
POC详情: f3d0623dd74ee13f598f3842b7ed5929518c7bfd

Title: libvirt security vulnerability (CVE-2025-12748)
Description: libvirt is an open-source Linux API for implementing Linux virtualization. It supports various hypervisors, including Xen and KVM, as well as QEMU and some virtualization products for other operating systems. libvirt contains a security vulnerability that stems from XML parsing being performed before the ACL check during XML file processing, which may allow a malicious user to cause excessive host memory consumption via a specially crafted XML file, resulting in a denial of service.
Proof of concept & details for CVE-2025-12748
# CVE-2025-12748

[Eng](#english) [Rus](#russian)

- Credit: Svyatoslav Tereshin (@TERESH1), Artem Mukhin (@saladosss)
- Issues: [#687](https://gitlab.com/libvirt/libvirt/-/issues/687), [#825](https://gitlab.com/libvirt/libvirt/-/issues/825)

## English

### Description
An issue was discovered in the XML file processing procedure.

The processing of the file's content is performed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited permissions to submit a specially crafted XML file that can cause too much resource consumption, leading to a potential denial-of-service (DoS) attack.

### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as per the [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager)) (in Russian); summary in English:
```sh
apt-get install libvirt libvirt-kvm libvirt-qemu
gpasswd -a user vmusers
systemctl enable --now libvirtd
```

3. In `/etc/libvirt/libvirtd.conf`, replace the content with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1

log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`); note that this test rule denies only `domain.write` and `domain.save` for `user` and allows every other libvirt action for everyone, so it is suitable only for an isolated test host:
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```
5. Restart services: `systemctl restart libvirtd polkit`

### Reproduce
Attempting to access libvirt with a valid XML file:
```sh
virsh --connect qemu://system define ./test.xml
```
The following error will be received:
```
error: Failed to define domain from ./test.xml
error: access denied: access denied "QEMU"
```

And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```

Attempting to access libvirt with a malicious XML file:
```sh
virsh --connect qemu://system define ./oom.xml
```

The log will be empty due to the server hanging, and increased resource consumption by libvirtd can be observed in `top`.
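The ordering problem described above, modelled in Python as an added example (this is not libvirt's code and does not reproduce the real daemon's request path): the polkit log shows that the `org.libvirt.api.domain.write` check is evaluated with `domain_name` and `domain_uuid`, which come from the XML itself, so some parsing must precede the fine-grained ACL decision. The hardened ordering below runs the coarse `connect.getattr` check first, caps document size and nesting depth, extracts the identity with a streaming parser that discards each subtree after inspecting it, and only after authorization builds the full tree. The ACL table, the byte and depth limits, and the sample documents are constructed for this illustration; the action ids and the `test-vm` name and UUID are the ones that appear in the polkit log on this page.

```python
import io
import xml.etree.ElementTree as ET

# Assumed limits for this illustration; a deployment would tune them.
MAX_XML_BYTES = 64 * 1024
MAX_DEPTH = 32

# Action ids as they appear in the polkit log on the page.
ACT_CONNECT = "org.libvirt.api.connect.getattr"
ACT_DOMAIN_WRITE = "org.libvirt.api.domain.write"

# Constructed ACL table standing in for the polkit rule from the environment
# setup: "user" may connect but may not define domains.
ACL = {"admin": {ACT_CONNECT, ACT_DOMAIN_WRITE}, "user": {ACT_CONNECT}}

# Counts expensive full parses so the two orderings can be compared.
STATS = {"full_parses": 0}

class AccessDenied(Exception):
    pass

class RejectedInput(Exception):
    pass

def check_acl(user, action, **attrs):
    # attrs carry domain_name/domain_uuid, as the polkit action on the page does
    if action not in ACL.get(user, set()):
        raise AccessDenied(f"access denied: {action} for {user} {attrs}")

def full_parse(xml_bytes):
    """The expensive step: materialises the whole tree in memory."""
    STATS["full_parses"] += 1
    return ET.fromstring(xml_bytes)

def preflight(xml_bytes):
    """Cheap checks that need no parser at all."""
    if len(xml_bytes) > MAX_XML_BYTES:
        raise RejectedInput(f"document exceeds {MAX_XML_BYTES} bytes")
    # DTD and entity declarations are where expansion-based blowups live;
    # a domain definition never needs them, so refuse them outright.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise RejectedInput("DTD and entity declarations are not accepted")

def extract_identity(xml_bytes):
    """Streaming parse: reads <name> and <uuid> under the root, clears each
    top-level child once inspected, stops as soon as both are known, and
    aborts if nesting exceeds MAX_DEPTH."""
    depth, name, uuid = 0, None, None
    for event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > MAX_DEPTH:
                raise RejectedInput("element nesting too deep")
            continue
        if depth == 2:  # direct child of <domain>
            if elem.tag == "name":
                name = (elem.text or "").strip()
            elif elem.tag == "uuid":
                uuid = (elem.text or "").strip()
            elem.clear()
        depth -= 1
        if name is not None and uuid is not None:
            break
    if name is None:
        raise RejectedInput("domain definition has no <name>")
    return name, uuid

def define_vulnerable(user, xml_bytes):
    """The ordering the advisory describes: parse everything, then ask the ACL."""
    tree = full_parse(xml_bytes)
    name, uuid = tree.findtext("name"), tree.findtext("uuid")
    check_acl(user, ACT_DOMAIN_WRITE, domain_name=name, domain_uuid=uuid)
    return name, uuid

def define_hardened(user, xml_bytes):
    """Coarse ACL, cheap bounds, bounded identity parse, fine-grained ACL,
    and only then the full parse."""
    check_acl(user, ACT_CONNECT)
    preflight(xml_bytes)
    name, uuid = extract_identity(xml_bytes)
    check_acl(user, ACT_DOMAIN_WRITE, domain_name=name, domain_uuid=uuid)
    full_parse(xml_bytes)
    return name, uuid

def outcome(fn, user, xml_bytes):
    """Runs one ordering; returns (result, number of full parses performed)."""
    STATS["full_parses"] = 0
    try:
        fn(user, xml_bytes)
        result = "ok"
    except AccessDenied:
        result = "denied"
    except RejectedInput:
        result = "rejected"
    return result, STATS["full_parses"]

# Constructed sample: minimal domain definition with the name/UUID from the page's polkit log.
SAMPLE_XML = b"""<domain type='kvm'>
  <name>test-vm</name>
  <uuid>123e4567-e89b-12d3-a456-426614174000</uuid>
  <memory unit='KiB'>524288</memory>
</domain>"""
# Constructed well-formed inputs that merely exceed the bounds (bulk, not a payload).
OVERSIZED_XML = (b"<domain><name>big</name><description>"
                 + b"x" * MAX_XML_BYTES + b"</description></domain>")
DEEP_XML = b"<domain><name>deep</name>" + b"<a>" * 40 + b"</a>" * 40 + b"</domain>"

if __name__ == "__main__":
    for fn in (define_vulnerable, define_hardened):
        print(fn.__name__, "user:", outcome(fn, "user", SAMPLE_XML))
    print("hardened admin:", outcome(define_hardened, "admin", SAMPLE_XML),
          outcome(define_hardened, "admin", OVERSIZED_XML),
          outcome(define_hardened, "admin", DEEP_XML))
```

Run as a script, the vulnerable ordering reports one full parse before the unprivileged user is denied, while the hardened ordering denies the same user with zero full parses and rejects the oversized and over-nested documents before any tree is built. The streaming parser is still parsing, so the size and depth caps are what actually bound its cost; in a real daemon the same bounds belong in the parser configuration rather than in a byte scan.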

## Russian

### Description
An issue was discovered when processing an XML file.

The processing of the file's content is performed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited rights to submit a specially crafted XML file that can cause excessive resource consumption, leading to a potential denial-of-service (DoS) attack.

### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as per the [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager))
3. In `/etc/libvirt/libvirtd.conf`, replace the text with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1

log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`); note that this test rule denies only `domain.write` and `domain.save` for `user` and allows every other libvirt action for everyone, so it is suitable only for an isolated test host:
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```

5. Restart the services: `systemctl restart libvirtd polkit`

### Reproduce
Accessing libvirt with a valid XML file:
```sh
virsh --connect qemu://system define ./test.xml
```
The following error will be received (virsh output under a Russian locale):
```
ошибка: Не удалось создать описание домена на основе ./test.xml
ошибка: доступ запрещен: доступ запрещен "QEMU"
```
And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```
Accessing libvirt with a malicious XML file:
```sh
virsh --connect qemu://system define ./oom.xml
```
The log will be empty because the server hangs; the increased resource consumption of `libvirtd` can be observed in `top`.

File snapshot

```
/data/pocs/f3d0623dd74ee13f598f3842b7ed5929518c7bfd
├── oom.xml    (1.1K)
├── README.md  (7.0K)
└── test.xml   (697 bytes)

1 directory, 3 files
```