关联漏洞
标题:Oracle Virtualization 安全漏洞 (CVE-2024-21111)Description:Oracle Virtualization和Oracle VM VirtualBox都是美国甲骨文(Oracle)公司的产品。Oracle Virtualization是一套虚拟化解决方案。该产品用于统一管理从应用程序到磁盘的整个硬件和软件体系,可实现从桌面到数据中心的虚拟化。Oracle VM VirtualBox是一款虚拟机管理软件。 Oracle Virtualization 的 Oracle VM VirtualBox存在安全漏洞。攻击者利用该漏洞导致 Oracle VM VirtualBox 被
Description
Oracle VirtualBox Elevation of Privilege (Local Privilege Escalation) Vulnerability
介绍
# CVE-2024-21111
Oracle VirtualBox Prior to 7.0.16 is vulnerable to Local Privilege Escalation via Symbolic Link Following leading to Arbitrary File Delete and Arbitrary File Move.
VirtualBox attempts to move log files as NT AUTHORITY\SYSTEM in C:\ProgramData\VirtualBox (which all users can write to) to backup themselves by an ordinal, but MAX 10 logs. VirtualBox will also try to delete the 11th log as NT AUTHORITY\SYSTEM exposing itself to 2 bugs that lead to privilege escalation. Finding this bug was very interesting :)
## Arbitrary File Delete
https://github.com/mansk1es/CVE-2024-21111/assets/74832816/54a78fa6-82b2-441a-8b37-ad411fbc6e33
## Arbitrary File Move
https://github.com/mansk1es/CVE-2024-21111/assets/74832816/85430839-bb51-4c8e-b6c4-9fd38b256ff8
Fun fact me and @filip_dragovic (Wh04m1001) found this bug each independently :D shout out to him!
### Report Timeline
* 19/3/2024 - Vulnerability Reported to Oracle
* 21/3/2024 - Oracle Confirms Vulnerability
* 13/4/2024 - Oracle Notified About Public Advisory
* 16/4/2024 - CVE-2024-21111 Publicized && Public Advisory on Oracle Critical Patch Updates
文件快照
[4.0K] /data/pocs/f96e60e3b7b18ed2f19d034923785a12bff1115b
├── [1.1K] README.md
├── [4.0K] VirtualBoxLPE_del
│ ├── [558K] cmd.rbs
│ ├── [2.3K] def.h
│ ├── [4.3K] FileOplock.cpp
│ ├── [ 986] FileOplock.h
│ ├── [184K] Msi_Rollback.msi
│ ├── [ 436] resource.aps
│ ├── [ 514] resource.h
│ ├── [1.6K] resource.rc
│ ├── [ 15K] Source.cpp
│ ├── [1.4K] VirtualBoxLPE_del.sln
│ ├── [6.8K] VirtualBoxLPE_del.vcxproj
│ ├── [1.5K] VirtualBoxLPE_del.vcxproj.filters
│ └── [ 168] VirtualBoxLPE_del.vcxproj.user
└── [4.0K] VirtualBoxLPE_move
├── [2.3K] def.h
├── [4.3K] FileOplock.cpp
├── [ 986] FileOplock.h
├── [ 13K] Source.cpp
├── [1.4K] VirtualBoxLPE_move.sln
├── [6.7K] VirtualBoxLPE_move.vcxproj
├── [1.3K] VirtualBoxLPE_move.vcxproj.filters
└── [ 168] VirtualBoxLPE_move.vcxproj.user
2 directories, 22 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →