Custom Query (16363 matches)
Results (1387 - 1389 of 16363)
| Ticket | Resolution | Summary | Owner | Reporter |
|---|---|---|---|---|
| #21349 | fixed | Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance | | |

Description:

In VirtualBox 7.0.4 for Windows, the service generated by the command `VBoxAutostartSvc.exe install` is not startable, due to the malformed `lpDependencies` string for `CreateServiceW()`, which reads `Winmgmt Á¿î ноÑÑаР` where it must be `Winmgmt RpcSs` (lines are separated by single null characters).

Because in this event the service depends on nonexistent objects such as "Á¿î", it can never come up. It is rooted in the code at `VirtualBox-7.0.4\src\VBox\Frontends\VBoxAutostart\VBoxAutostart-win.cpp:777`:

```cpp
com::Bstr bstrDependencies("Winmgmt\0RpcSs\0\0");
SC_HANDLE hSvc = CreateServiceW(hSCM,                       /* hSCManager */
                                bstrServiceName.raw(),      /* lpServiceName */
                                bstrDisplayName.raw(),      /* lpDisplayName */
                                SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG, /* dwDesiredAccess */
                                SERVICE_WIN32_OWN_PROCESS,  /* dwServiceType ( | SERVICE_INTERACTIVE_PROCESS? ) */
                                SERVICE_AUTO_START,         /* dwStartType */
                                SERVICE_ERROR_NORMAL,       /* dwErrorControl */
                                bstrCmdLine.raw(),          /* lpBinaryPathName */
                                NULL,                       /* lpLoadOrderGroup */
                                NULL,                       /* lpdwTagId */
                                bstrDependencies.raw(),     /* lpDependencies */
                                bstrUserFullName.raw(),     /* lpServiceStartName (NULL => LocalSystem) */
                                bstrPwd.raw());             /* lpPassword */
```

Although `"Winmgmt\0RpcSs\0\0"` is the correct format for `lpDependencies` [1] if it were un-encoded text, it is completely broken because it is an ASCII string and `com::Bstr` takes a null-terminated ASCII-like string, not null-in-the-middle strings. This causes `CreateServiceW` to indefinitely scan the memory to find a double null (`\0\0`) terminator, since in no way can `bstrUserFullName` contain `\0\0` on its own. This can result in huge information leakage from the heap memory (please remember the Heartbleed incident in OpenSSL) and/or a crash of the process. That is why I consider this a SECURITY DEFECT. Either way, of course, users cannot use the feature they want: auto-starting their VM. I believe this is a relatively easy fix, so please consider resolving it with high priority.

Regards

[1] https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicew
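The following is an added example (not VirtualBox code and not from the ticket reporter) that reproduces the defect class described in #21349 in portable C: a double-NUL-terminated "multi-string" such as `lpDependencies` loses its terminator when it passes through a constructor that only understands NUL-terminated strings, so a consumer that trusts the format scans beyond the buffer. Narrow `char` stands in for the `WCHAR` the real API uses; `multi_sz_count`, `cstring_copy` and `multi_sz_build` are names chosen here, and the assumption that the `Bstr`-style constructor stops at the first NUL is taken from the ticket text.

```c
/* Added example (not VirtualBox code): why a C-string copy destroys a
 * double-NUL-terminated multi-string such as the lpDependencies argument
 * of CreateServiceW, and how to build and validate one with explicit lengths.
 * Portable C; narrow chars stand in for the WCHAR strings the real API uses. */
#include <stdio.h>
#include <string.h>

/* The dependency list from the ticket as the compiler sees it: 15 bytes,
 * "Winmgmt" NUL "RpcSs" NUL NUL (the literal's implicit terminator supplies
 * the second NUL). */
static const char DEPS_LITERAL[] = "Winmgmt\0RpcSs\0";

/* Count the entries of a multi-string without reading past `cap` bytes.
 * Returns the number of entries, or -1 if no empty entry (the "\0\0"
 * terminator) occurs within cap bytes: a consumer that trusts the format
 * would keep scanning beyond the buffer, which is the over-read the ticket
 * describes. */
int multi_sz_count(const char *buf, size_t cap)
{
    size_t i = 0;
    int entries = 0;
    while (i < cap) {
        size_t start = i;
        while (i < cap && buf[i] != '\0')
            i++;
        if (i == cap)
            return -1;              /* entry runs off the end of the buffer */
        if (i == start)
            return entries;         /* empty entry: the list terminator */
        entries++;
        i++;                        /* skip this entry's NUL */
    }
    return -1;                      /* ran out of bytes before "\0\0" */
}

/* Mimic a constructor that takes a NUL-terminated string (as the ticket
 * says com::Bstr does): it stops at the first NUL, so only "Winmgmt" and
 * its terminator survive. Returns the number of bytes stored. */
size_t cstring_copy(const char *src, char *out, size_t cap)
{
    size_t len = strlen(src);       /* strlen("Winmgmt\0RpcSs\0") == 7 */
    if (len + 1 > cap)
        return 0;
    memcpy(out, src, len + 1);
    return len + 1;
}

/* Build a multi-string from an array of entries, writing the "\0\0"
 * terminator explicitly. Returns bytes written (including the final NUL),
 * or 0 if the list does not fit. */
size_t multi_sz_build(const char *const *items, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    for (size_t k = 0; k < n; k++) {
        size_t len = strlen(items[k]);
        if (len == 0 || used + len + 1 > cap)
            return 0;               /* an empty entry would end the list early */
        memcpy(out + used, items[k], len + 1);
        used += len + 1;
    }
    if (used + 1 > cap)
        return 0;
    out[used++] = '\0';             /* second NUL terminates the list */
    return used;
}

/* Entries a consumer finds when the literal goes through a C-string copy. */
int entries_after_cstring_copy(void)
{
    char buf[64];
    size_t n = cstring_copy(DEPS_LITERAL, buf, sizeof buf);
    return multi_sz_count(buf, n);  /* -1: no "\0\0" inside the buffer */
}

/* Entries when the list is built with explicit lengths instead. */
int entries_after_explicit_build(void)
{
    static const char *const deps[] = { "Winmgmt", "RpcSs" };
    char buf[64];
    size_t n = multi_sz_build(deps, 2, buf, sizeof buf);
    return multi_sz_count(buf, n);  /* 2 */
}

int main(void)
{
    printf("literal as compiled: %d entries in %zu bytes\n",
           multi_sz_count(DEPS_LITERAL, sizeof DEPS_LITERAL), sizeof DEPS_LITERAL);
    printf("after C-string copy: %d (terminator lost)\n", entries_after_cstring_copy());
    printf("after explicit build: %d entries\n", entries_after_explicit_build());
    return 0;
}
```

The bounded scan in `multi_sz_count` is the check a defensive caller or reviewer wants: any multi-string handed to an API that searches for `\0\0` should be validated against its known byte length first, and a constructor that derives the length with `strlen`/`wcslen` can never preserve more than the first entry.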
| Ticket | Resolution | Summary | Owner | Reporter |
|---|---|---|---|---|
| #452 | fixed | Bug -- Renaming Snapshots | | |

Description:

A potential bug exists in VirtualBox that is preventing snapshots from being renamed. If a snapshot is renamed, the changes appear to have no effect, but the usage of that snapshot is blocked until VirtualBox is completely closed. The bug is only known to occur on host OS Ubuntu 7.04; however, other operating systems may be affected.
| Ticket | Resolution | Summary | Owner | Reporter |
|---|---|---|---|---|
| #8326 | obsolete | Bug 4381 affects Solaris VirtualBox 4.0.2 vboxsvr | | |

Description:

Same problem as Ticket 4381. Guess the fix wasn't propagated to the Solaris portions. Host filesystem is on ZFS.

