Full Disclosure mailing list archives
CPU-emulation bug (missing CPL check) allows crashing of VirtualBox guest from unprivileged ring-3 code
From: halfdog <me () halfdog net>
Date: Sat, 08 Sep 2012 03:23:01 +0000
Hello list-members,

According to Oracle, a minor bug allows an unprivileged user to crash the guest system under certain conditions by invoking a task gate from ring-3 code. The crash occurs due to a CPU-emulation bug when calling the task gate via the IDT (software interrupt) with insufficient privileges (CPL > DPL) while the processor is missing the VT-x / AMD-V extensions. On real processors, or within a guest on virtualization-enhanced hardware, that would result in a general protection fault (GPF). In VirtualBox, CPL is not checked and an incomplete task switch to the double-fault handler is performed.

Invocation on Linux results in DoS; privilege escalation might be possible on systems where suitable ring-0 task gates exist, although Oracle says that, due to other measures in the VirtualBox code, it is not possible to execute arbitrary ring-0 code.

The issue was fixed in VirtualBox 4.1.22 and 4.2.0-RC3. See also [1].

hd

[1] http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
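As an added illustration (not code from the post, and not VirtualBox's code), a simplified C model of the privilege check a CPU applies when a software interrupt goes through the IDT, with the unchecked variant the post describes beside the checked one. The gate-type names, the `sample_idt` contents and the `check_cpl` switch are constructed assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of an x86 emulator dispatching a software
 * interrupt (INT n) through the IDT. Not VirtualBox's code; it only shows the
 * CPL <= DPL rule that the post says the emulation skipped. */

enum gate_type { GATE_TASK = 0x5, GATE_INTR32 = 0xE, GATE_TRAP32 = 0xF };
enum outcome { OUT_GP, OUT_NP, OUT_TASK_SWITCH, OUT_GATE_ENTRY };

struct idt_gate { uint8_t type; uint8_t dpl; bool present; };
struct dispatch { enum outcome result; uint32_t error_code; };

/* Error code for a fault found while consulting the IDT: vector in bits 3..15,
 * IDT flag in bit 1, EXT bit clear because INT n is raised by software. */
static uint32_t idt_error_code(uint8_t vector) { return ((uint32_t)vector << 3) | 2u; }

/* check_cpl=true models real hardware (and a fixed emulator);
 * check_cpl=false models the bug: a ring-3 caller is not rejected. */
static struct dispatch dispatch_software_int(const struct idt_gate *idt,
                                             uint8_t vector, uint8_t cpl,
                                             bool check_cpl)
{
    struct dispatch fault = { OUT_GP, idt_error_code(vector) };
    const struct idt_gate *g = &idt[vector];
    if (!g->present) { fault.result = OUT_NP; return fault; } /* #NP, same code format */
    if (check_cpl && cpl > g->dpl) return fault;              /* #GP(vector*8+2) */
    struct dispatch ok = { g->type == GATE_TASK ? OUT_TASK_SWITCH : OUT_GATE_ENTRY, 0 };
    return ok;
}

/* Constructed sample IDT: vector 8 (#DF) as a ring-0 task gate, vector 0x80 as
 * a trap gate callable from ring 3, like a Linux system-call gate. */
static const struct idt_gate sample_idt[256] = {
    [8]    = { GATE_TASK,   0, true },
    [0x80] = { GATE_TRAP32, 3, true },
};

int main(void)
{
    struct dispatch hw  = dispatch_software_int(sample_idt, 8, 3, true);
    struct dispatch bug = dispatch_software_int(sample_idt, 8, 3, false);
    printf("int 0x8 from ring 3, CPL checked:   %s (error code 0x%x)\n",
           hw.result == OUT_GP ? "#GP" : "no fault", hw.error_code);
    printf("int 0x8 from ring 3, CPL unchecked: %s\n",
           bug.result == OUT_TASK_SWITCH ? "task switch attempted" : "other");
    return 0;
}
```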