Opened 2 years ago
Closed 23 months ago
#21349 closed defect (fixed)
Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance
Reported by: | cos | Owned by: | |
---|---|---|---|
Component: | VM control | Version: | VirtualBox-7.0.4 |
Keywords: | Cc: | ||
Guest type: | all | Host type: | Windows |
Description
In VirtualBox 7.0.4 for Windows, the service generated by command
VBoxAutostartSvc.exe install
is not startable, due to the malformed lpDependencies string passed to CreateServiceW(), which reads:
Winmgmt Á¿î ноÑÑаÐ
where it must be:
Winmgmt RpcSs
(lines are separated by single null characters)
Because in this event the service depends on the nonexistent objects such as "Á¿î", it can never come up.
It is rooted in the code at VirtualBox-7.0.4\src\VBox\Frontends\VBoxAutostart\VBoxAutostart-win.cpp:777:

```cpp
com::Bstr bstrDependencies("Winmgmt\0RpcSs\0\0");
SC_HANDLE hSvc = CreateServiceW(hSCM,                      /* hSCManager */
                                bstrServiceName.raw(),     /* lpServiceName */
                                bstrDisplayName.raw(),     /* lpDisplayName */
                                SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG, /* dwDesiredAccess */
                                SERVICE_WIN32_OWN_PROCESS, /* dwServiceType ( | SERVICE_INTERACTIVE_PROCESS? ) */
                                SERVICE_AUTO_START,        /* dwStartType */
                                SERVICE_ERROR_NORMAL,      /* dwErrorControl */
                                bstrCmdLine.raw(),         /* lpBinaryPathName */
                                NULL,                      /* lpLoadOrderGroup */
                                NULL,                      /* lpdwTagId */
                                bstrDependencies.raw(),    /* lpDependencies */
                                bstrUserFullName.raw(),    /* lpServiceStartName (NULL => LocalSystem) */
                                bstrPwd.raw());            /* lpPassword */
```
Although "Winmgmt\0RpcSs\0\0" is the correct format for lpDependencies [1] if it were un-encoded text, it is completely broken because it is an ASCII string and com::Bstr takes a null-terminated ASCII-like string, not null-in-the-middle strings. This causes CreateServiceW to scan memory indefinitely to find a double null (\0\0) terminator, since in no way can bstrUserFullName contain \0\0 on its own.
This can result in huge information leakage from the heap memory (please remember the Heartbleed incident in OpenSSL) and/or a crash of the process. That is why I consider this a SECURITY DEFECT. Either way, of course, users cannot use the feature they want, auto-starting their VM.
I believe this is a relatively easy fix, so please consider resolving it with high priority.
Regards
[1] https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicew
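As an added illustration (not code from the ticket or from VirtualBox), a stand-alone C++ sketch of the defect described above: a C-string constructor copies only up to the first NUL, so the second dependency and the double-NUL terminator are lost, while copying with an explicit length keeps them. `bstrFromCString` and `multiStringFromLiteral` are hypothetical stand-ins, not com::Bstr's real API, and `splitMultiString` shows the bounds check a consumer of such a buffer needs.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for a char*-taking constructor such as com::Bstr's: like any
// C-string copy it stops at the first NUL, so "RpcSs\0\0" is silently dropped.
static std::wstring bstrFromCString(const char *s) {
    return std::wstring(s, s + std::strlen(s));
}

// Correct construction for a multi-string: copy with an explicit length so the
// embedded NUL and the terminating double NUL survive.
static std::wstring multiStringFromLiteral(const char *s, std::size_t len) {
    return std::wstring(s, s + len);
}

// Split a double-NUL-terminated multi-string into its entries. Returns false
// when the buffer does not end in two NULs, which is exactly the case in which
// a CreateServiceW-style consumer would keep reading past the end of it.
static bool splitMultiString(const std::wstring &ms, std::vector<std::wstring> &out) {
    out.clear();
    if (ms.size() < 2 || ms[ms.size() - 1] != L'\0' || ms[ms.size() - 2] != L'\0')
        return false;
    std::size_t pos = 0;
    while (pos < ms.size() && ms[pos] != L'\0') {
        std::size_t end = ms.find(L'\0', pos);   // always found: buffer ends in NUL
        out.push_back(ms.substr(pos, end - pos));
        pos = end + 1;
    }
    return true;
}

// Number of dependencies recovered from the ticket's literal under the
// truncating construction (0: terminator missing, split refuses the buffer).
static std::size_t brokenDependencyCount() {
    std::vector<std::wstring> deps;
    std::wstring b = bstrFromCString("Winmgmt\0RpcSs\0\0");
    return splitMultiString(b, deps) ? deps.size() : 0;
}

// Same literal copied with its length: both "Winmgmt" and "RpcSs" survive.
static std::size_t fixedDependencyCount() {
    static const char lit[] = "Winmgmt\0RpcSs\0\0";   // 15 chars + implicit NUL
    std::vector<std::wstring> deps;
    std::wstring b = multiStringFromLiteral(lit, sizeof(lit) - 1);
    return splitMultiString(b, deps) ? deps.size() : 0;
}
```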
Attachments (1)
Change History (3)
by , 2 years ago
Attachment: | VBoxAutostart-win.cpp added |
---|
comment:1 by , 2 years ago
Summary: | Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc → Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance |
---|
comment:2 by , 23 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Hello,
We just released VirtualBox 7.0.6. This issue should be fixed in this version. You can download it from https://www.virtualbox.org/wiki/Downloads.
Thanks for the report and the detailed analysis! This will be fixed in the next maintenance release. I agree that it can be viewed as a security issue (for which you should not have used the public bugtracker but communicated it to secalert_us@…). However, this requires administrative privileges on the host because you can't install the service as a normal user. Furthermore, the process is only very short-lived when installing the service; the only sensible information in that process is the password of the user given when invoked.