This year again we were a sponsor of the GreHack conference. Several consultants from RandoriSec attended the conference. As usual, you can find a quick review of our favorite talks.

Virtualization from an attacker point-of-view : An introduction to VM escapes – Thomas BOUZERAR and Corentin BAYET

Corentin presented to us this talk, which is about virtualization and its attack surfaces. Since this is a deep and complex topic, half of the talk is an introduction to virtualization concepts. The other half is dedicated to describing the common attack surfaces, and their illustrations with a simplified explanation of few CVEs.

He started by introducing concepts specific to virtualization, such as what’s an hypervisor and their different types (bare-metal or hosted), what devices are emulated, different techniques of virtualization (binary translation, para-virtualization, hardware-assisted (Intel’s VT-X, AMD-V)). MMU has to be managed to provide guests with physical memory (can be hardware-accelerated with SLAT)

In the second half of the talk, he introduces major attack surfaces in hypervisors and talk about related CVEs, either found by him and his teammate Thomas or other peoples.

He starts with a non-virtualization bug, CVE-2019-5544. It is an heap-overflow leading to RCE inside VMware ESXi. It’s actually a service running on the host which is vulnerable, and so not directly related to VM-escaping and virtualization.

Going on, he introduces the concept of MMIO and its implementation inside hypervisors, with heavy usage of callbacks. CVE-2021-3750 is a VM escape inside QEMU, which exploits the behavior of the MMIO. By providing a malicious address to the MMIO, an attacker is able to create recursive callbacks and trigger a user-after-free .

Corentin continues brushing the attack surfaces by presenting CVE-2023-21988, which is an unitialized memory read inside virtualbox. This leaks lies inside the memory management code, and can help them defeat ASLR for instance.

CVE-2023-21987 is about a device emulation bug. This is stack a buffer overflow in the TPM emulation code, found by Thomas.

Another surface is nested virtualization: running a VM in a VM. In order for this to work, many hardware mechanisms have to be emulated. CVE-2021-29657 is a race condition (double fetch) which leads to control of the MSR register from the host.

He ends the talk by mentioning that classic CPU bugs (e.g., Spectre, Meltodwn and L1TF) can also affect hypervisors.

Unlocking the Drive: Exploiting Tesla Model 3 – David Berard and Vincent Dehors

In 2023, the Synacktiv team participated in the Pwn2Own competition held in Vancouver. They targeted the Tesla Model 3 car, and achieved an RCE on the infotainment system.

In contrast to 2022, where they focused on the Wi-Fi attack surface, this year they took a look at the Bluetooth attack surface. First they found a bug in the bsa_server process, it was not PIE protected but had many sandboxes enabled (Kafel, AppArmor, Minijail) to prevent malicious behaviours. The bug was laying in the music playback feature, a heap-based buffer overflow occurs in the BIP surface accessible over the OBEX protocol. It allowed them to get code execution in the sandboxed process, after messing up with the heap manager to get an arbitrary write primitive.

They used the code execution in bsa_server to exploit a bug that allowed them to arbitrarily write inside the chipset firmware using the HCI protocol command HCI_BRCM_WRITE_RAM. Because the Bluetooth firmware and Wi-Fi firmware share some memory regions, they could patch the Wi-Fi firmware to inject custom code to exploit another vulnerability in the BCMDHD driver. An out-of-bounds write was occurring in the vmalloc region, so after some spraying they could target process kernel stacks to create a ropchain that copies into poweroff_cmd the root command to execute.

The Security Gateway is a component that ensures a communication is authorized between the Multimedia domain and the Vehicle domain. All CAN messages coming from the infotainment are filtered. If it gets compromised, an attacker can send CAN messages across the CAN buses. David and Vincent managed to find a TOCTOU logic bug allowing them to apply arbitrary updates, thus they could get code execution by patching the bootloader, and reuse the already available functions to send CAN messages.

Tesla gives 1 year SSH access to the board when someone manages to get root on. So after Pwn2Own 2022, Tesla gave them SSH keys to access their board which was very useful for them to develop the exploit and debug the target.

System Introspection applied to Micro-Services Pentests in K8S Clusters – Laluka and Christophe Biguereau

This talk covers the topic of syscall monitoring during pentests. Speakers reminded the audience there are lots of different syscalls, triaging is difficult, even more when it comes to containers. Hopefully, in Linux environments a tool called sysdig comes to the rescue to inspect syscalls. Monitoring agents can be set up using custom LKM (Loadable Kernel Module) or using eBPF probes.

