbtNS() function, which is responsible for parsing the NetBIOS Name Service packet on UDP port 137. The relevant part is shown below in simplified form.

At (1) in the code snippet above, uh_ulen is the UDP header length field, which is sent from the untrusted guest OS. The maximum possible value is 0xFFFF. By using a large uh_ulen value, an attacker can generate an overly large ‘pmaxvalue. Next, if the UDP packet contains Answer Resource Records and its type is specified as NetBIOS General Service, execution will reach theAliasHandleResourceNB()` function:

At (2) in the code snippet above, the while loop attempts to look for the old address in the packet and replace it with the new address until pmax. Since pmax is a large value, an out-of-bounds read will occur at (3). Furthermore, it may also write OOB at (4) if the old address is found.

An attacker on the guest OS can construct an invalid UDP header length to trigger the OOB access on the host OS. The UDP port 137 is open in the default configuration of VirtualBox. To address this bug, Oracle added a validation for the UDP header length shown at (1) in Snippet 1 above.

Looking at FreeBSD 12.1

As mentioned above, the libalias library originates from FreeBSD. While analyzing the submission in Oracle VirtualBox, I discovered this bug also affects FreeBSD when using ipfw for NAT. The ipfw packet filter contains two different methods of accomplishing NAT: one in kernel and one in user space. Both implementations use the same functions provided by libalias. This means that the bug can be triggered either in the kernel or in the userland program (natd), depending on the NAT configuration.

Here is the related configuration for FreeBSD 12.1 Release needed to trigger the bug in the kernel:

The OOB access happens in alias_nbt.ko, which is a loaded kernel module.

If the NAT configuration is based on userland, the OOB access happens in libalias_nbt.so in the context of the natd process. Both scenarios may be triggered remotely without authentication.

During my analysis I found an additional surprise. The libalias library in FreeBSD contains another variant of the same bug within the handling of CuSeeMe protocol, which listens on UDP port 7648 by default.

However, this bug does not exist in VirtualBox, which means the patch for FreeBSD is different than the one for VirtualBox. A validation is added in both the UdpAliasIn() and UdpAliasOut() functions, which is the appropriate level to handle UDP packets. It effectively patches any protocol that contains this kind of bug.

Conclusion

This case study shows that the maintenance of third-party or shared code is a difficult task. Even if the source code is patched or updated, those changes must be made to the upstream products as well. And even when you are in sync with the third-party, a vulnerability in the shared code has twice the impact since it affects both products. Oracle VirtualBox is becoming more popular with user and security researchers alike. Thanks again to Vishnu Dev TJ for reporting this and other VirtualBox bugs. We look forward to seeing more from him in the future.

Until then, you can find me on Twitter @_wmliang_, and follow the team for the latest in exploit techniques and security patches.

...

Externe Webseite mit kompletten Inhalt öffnen



https://www.thezdi.com/blog/2020/6/29/cve-2020-7454-killing-two-systems-with-one-bug-in-libalias

Team Security Social Media

➤ Weitere Beiträge von Team Security | IT Sicherheit

  • The March 2020 Security Update Review

    vom 565.21 Punkte ic_school_black_18dp
    March is upon us, and it brings a bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for March 2020Oddly, Adobe
  • The February 2020 Security Update Review

    vom 560.41 Punkte ic_school_black_18dp
    February is here, and with it comes some significant security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2020The Adobe
  • The June 2020 Security Update Review

    vom 559.4 Punkte ic_school_black_18dp
    June is here, and it brings with it a record number of security patches from Microsoft, and a few from Adobe as well. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe
  • The May 2020 Security Update Review

    vom 556.49 Punkte ic_school_black_18dp
    May is upon us, and with it brings another bumper crop of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for May 2020The Adobe updat
  • The April 2020 Security Update Review

    vom 549.83 Punkte ic_school_black_18dp
    April is here, and it brings another cornucopia of security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.Adobe Patches for April 2020For April, Ad
  • USN-3415-1: tcpdump vulnerabilities

    vom 542.46 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3415-1 13th September, 2017 tcpdump vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixe
  • USN-3415-2: tcpdump vulnerabilities

    vom 542.46 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3415-2 13th September, 2017 tcpdump vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary Several security issues were fixed in tcpdump Software description tcpdump
  • CVE-2020-7454: Killing Two Birds with One Bug in libalias

    vom 385.44 Punkte ic_school_black_18dp
    At the beginning of February 2020, the ZDI received a submission detailing a bug in Oracle VirtualBox that could lead to an out-of-bounds access in the libalias packet aliasing library. It was reported to us by the researcher Vishnu Dev TJ and eventua
  • The January 2020 Security Update Review

    vom 323.59 Punkte ic_school_black_18dp
    Welcome to the new year, and welcome to the first Patch Tuesday of 2020. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for January 2020Adobe begins the ye
  • USN-3131-1: ImageMagick vulnerabilities

    vom 310.41 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3131-1 21st November, 2016 imagemagick vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several sec
  • USN-3131-1: ImageMagick vulnerabilities

    vom 310.41 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3131-1 21st November, 2016 imagemagick vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several sec
  • Movierulz 2020 | Download Watch Telugu Bollywood and Hollywood Full Movies Online Free

    vom 292.93 Punkte ic_school_black_18dp
    Movierulz - Download watch latest Bollywood Hollywood Hindi English Telugu Tamil Malayalam Dubbed Kannada Marathi Punjabi movies online free movierulz torrent8Movierulz.ws- Download Watch Telugu Bollywood and Hollywood Full Movies Online FreeThe torre

Team Security Diskussion über CVE-2020-7454: Killing Two Birds with One Bug in libalias