QEMU escape: Part 3 Information Leakage (CVE-2015-5165)

Screenshot from 2018-03-08 11-14-48


This post will give some more debugging details on CVE-2015-5165. Based on the poc code in [1], we make some modification to the code according to the information of local machine.
As we know, QEMU is an application running on the host machine. The goal of the VM escape in the guest machine is that we have to retrieve the base address of text segment of QEMU application on the host machine and the base address of the virtual memory that are mapped to emulate the physical memory of guest machine.
The final result of the information leakage is given as the cover image of this post.

Analysis on CVE-2013-2551


This vulnerability is an integer overflow vulnerability, which involves a signed comparison between a signed integer and an unsigned integer and results in out-of-bound read. The analysis on root cause has already been available online [2][3]. But these talk few about how they locate the root cause in the binary starting from zero knowledge. In this post, I hope to log how I locate the root cause of the vulnerability starting from the crash. Therefore, the post may look tedious but I will try to demonstrate every step I take in my analysis. (more…)