On top of sysdig is falco which allows the deployment of rules, for example, to detect data exfiltration, LPE (Local Privilege EscalationProbes). Falco comes with a cost, there’s a learning curve to be able to write and deploy rules, improve your skills to be able to get rid of false positives, but when your training phase is over, you then have an all-in-one tool really handy to :

• increase observability
• diagnose anything infra-related
• have logs on endpoints
• record network traffic (DNS requests, HTTP, etc.)
• reproduce incidents

You can really enrich pentests, but it’s also useful for blue teamers !

Won’t You Please, Please –Help Me ? – Thomas Chauchefoin

In its presentation, Thomas focus on argument injections which is often confused with command injections. This is a kind of a vulnerability where the attacker can control arguments passed to a program. Thomas found argument injections in Packagist. Some of these vulnerabilities are the consequence of command injections patches which ignores the risk behind argument injections. He presented an exploitation technique on Mercurial by using the --config option, which has the priority on other options. Thomas also found argument injections in elFinder using the destination filename which flows to archive command such as zip. zip allows to execute command using the option -TT when we want to test the integrity of a file. To prevent argument injections, one can use -- as defined in the POSIX standard. However it cannot be used in all cases without breaking the wanted feature. For injections with filenames, developers can use a prefix such as / for absolute path or ./ for relative path to prevent argument injection. SonarSource maintain a collaborative list of argument injection vectors on https://sonarsource.github.io/argument-injection-vectors/

Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt (CVE-2023-2612) – Jean-Baptiste Cayrou

This presentation is about exploiting a race condition in the shiftfs filesystem on Ubuntu-based distributions for pwn2own. Before we start let’s explain what is shiftfs. shifts act as an overlay on another filesystem and mirrors all operations on the underlying filesystem by shifting the file permissions. shifts is mainly used in containers.

The vulnerability resides in the creation of objects in shifts_create_object which is an helper to create objects in the underlying filesystem. Normally, shift_create_object get a function pointer of the desired operation in the structure loweri_dir_op (which have the type const struct inode_operations *), checks if the pointer is valid (i.e the operation is supported by the underlying filesystem) and then locks the structure. When an operation is not supported by the underlying filesystem (i.e., the function pointer is null), the function take an error label which unlocks loweri_dir_op without having the lock. This bug can lead to a state where 2 processes have locked the structure.

To exploit this bug, the speaker uses the mqueue filesystem which doesn’t support directories. When he wants to create a directory in the shifts (which overlay on the mqueue), the bug will be triggered. The goal is to cause a use after free by decreasing the reference counter of a file by calling 2 simultaneous unlink. To increase the race window, he registers an inotify event handler for file deletion.

Here is how the bug is used to cause a use after free. At the beginning, the target file has a reference counter of 1 (this exploit targets the inode structure of the target file) and we have three processes :

• process A: open twice the target file
• process B: will be used to unlink the target file
• process C: register an inotify event for the deletion of target file and waiting for them. When needed, it will trigger the bug

After all files descriptors have been opened, the reference counter of the target file is 3.

Process A and B both unlink the target file at the same time. Process A locks the directory of the target file in a first time, and proceeds to the unlinking while process B is waiting to acquire the lock. Process A sends an inotify event to the process C, which when received will trigger the bug by calling mkdir. By triggering the bug, process C unlocks the directory which allows process B to lock it and proceed to the unlinking. At this point both process A and B unlink the file, decreasing the reference counter of the file’s inode to 1. Remember that process A still has 2 files descriptors on the target file, so closing one will decrease the reference counter of the inode to zero, leading to the free of the inode. Finally, the remaining file descriptor can be used to access the freed inode causing a use after free. By using inotify events, exploitation attempt has a 1/100 success rate and the exploitation takes few seconds.

After that, the speaker is in a classical use after free exploitation where he puts controlled data in the freed resources and use them using the remaining file descriptor to craft primitives and leak kernel pointers.

Unfortunately, when he tried on an up-to-date VM, the exploit didn’t work because of a patch in the lock source code which put the CPU in an hang state the exploit attempt fails. As a result he can have only 1 try per CPU. At this point he gave up and reported the vulnerability to Ubuntu developers (CVE-2023-2126). But during the preparation of the slides for Grehack, he figured out that he can increase the number of processes listening for an inotify event on the deletion to increase the race window. His exploit success rate is increased by 50% using this technique and he successfully triggers the bug on an up-to-date ubuntu VM (modern problems require modern solutions).