Show Notes

90 - HyperKit Bugs & an Open5GS Stack Overflow

00:00:19
Spot The Vuln - Mind the Sign - Solution
Additional Links: https://blog.mozilla.org/attack-and-defense/2021/09/29/fixing-a-security-bug-by-changing-a-function-signature/
00:00:51
Spot The Vuln - Mind the Sign - Solution
00:03:53
In EU no contract can prevent you from decompiling software you bought, if your goal is fixing a bug.
Additional Links: https://curia.europa.eu/juris/document/document.jsf?text=&docid=247056&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=6413406
00:11:05
Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]

When parsing session establishment request packets in ogs_fqdn_parse(), the function would take an unmitigated length and pass it directly to memcpy(). The blogpost indicates the destination is a stack buffer, leading to stack overflow. It’s worth noting the build config does enable stack cookies, so it wouldn’t be a straightforward exploit.

Additional Links: https://github.com/open5gs/open5gs/commit/13f1b390ae96b02115932b1548b3768e6903e344#diff-e796016866b62e9841b3a9731577517784047595c2cf96123f22e7c833eef448
00:15:27
Code execution outside the virtualized guest in hyperkit

Four issues in HyperKit, a hypervisor based on bhyve used in docker for macOS.

Issue 1: vi_pci_read null vc_cfgread function pointer dereference (GHSL-2021-054) Various handlers in the virtio table might not be initialized by certain devices. One example is vc_cfgread() in the vtrand device. The vi_pci_read() function doesn’t check if the handler is null and calls it directly, resulting in a null dereference. DoS only.

Issue 2: vi_pci_write null vc_cfgwrite function pointer dereference (GHSL-2021-055) The same root cause as the first issue, but instead in the vi_pci_write path.

Issue 3: vtrnd pci_vtrnd_notify uninitialized memory use (GHSL-2021-056) Identical to a previously reported bhyve issue, where the vtrnd device would fail to check the return value of vq_getchain(), leading to usage of uninitialized iovec objects, which can yield arbitrary read/write. For reference the previously covered bhyve issue: [https://dayzerosec.com/vulns/2021/09/08/code-execution-outside-the-virtualized-guest-in-bhyve-cve202129631.html]

Issue 4: virtio-sock pci_vtsock_proc_tx uninitialized memory use (GHSL-2021-057) Similar to issue 3. pci_vtsock_proc_tx() calls vq_getchain(), and while it asserts the value isn’t too large, it doesn’t check for a fail return (-1). This again leads to using uninitialized iovecs resulting in memory corruption.

Additional Links: https://dayzerosec.com/vulns/2021/09/08/code-execution-outside-the-virtualized-guest-in-bhyve-cve202129631.html https://securitylab.github.com/advisories/GHSL-2021-088_093-freebsd-bhyve/
00:19:45
Disclosure of the host memory into the virtualized guest in hyperkit [CVE-2021-32847]

pci_vtblk_proc handling of incoming virtio descriptiors and the VBH_OP_DISCORD operation has a likely typo that allows for a guest to perform an out of bound memory read.

The problem is the following assert statement:

/* We currently limit the discard to one segment in the initial negotiation
	so expect exactly one correctly-sized payload descriptor. */
assert(iov[1].iov_len = sizeof(struct virtio_blk_discard_write_zeroes));

The comment above the assert indicates that the assert is there to ensure a correct payload descriptor, however the assert itself does not check equality but rather performs an assignment to iov[1].iov_len. Leading to a mismatched, and potentially too long iov_len value being used.

00:30:14
The Challenges of Fuzzing 5G Protocols