Vulnerability allowing exit from isolated QEMU environment

Details of a critical vulnerability (CVE-2019-14378) have been disclosed in the SLIRP handler, which QEMU uses by default to provide a communication channel between the virtual network adapter in the guest system and the network backend on the QEMU side. The issue also affects KVM-based virtualization systems (in user mode) and VirtualBox, which use the slirp backend from QEMU, as well as applications that use the user-space networking stack libSLIRP (TCP/IP emulator).

The vulnerability allows code to be executed on the host system with the privileges of the QEMU handler process when the guest system sends a specially crafted, very large network packet that requires fragmentation. Due to an error in the ip_reass() function, which is called when reassembling incoming packets, the first fragment may not fit in the allocated buffer, and its tail is written into the memory areas that follow the buffer.
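The defect described above is a classic reassembly bounds failure: a fragment's payload is copied at its stated offset without confirming that offset plus length still fits the reassembly buffer. The following added example is not QEMU's or libslirp's code; it is a constructed toy reassembler (the `reasm_t`, `frag_t` and `reasm_add` names and the 1500-byte capacity are assumptions) that shows the check a hardened implementation performs before copying, rejecting any fragment whose tail would land past the end of the buffer and guarding the offset+length sum against integer overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: capacity of a single-datagram reassembly buffer. */
#define REASM_CAP 1500

/* Reassembly state for one datagram (constructed, not the libslirp layout). */
typedef struct {
    uint8_t data[REASM_CAP]; /* reassembled payload bytes */
    size_t  received;        /* highest byte offset written so far */
} reasm_t;

/* One incoming fragment: where its payload belongs and how long it is. */
typedef struct {
    size_t         offset;   /* payload offset within the original datagram */
    size_t         len;      /* payload length in bytes */
    const uint8_t *payload;  /* payload bytes */
} frag_t;

void reasm_init(reasm_t *r) {
    memset(r, 0, sizeof(*r));
}

/*
 * Hardened copy. Returns 0 on success, -1 when the fragment would overrun
 * data[]. An unchecked implementation would memcpy() straight away, which is
 * exactly how an oversized first fragment spills past the buffer.
 */
int reasm_add(reasm_t *r, const frag_t *f) {
    /* Check offset first, then compare len against the remaining room;
       written this way the comparison cannot overflow size_t. */
    if (f->offset > REASM_CAP || f->len > REASM_CAP - f->offset) {
        return -1; /* reject: tail would be written past the buffer */
    }
    memcpy(r->data + f->offset, f->payload, f->len);
    if (f->offset + f->len > r->received) {
        r->received = f->offset + f->len;
    }
    return 0;
}

/* Convenience wrapper for tests: build a fragment of 'len' bytes of 'fill'
   at 'offset' and try to add it. Returns reasm_add()'s result. */
int reasm_add_filled(reasm_t *r, size_t offset, size_t len, uint8_t fill) {
    static uint8_t scratch[REASM_CAP * 2];
    if (len > sizeof(scratch)) return -1;
    memset(scratch, fill, len);
    frag_t f = { offset, len, scratch };
    return reasm_add(r, &f);
}

int main(void) {
    reasm_t r;
    reasm_init(&r);
    printf("in-bounds fragment:   %d\n", reasm_add_filled(&r, 0, 100, 0xAA));
    printf("fits exactly at end:  %d\n", reasm_add_filled(&r, 1400, 100, 0xBB));
    printf("overruns by 100:      %d\n", reasm_add_filled(&r, 1400, 200, 0xCC));
    printf("offset past capacity: %d\n", reasm_add_filled(&r, (size_t)-1, 1, 0xDD));
    printf("bytes received:       %zu\n", r.received);
    return 0;
}
```

The two-step comparison in `reasm_add` matters: writing the check as `f->offset + f->len > REASM_CAP` lets a large `len` wrap the sum around to a small value and slip past the test, which is why the remaining room is computed first and compared against `len`.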

A working exploit prototype is already available for testing; it bypasses ASLR and executes code by overwriting the memory of the main_loop_tlg array, including the QEMUTimerList list of timer-based handlers.
The vulnerability has already been fixed in Fedora and SUSE/openSUSE, but remains unfixed in Debian, Arch Linux and FreeBSD. In Ubuntu and RHEL the problem does not appear because slirp is not used. The vulnerability remains unpatched in the latest libslirp 4.0 release (the fix is currently available only as a patch).

Source: opennet.ru