VirtualBox

Ticket #21349 (closed defect: fixed)

Opened 7 weeks ago

Last modified 3 weeks ago

Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance

Reported by: cos Owned by:
Component: VM control Version: VirtualBox-7.0.4
Keywords: Cc:
Guest type: all Host type: Windows

Description

In VirtualBox 7.0.4 for Windows, the service generated by command

VBoxAutostartSvc.exe install

is not startable, due to the malformed lpDependencies string passed to CreateServiceW(), which reads:

Winmgmt
Á¿î
ноÑÑаÐ

where it must be:

Winmgmt
RpcSs

(lines are separated by single null characters)

Because the service then depends on nonexistent objects such as "Á¿î", it can never come up.

It is rooted in the code at VirtualBox-7.0.4\src\VBox\Frontends\VBoxAutostart\VBoxAutostart-win.cpp:777:

com::Bstr bstrDependencies("Winmgmt\0RpcSs\0\0");

SC_HANDLE hSvc = CreateServiceW(hSCM,                            /* hSCManager */
                                bstrServiceName.raw(),           /* lpServiceName */
                                bstrDisplayName.raw(),           /* lpDisplayName */
                                SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG, /* dwDesiredAccess */
                                SERVICE_WIN32_OWN_PROCESS,       /* dwServiceType ( | SERVICE_INTERACTIVE_PROCESS? ) */
                                SERVICE_AUTO_START,              /* dwStartType */
                                SERVICE_ERROR_NORMAL,            /* dwErrorControl */
                                bstrCmdLine.raw(),               /* lpBinaryPathName */
                                NULL,                            /* lpLoadOrderGroup */
                                NULL,                            /* lpdwTagId */
                                bstrDependencies.raw(),          /* lpDependencies */
                                bstrUserFullName.raw(),          /* lpServiceStartName (NULL => LocalSystem) */
                                bstrPwd.raw());                  /* lpPassword */

Although "Winmgmt\0RpcSs\0\0" is the correct format for lpDependencies[1] if it were un-encoded text, it is completely broken because it is an ASCII string and com::Bstr takes a null-terminated ASCII-like string, not null-in-the-middle strings. This causes CreateServiceW to indefinitely scan the memory to find a double null (\0\0) terminator, since in no way can bstrUserFullName contain \0\0 on its own.

This can result in huge information leakage from the heap memory (please remember the Heartbleed incident in OpenSSL) and/or a crash of the process. That is why I consider this a SECURITY DEFECT. Either way, of course, users cannot use the feature they want: auto-starting their VM.

I believe this is a relatively easy fix, so please consider resolving it with high priority.

Regards

[1]  https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicew
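The truncation described above, modelled as an added example that is not VirtualBox code: a narrow, NUL-terminated constructor (standing in for com::Bstr(const char*)) cuts the literal at the first \0 and produces a single-NUL wide string, while a length-aware builder yields the double-NUL-terminated layout lpDependencies expects. Function names are hypothetical, wchar_t stands in for WCHAR, and the Windows API is not called; only the buffer layout is checked.

```cpp
// Added example, not VirtualBox code: models the lpDependencies truncation
// from the ticket and shows a correct double-NUL-terminated (REG_MULTI_SZ
// style) wide string plus a bounded check. Portable C++17, no Windows API.
#include <cstddef>
#include <string>
#include <vector>

// Models com::Bstr(const char*): the argument is a C string, so everything
// after the first embedded NUL is lost. The result is wide text terminated
// by exactly ONE NUL (std::wstring adds it implicitly).
std::wstring bstr_like_from_cstr(const char *s) {
    std::wstring out;
    for (; *s != '\0'; ++s)            // stops at "Winmgmt", never sees "RpcSs"
        out.push_back(static_cast<wchar_t>(static_cast<unsigned char>(*s)));
    return out;
}

// Correct construction: each name followed by NUL, then one final extra NUL.
// Explicit lengths keep the embedded NULs instead of truncating at them.
std::vector<wchar_t> make_multi_sz(const std::vector<std::wstring> &names) {
    std::vector<wchar_t> buf;
    for (const auto &n : names) {
        buf.insert(buf.end(), n.begin(), n.end());
        buf.push_back(L'\0');
    }
    buf.push_back(L'\0');               // list terminator ("\0\0" in total)
    return buf;
}

// Bounded check a caller can run before CreateServiceW: is there a "\0\0"
// pair inside the first `cap` characters? If not, the API would keep scanning
// past the buffer, which is the over-read the ticket describes.
bool has_double_nul_within(const wchar_t *buf, std::size_t cap) {
    for (std::size_t i = 0; i + 1 < cap; ++i)
        if (buf[i] == L'\0' && buf[i + 1] == L'\0')
            return true;
    return false;
}

// Counts the dependency names in a correctly terminated MULTI_SZ buffer.
std::size_t count_multi_sz(const std::vector<wchar_t> &buf) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < buf.size() && buf[i] != L'\0';) {
        ++n;
        while (i < buf.size() && buf[i] != L'\0') ++i;   // skip the name
        ++i;                                              // skip its NUL
    }
    return n;
}
```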

Attachments

VBoxAutostart-win.cpp Download (51.4 KB) - added by cos 7 weeks ago.

Change History

Changed 7 weeks ago by cos

comment:1 Changed 7 weeks ago by aeichner

  • Summary changed from Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc to Buffer Over-Read: Malformed Dependency String in Windows Service VBoxAutostartSvc => fixed in SVN/next 7.0.x maintenance

Thanks for the report and the detailed analysis! This will be fixed in the next maintenance release. I agree that it can be viewed as a security issue (for which you should not have used the public bugtracker but communicated it to secalert_us@…). However, this requires administrative privileges on the host because you can't install the service as a normal user. Furthermore, the process is only very short-lived when installing the service; the only sensitive information in that process is the password of the user given when invoked.

comment:2 Changed 3 weeks ago by galitsyn

  • Status changed from new to closed
  • Resolution set to fixed

Hello,

We just released VirtualBox 7.0.6. This issue should be fixed in this version. You can download it from https://www.virtualbox.org/wiki/Downloads.
