﻿id	summary	reporter	owner	description	type	status	component	version	resolution	keywords	cc	guest	host
21349	Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance	cos		"In VirtualBox 7.0.4 for Windows, the service generated by command
{{{
VBoxAutostartSvc.exe install
}}}
is not startable, due to the malformed lpDependencies string for CreateServiceW();
which reads:
{{{
Winmgmt
ÁÂ¿î
Ð½Ð¾ÑÑÐ°Ð

}}}
where it must be:
{{{
Winmgmt
RpcSs

}}}
(lines are separated by single null characters)[[BR]]

Because the service then depends on nonexistent objects such as ""ÁÂ¿î"", it can never come up.[[BR]]

It is rooted on the code
VirtualBox-7.0.4\src\VBox\Frontends\VBoxAutostart\VBoxAutostart-win.cpp:777:
{{{
com::Bstr bstrDependencies(""Winmgmt\0RpcSs\0\0"");

SC_HANDLE hSvc = CreateServiceW(hSCM,                            /* hSCManager */
                                bstrServiceName.raw(),           /* lpServiceName */
                                bstrDisplayName.raw(),           /* lpDisplayName */
                                SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG, /* dwDesiredAccess */
                                SERVICE_WIN32_OWN_PROCESS,       /* dwServiceType ( | SERVICE_INTERACTIVE_PROCESS? ) */
                                SERVICE_AUTO_START,              /* dwStartType */
                                SERVICE_ERROR_NORMAL,            /* dwErrorControl */
                                bstrCmdLine.raw(),               /* lpBinaryPathName */
                                NULL,                            /* lpLoadOrderGroup */
                                NULL,                            /* lpdwTagId */
                                bstrDependencies.raw(),          /* lpDependencies */
                                bstrUserFullName.raw(),          /* lpServiceStartName (NULL => LocalSystem) */
                                bstrPwd.raw());                  /* lpPassword */
}}}
Although ""Winmgmt\0RpcSs\0\0"" is the correct format for lpDependencies[1] if it were un-encoded text, it is completely broken here because it is an ASCII string and com::Bstr takes a null-terminated ASCII-like string, not a null-in-the-middle string. This causes CreateServiceW to scan memory indefinitely to find a double null (\0\0) terminator, since in no way can bstrUserFullName contain \0\0 on its own.[[BR]]

This can result in huge information leakage from the heap memory (please remember the Heartbleed incident in OpenSSL) and/or a crash of the process. That is why I consider this a '''SECURITY DEFECT'''. Either way, of course, users cannot use the feature they want, auto-starting their VM.

I believe this is a relatively easy fix, so please consider resolving it with high priority.

Regards

[1] https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicew"	defect	closed	VM control	VirtualBox-7.0.4	fixed			all	Windows
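An added illustration of the mechanism described in the ticket, written for this page and not taken from the reporter or from VirtualBox's fix: a narrow-string constructor measures the literal with strlen() and so keeps only "Winmgmt", leaving a buffer with no double-NUL terminator inside its bounds, whereas a multi-string built with explicit lengths validates cleanly. wchar_t stands in for the BSTR/WCHAR buffer, and the helper names (narrow_ctor_copy, count_multi_sz, build_multi_sz) are my own.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* The literal from the ticket. sizeof gives 16 bytes, but any
 * constructor that measures it with strlen() sees only 7. */
static const char kDeps[] = "Winmgmt\0RpcSs\0\0";

/* Models what a narrow-string constructor such as com::Bstr(const char*)
 * does: copy up to the first NUL and append one terminator. Returns the
 * element count written, so the caller knows the real buffer bounds. */
size_t narrow_ctor_copy(const char *src, wchar_t *out, size_t cap) {
    size_t len = strlen(src);            /* stops at the first NUL */
    if (len + 1 > cap) return 0;
    for (size_t i = 0; i < len; i++) out[i] = (wchar_t)(unsigned char)src[i];
    out[len] = L'\0';
    return len + 1;                      /* single NUL: no multi-string end */
}

/* Bounds-checked walk of a REG_MULTI_SZ-style buffer. Returns the number
 * of entries, or -1 if the terminating empty entry is not inside cap
 * elements, i.e. a consumer like CreateServiceW would read past the end. */
int count_multi_sz(const wchar_t *buf, size_t cap) {
    size_t i = 0;
    int n = 0;
    while (i < cap) {
        if (buf[i] == L'\0') return n;   /* empty entry terminates the list */
        while (i < cap && buf[i] != L'\0') i++;
        if (i >= cap) return -1;         /* entry not NUL-terminated in bounds */
        n++;
        i++;
    }
    return -1;                           /* no terminating empty entry */
}

/* Builds the dependency list correctly: wide strings, explicit lengths,
 * and the terminating empty entry written on purpose. Returns elements used. */
size_t build_multi_sz(const wchar_t *const *entries, size_t n,
                      wchar_t *out, size_t cap) {
    size_t pos = 0;
    for (size_t k = 0; k < n; k++) {
        size_t len = wcslen(entries[k]) + 1;   /* include the entry's own NUL */
        if (pos + len + 1 > cap) return 0;     /* keep room for the final NUL */
        wmemcpy(out + pos, entries[k], len);
        pos += len;
    }
    out[pos++] = L'\0';
    return pos;
}
```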
