
CVE-2015-3456 PoC — QEMU Floppy Disk Controller Buffer Error Vulnerability

Associated Vulnerability
Title: QEMU Floppy Disk Controller Buffer Error Vulnerability (CVE-2015-3456)
Description: QEMU (also known as Quick Emulator) is a processor emulator developed by the French programmer Fabrice Bellard; it is fast and cross-platform. The Floppy Disk Controller (FDC) in QEMU 2.3.0 and earlier, as used in Xen 4.5.x and earlier and in KVM, has a security vulnerability. A local attacker in a guest virtual machine can use specific commands (such as FD_CMD_READ_ID or FD_CMD_DRIVE_SPECIFICATION_COMMAND) to exploit it and cause a denial of service (out-of-bounds write and virtual machine crash) or execute arbitrary
Description
Experiments related to CVE-2015-3456
Readme
# Experiments related to CVE-2015-3456

This repository contains:

 - `exploit/`: an "exploit" (it just crashes QEMU).
 - `mock/`: a stripped-down version of QEMU. Only the vulnerability
   remains.
 - `patch/`: a program to patch a running instance of QEMU. The main
   point is to need neither debug symbols nor the original executable
   on disk. Therefore, some information has to be provided for this
   program to work as expected.
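As an added illustration of what the `mock/` directory isolates (example code written for this page, not the repository's `mock/fdc.c`), here is a minimal C model of the FDC data-register write path. The command value, the 512-byte FIFO and the missing reset in the READ_ID handler follow the upstream code; the out-of-bounds counter and the simplified command-length lookup are this example's own simplifications, so that the overflow can be observed without corrupting memory.

```c
/* Added example (not the repository's mock/fdc.c): a minimal model of the QEMU
 * FDC data-register write path in which CVE-2015-3456 lives.  The guest feeds
 * command and parameter bytes to the data port one at a time and each lands at
 * fifo[data_pos++] in a 512-byte FIFO.  The pre-fix handler for FD_CMD_READ_ID
 * (likewise FD_CMD_DRIVE_SPECIFICATION_COMMAND) returned without resetting
 * data_pos, so every later byte kept advancing the index past the buffer.  The
 * upstream fix reduces the index modulo FD_SECTOR_LEN before each FIFO access.
 * Instead of corrupting memory, this mock counts stores that would land past
 * the FIFO so the behaviour can be asserted safely. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SECTOR_LEN  512
#define FD_CMD_READ_ID 0x0a   /* command byte + 1 parameter byte */

struct fdctrl {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;     /* index of the next FIFO byte */
    uint32_t data_len;     /* bytes expected for the current command */
    int      bounds_fix;   /* 0: pre-fix behaviour, 1: index reduced mod FD_SECTOR_LEN */
    uint32_t oob_writes;   /* mock-only: stores that would have gone past fifo[] */
    uint32_t max_index;    /* mock-only: highest FIFO index written */
};

/* READ_ID handler as it was before the fix: it armed a result timer and
 * returned, never resetting data_pos. */
static void fdctrl_handle_read_id(struct fdctrl *f)
{
    (void)f;
}

/* Guest write to the FDC data register (I/O port 0x3f5). */
static void fdctrl_write_data(struct fdctrl *f, uint8_t value)
{
    uint32_t pos = f->data_pos++;
    if (f->bounds_fix)
        pos %= FD_SECTOR_LEN;           /* upstream fix: force access in bounds */

    if (pos < FD_SECTOR_LEN)
        f->fifo[pos] = value;
    else
        f->oob_writes++;                /* in real QEMU: heap write past fifo[] */
    if (pos > f->max_index)
        f->max_index = pos;

    if (f->data_pos == 1)               /* first byte selects the command and its length */
        f->data_len = ((value & 0x1f) == FD_CMD_READ_ID) ? 2 : 1;

    if (f->data_pos == f->data_len) {   /* all parameters received: dispatch */
        if ((f->fifo[0] & 0x1f) == FD_CMD_READ_ID)
            fdctrl_handle_read_id(f);   /* BUG: no reset, data_pos stays == data_len */
        else
            f->data_pos = f->data_len = 0;  /* mock: other commands reset the FIFO */
    }
}

/* Drive the mock the way a guest would: READ_ID, its parameter byte, then
 * `extra` more bytes hammered at the data port.  Returns the number of stores
 * that would have gone out of bounds; max_index_out gets the highest index. */
static uint32_t run_read_id_flood(int bounds_fix, uint32_t extra, uint32_t *max_index_out)
{
    struct fdctrl f;
    memset(&f, 0, sizeof f);
    f.bounds_fix = bounds_fix;
    fdctrl_write_data(&f, FD_CMD_READ_ID);   /* command byte */
    fdctrl_write_data(&f, 0x00);             /* drive/head select */
    for (uint32_t i = 0; i < extra; i++)
        fdctrl_write_data(&f, 0x41);         /* attacker-controlled filler */
    if (max_index_out)
        *max_index_out = f.max_index;
    return f.oob_writes;
}

static uint32_t read_id_flood_max_index(int bounds_fix, uint32_t extra)
{
    uint32_t idx = 0;
    run_read_id_flood(bounds_fix, extra, &idx);
    return idx;
}

int main(void)
{
    uint32_t idx, oob;
    oob = run_read_id_flood(0, 600, &idx);
    printf("pre-fix : %u out-of-bounds stores, highest index %u\n", oob, idx);
    oob = run_read_id_flood(1, 600, &idx);
    printf("with fix: %u out-of-bounds stores, highest index %u\n", oob, idx);
    return 0;
}
```

With 600 filler bytes the pre-fix path stores 90 bytes past the 512-byte FIFO (indices 512 to 601); with the modulo fix the index never leaves the buffer, which is exactly what the upstream patch enforces.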

The main idea behind the live patching is to modify the
`command_to_handler` array so that every command points to the "not
implemented" handler. Even though ptrace only stops part of the process
(the main thread), this seems a safe way to fix the vulnerability (as
long as you don't mind the floppy controller no longer working).

This kind of patching works because `command_to_handler` is a static
uninitialized variable and therefore ends up in the BSS segment, which
is writable. Also, unless the executable is PIE, the position of this
segment in memory is fixed at link time. Unfortunately, QEMU is usually
compiled as PIE, so the segment's address is randomized at load time:
only its offset from the executable's load base stays fixed, and the
base has to be recovered from the running process (e.g. from
`/proc/PID/maps`).
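The procedure described in the two paragraphs above, as an added C example that is not the repository's `patch/patch.c`: recover the load base from `/proc/PID/maps`, turn the link-time address of `command_to_handler` into a runtime address, and rewrite the table through ptrace. `SAMPLE_MAPS` is a constructed excerpt, and the link-time address and "not implemented" handler index are inputs you must take from an identical QEMU build (e.g. with readelf or objdump); nothing here is a real QEMU address.

```c
/* Added example, not the repository's patch/patch.c.  It performs the three
 * steps the README describes for a PIE QEMU: (1) parse /proc/PID/maps for the
 * executable's load base, (2) add the link-time address of the BSS symbol
 * command_to_handler to it, (3) attach with ptrace and overwrite all 256
 * entries with the index of the "not implemented" handler.  SAMPLE_MAPS is a
 * constructed excerpt, not a real capture. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* command_to_handler is uint8_t[256]: one handler index per command byte. */
static const char SAMPLE_MAPS[] =
    "55d0c3a00000-55d0c3b4c000 r--p 00000000 fd:01 1311 /usr/bin/qemu-system-x86_64\n"
    "55d0c4a3c000-55d0c4c90000 rw-p 0103b000 fd:01 1311 /usr/bin/qemu-system-x86_64\n"
    "55d0c4c90000-55d0c4d50000 rw-p 00000000 00:00 0 \n";

/* Step 1: the load base is the start of the first mapping of `exe` with file
 * offset 0.  Returns 0 when the executable is not mapped at all. */
static uintptr_t find_load_base(const char *maps, const char *exe)
{
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        unsigned long long start, end, off;
        int n = 0;  /* offset of the path field within the line */
        if (sscanf(line, "%llx-%llx %*4s %llx %*s %*s %n", &start, &end, &off, &n) == 3
            && n > 0 && (size_t)n < len && off == 0
            && len - (size_t)n == strlen(exe) && memcmp(line + n, exe, strlen(exe)) == 0)
            return (uintptr_t)start;
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Step 2: PIE code is relocated as a whole, so a link-time address is an
 * offset from the load base; in a non-PIE build it is already absolute. */
static uintptr_t runtime_address(int pie, uintptr_t base, uintptr_t link_addr)
{
    return pie ? base + link_addr : link_addr;
}

/* Step 3a: PTRACE_POKEDATA moves whole words, so a byte range is written by
 * read-modify-write of each containing word.  The caller has already attached. */
static int poke_bytes(pid_t pid, uintptr_t addr, const uint8_t *buf, size_t len)
{
    for (size_t done = 0; done < len; ) {
        uintptr_t waddr = (addr + done) & ~(uintptr_t)(sizeof(long) - 1);
        size_t skip = (addr + done) - waddr, n = sizeof(long) - skip;
        if (n > len - done) n = len - done;
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)waddr, NULL);
        if (word == -1 && errno) return -1;
        memcpy((uint8_t *)&word + skip, buf + done, n);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)waddr, (void *)word) == -1) return -1;
        done += n;
    }
    return 0;
}

/* Step 3b: stop the thread, point every command at `not_implemented`, resume.
 * As the README warns, only the ptraced (main) thread is paused meanwhile. */
static int patch_command_table(pid_t pid, uintptr_t table, uint8_t not_implemented)
{
    uint8_t filler[256];
    int status;
    memset(filler, not_implemented, sizeof filler);
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1
        || waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    int rc = poke_bytes(pid, table, filler, sizeof filler);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return rc;
}

int main(int argc, char **argv)
{
    static char maps[1 << 20], path[64];
    if (argc != 5) {
        fprintf(stderr, "usage: %s PID EXE_PATH TABLE_LINK_ADDR_HEX NOT_IMPL_INDEX\n", argv[0]);
        return 2;
    }
    snprintf(path, sizeof path, "/proc/%d/maps", atoi(argv[1]));
    FILE *fp = fopen(path, "r");
    if (!fp) { perror(path); return 1; }
    maps[fread(maps, 1, sizeof maps - 1, fp)] = '\0';
    fclose(fp);
    uintptr_t base = find_load_base(maps, argv[2]);
    if (!base) { fputs("executable not mapped\n", stderr); return 1; }
    uintptr_t table = runtime_address(1, base, (uintptr_t)strtoull(argv[3], NULL, 16));
    if (patch_command_table((pid_t)atoi(argv[1]), table, (uint8_t)atoi(argv[4])) != 0) {
        perror("ptrace"); return 1;
    }
    printf("command_to_handler at %#llx now routes every command to handler %s\n",
           (unsigned long long)table, argv[4]);
    return 0;
}
```

The table address and handler index are the "information that has to be provided" the README mentions: they are only meaningful for a build identical to the running one, and Yama's `ptrace_scope` or a seccomp policy may refuse the attach on hardened hosts, in which case the program fails before writing anything.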

Of course, use at your own risk: modifying a running process could
wreak havoc on the world!

More detailed information is available here: http://vincent.bernat.im/en/blog/2015-hotfix-qemu-venom.html

To better understand live patching, here are some links:

 - http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
 - https://lwn.net/Articles/631631/
 - http://www.openbsd.org/papers/nycbsdcon08-pie/index.html
 - https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html
 - http://phrack.org/issues/59/8.html
 - http://www.hick.org/code/skape/papers/needle.txt
File Snapshot

[4.0K] /data/pocs/c6ccca09816c6cccb438eb2556cf15964ade85b4
├── [4.0K] exploit
│   ├── [ 838] exploit.c
│   └── [ 188] Makefile
├── [ 108] Makefile
├── [4.0K] mock
│   ├── [4.3K] fdc.c
│   ├── [ 476] Makefile
│   └── [ 537] not-qemu.c
├── [4.0K] patch
│   ├── [ 748] gdb-fix
│   ├── [1.4K] helpers.c
│   ├── [ 221] Makefile
│   └── [ 17K] patch.c
└── [1.7K] README.md

3 directories, 11 files