Hardening Problem with VirtualBox and Outpost Firewall (#13659)


Postby Todd Almighty » 24. Oct 2019, 16:19


ModEdit; related ticket: #13659: Hardened protection incorrectly get name of injected signed (!) dll and can't verify signature, so rejecting it

My Windows 8.1 x64 systems are affected by the bug reported here originally against VirtualBox 4.3.20 (2014?). I've updated the bug report several times, including my most recent comment confirming that the latest VirtualBox 6.0.14r133895 still has the problem. Others have attached logs to the report, and I attached a portion of the hardening log from 6.0.14 related to WL_HOOK.DLL, which is the DLL that Outpost wants to inject.

This is becoming very urgent. For some reason, Windows 7 doesn't seem to be affected by this issue for me, but Windows 7 is EOL in a few months, so I need Windows 8.1 to work. Can someone from Oracle fix the problem? In Explorer, I opened the properties for the DLL and it reports that the digital signature is OK, so there should be no problem...yet it's rejected by VB.

I really don't want to have to build VB myself in order to disable hardening. (Or more likely, if I went to all that trouble, I'd probably leave hardening on and just create an exception for that one DLL. It's already protected from modification by Outpost itself.)

[BTW, anyone know how to change your screen name? I'm not seeing any way.]
Last edited by socratis on 25. Oct 2019, 11:12, edited 1 time in total.
Reason: Added ticket related information.
Todd Almighty
 
Posts: 37
Joined: 13. Nov 2013, 13:44

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby scottgus1 » 24. Oct 2019, 16:42

The Bugtracker ticket does seem to have interaction from the developers. That it's not fixed would seem to indicate it cannot be fixed by the developers.

Has anyone contacted Outpost or tried the Microsoft tools suggested in the Bugtracker ticket?

Also, as a test, try a different hard drive in your PC and a fresh install of the OS and Virtualbox. Then add a fresh download & install of Outpost and see if Virtualbox still runs. Sometimes a bit flips and things go south, but a fresh install may work.

FWIW there are other firewalls, and Windows' own firewall works rather OK, and no troubles with Virtualbox. FWIW2, Windows 8 will go EOL in just three years. Surprising how quick three years flies by. Try Windows 10?
scottgus1
Site Moderator
 
Posts: 11362
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 24. Oct 2019, 17:31

scottgus1 wrote:The Bugtracker ticket does seem to have interaction from the developers. That it's not fixed would seem to indicate it cannot be fixed by the developers.

I wouldn't necessarily say that they can't. Evidently, they won't, but I'm not sure why. The fault definitely appears to be with VirtualBox, since the DLL has valid signatures.

scottgus1 wrote: Has anyone contacted Outpost or tried the Microsoft tools suggested in the Bugtracker ticket?

Agnitum is gone, has been gone for more than two years. If you're referring to "sigcheck" as the "microsoft tool," why exactly would that be more valid than the OS telling me that the file has valid digital signatures? Not sure why there would be a difference.

scottgus1 wrote: Also, as a test, try a different hard drive in your PC and a fresh install of the OS and Virtualbox. Then add a fresh download & install of Outpost and see if Virtualbox still runs. Sometimes a bit flips and things go south, but a fresh install may work.

Hmm. I guess that's something to try.

scottgus1 wrote: FWIW there are other firewalls, and Windows' own firewall works rather OK, and no troubles with Virtualbox. FWIW2, Windows 8 will go EOL in just three years. Surprising how quick three years flies by. Try Windows 10?

Outpost isn't just a FW, it's HIPS software. It can and does block software from outbound access, unlike Windows firewall. In fact I use it to prevent Windows from accessing the internet except when I want. There are few replacements. I would be skeptical about domestic software having backdoors for government access unless it's open source.

Not a fan of Windows 10. Lots of telemetry spying on you that's difficult to disable and it continues the tradition of dumbing down your control over your own system like Windows 8. UWP and DCH drivers trying to redouble control over all users. No, I'll probably go to Linux instead of Windows 10. Windows 7 was truly a great OS. If only it could have been updated forever.

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby socratis » 24. Oct 2019, 18:16

Todd Almighty wrote:The fault definitely appears to be with VirtualBox, since the DLL has valid signatures.
Not quite. Please read really carefully the following FAQ: Diagnosing VirtualBox Hardening Issues.

VirtualBox compares the signatures of the DLL with the Windows Certificate Database. If there's a mismatch, the DLL is thrown away. It has absolutely nothing to do with the DLL itself having valid signatures or not. It's that they don't match with what's expected.

If the company is gone, you have a decision to make; either Outpost, or VirtualBox. Quite simple... but rather difficult. :?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
socratis
Site Moderator
 
Posts: 27690
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 24. Oct 2019, 20:20

socratis wrote:
Todd Almighty wrote:The fault definitely appears to be with VirtualBox, since the DLL has valid signatures.
Not quite. Please read really carefully the following FAQ: Diagnosing VirtualBox Hardening Issues.

VirtualBox compares the signatures of the DLL with the Windows Certificate Database. If there's a mismatch, the DLL is thrown away. It has absolutely nothing to do with the DLL itself having valid signatures or not. It's that they don't match with what's expected.

Well, I did read it carefully and didn't pick up that meaning. From this section:
WHAT CAN CAUSE A HARDENING RELATED FAILURE?: The root cause of most hardening failures (see note) is an invalid certificate in a DLL which has been loaded into the VirtualBox execution space. An invalid certificate can be due to one of four things (1) the DLL never had a certificate - e.g. malware, free software, or the vendor forgot, (2) the DLL has been hacked, invalidating the signature, (3) the Windows certificates database has been damaged by host corruption or a buggy Windows update, (4) something, most likely your antivirus, is blocking VirtualBox's attempts to access the executable to check its certificate.

Since #1, #2, and #4 don't apply, that would imply that the "Windows certificates database has been damaged" ... but I don't think so. I.e., I don't think you're saying it was "damaged" in this case, but that it's just (correctly?) rejecting the signed Outpost DLL. It never says in the article that you might have a DLL with a valid digital signature that reports "OK" in Windows Explorer, but which fails to pass muster according to the "Windows certificates database." What's the difference between how Explorer evaluates a certificate, and the "Windows certificates database" is used by VB?

socratis wrote: If the company is gone, you have a decision to make; either Outpost, or VirtualBox. Quite simple... but rather difficult. :?

Nah, I'm like Captain Kirk. I don't accept "no win" situations. I'll just rig the game so I can win...I mean I'll just build VB from source with whatever change I need.

But first I'd like to understand the problem. I'm not getting your implied distinction between what Windows Explorer reports as valid and the "Windows certificate database." Apparently, you're saying the latter can reject something that reports OK in Explorer.

Did you look at the hardening log I attached to the bug report? Does the error code match the scenario where the certificate is not being accepted?

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 25. Oct 2019, 05:18

I compared the hardening logs of the two machines - the Windows 7 machine where it's working, and the Windows 8.1 machine where it's not.

On the Windows 7 machine, I see "supHardenedWinVerifyImageByHandle: -> 0" for wl_hook64.dll, so clearly successful.

On the Windows 8.1 machine, I see "supHardenedWinVerifyImageByHandle: -> 24202" for the same dll. So this is likely related to the problem. Most likely, VirtualBox is refusing to load the DLL. However, this is wrong, because I found the meaning of that code:

We can see all of the hardening error codes here. Here's a snippet:

Code:
  :
  %define VINF_CR_DIGEST_DEPRECATED    (24202)
  %define VERR_CR_DIGEST_DEPRECATED    (-24202)
  %define VINF_CR_DIGEST_COMPROMISED    (24203)
  %define VERR_CR_DIGEST_COMPROMISED    (-24203)
  :


Note that 24202, a positive number, is an INFO not an ERROR!!!. It's stating that the digest is deprecated.

In fact, I installed all three certificates from the DLL into the Windows Certificate Store, and I still get status 24202. So it's likely an intrinsic aspect of the chain, but as it's > 0, and is not an error, VB should go ahead and load it.

On Windows 7, I see this: "supR3HardenedWinVerifyCacheProcessWvtTodos: 0 (was 0) fWinVerifyTrust=1",
but on Windows 8.1, I see this: "supR3HardenedWinVerifyCacheProcessWvtTodos: 24202 (was 24202) fWinVerifyTrust=0"

So, can someone fix the VirtualBox source code? You should not be rejecting DLL loading because of INFO messages. (Note that in the ticket linked above, the OP got a different error code, -23021, which was actually an error and justifiably blocked loading the DLL. So this is a different situation.)
Todd Almighty
 
Posts: 37
Joined: 13. Nov 2013, 13:44
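
The log comparison described in the post above can be scripted. The following is an added example, not part of the original post and not VirtualBox code: it reads hardening-log lines, classifies each status by sign following the VINF_/VERR_ naming in the quoted snippet, and flags images whose status is positive while fWinVerifyTrust is logged as 0. The sample lines are constructed; their pid.tid prefix, device paths and trailing path layout are assumptions.

```python
import re
from collections import defaultdict

# Status names from the snippet quoted in the post; any other code is
# classified by its sign only.
KNOWN = {
    24202: "VINF_CR_DIGEST_DEPRECATED",
    -24202: "VERR_CR_DIGEST_DEPRECATED",
    24203: "VINF_CR_DIGEST_COMPROMISED",
    -24203: "VERR_CR_DIGEST_COMPROMISED",
}

# Constructed sample. Function names and status values are the ones quoted in
# the thread; prefix, paths and the "(path)" / "for 'path'" tails are assumed.
SAMPLE_LOG = r"""
1a2c.0b10: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
1a2c.0b10: supR3HardenedWinVerifyCacheProcessWvtTodos: 0 (was 0) fWinVerifyTrust=1 for '\Device\HarddiskVolume2\Windows\System32\kernel32.dll'
1a2c.0b10: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume2\Example\wl_hook64.dll)
1a2c.0b10: supR3HardenedWinVerifyCacheProcessWvtTodos: 24202 (was 24202) fWinVerifyTrust=0 for '\Device\HarddiskVolume2\Example\wl_hook64.dll'
1a2c.0b10: supHardenedWinVerifyImageByHandle: -> -23021 (\Device\HarddiskVolume2\Example\other.dll)
"""

VERIFY_RE = re.compile(
    r"supHardenedWinVerifyImageByHandle: -> (-?\d+) \((.+)\)\s*$")
WVT_RE = re.compile(
    r"supR3HardenedWinVerifyCacheProcessWvtTodos: (-?\d+) \(was (-?\d+)\) "
    r"fWinVerifyTrust=(\d) for '(.+)'\s*$")


def classify(rc):
    """Sign convention visible in the snippet: VINF_ > 0, VERR_ < 0."""
    if rc == 0:
        return "success"
    return "informational" if rc > 0 else "error"


def triage(log_text):
    """Return one record per image with its last status and logged flag."""
    images = defaultdict(lambda: {"rc": None, "wvt_flag": None})
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            images[m.group(2)]["rc"] = int(m.group(1))
            continue
        m = WVT_RE.search(line)
        if m:
            rec = images[m.group(4)]
            rec["rc"] = int(m.group(1))
            rec["wvt_flag"] = int(m.group(3))  # fWinVerifyTrust as logged
    report = []
    for path, rec in images.items():
        rc, flag = rec["rc"], rec["wvt_flag"]
        report.append({
            "image": path.rsplit("\\", 1)[-1],
            "rc": rc,
            "name": KNOWN.get(rc, "(not in the quoted snippet)"),
            "class": classify(rc),
            "wvt_flag": flag,
            # The case discussed in this thread: positive status, flag 0.
            "info_but_flag_zero": rc > 0 and flag == 0,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```
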

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby mpack » 25. Oct 2019, 13:22

Todd Almighty wrote:It's stating that the digest is deprecated.

"Digest" as in hash code, meaning that the hash calculation uses an algorithm that has been deemed crackable?

Todd Almighty wrote:Note that 24202, a positive number, is an INFO not an ERROR!!!.

You talk like that's an absolute truth. It isn't. It's up to an application (or Windows, if the error comes from there), to decide how seriously to treat warnings. In this case it indicates that if the hash can be cracked then the DLL could be malware, and therefore the trust of the entire application is compromised. IMHO there's no way VirtualBox can justify ignoring that.

Todd Almighty wrote:So, can someone fix the VirtualBox source code?

If you mean can Oracle ignore the deprecation and compromise their code, risk their certification: I'm going to guess not. You could however compile the code yourself and supply your own certificates.
mpack
Site Moderator
 
Posts: 33473
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 25. Oct 2019, 15:22

mpack wrote:
Todd Almighty wrote:It's stating that the digest is deprecated.

"Digest" as in hash code, meaning that the hash calculation uses an algorithm that has been deemed crackable?

Nice strawman argument. Nope, it means that it might be at risk in the future. If it were compromised, that would be an actual error code. Any DLL is "potentially" crackable. Do we know what sort of classified technology exists in top secret special compartmentalized quantum computation projects? Nope.

Todd Almighty wrote:Note that 24202, a positive number, is an INFO not an ERROR!!!.

mpack wrote: You talk like that's an absolute truth. It isn't. It's up to an application (or Windows, if the error comes from there), to decide how seriously to treat warnings. In this case it indicates that if the hash can be cracked then the DLL could be malware, and therefore the trust of the entire application is compromised. IMHO there's no way VirtualBox can justify ignoring that.

As I mentioned there is no guarantee that any hash is uncrackable. Do you know how much software to this day is still signed with SHA1? This code is simply a warning for the user, not deemed serious enough to be an error.

Moreover, why does VirtualBox on Windows 7 not report it at all, if it's so "risky"?

Todd Almighty wrote:So, can someone fix the VirtualBox source code?

mpack wrote: If you mean can Oracle ignore the deprecation and compromise their code, risk their certification: I'm going to guess not. You could however compile the code yourself and supply your own certificates.


"Risk their certification"? Do you have any proof, a link or something, that they're REQUIRED to reject DLLs that pass with deprecations?

Why does VMWare, a product sold for profit, ALLOW this same DLL to be injected, without issue? Wouldn't they be risking even more money if it were so "dangerous"?

I can see it was a waste of time to try to solve this, because you're going to dig in your heels and refuse to admit any mistake, or refuse to let the user have control over his own machine without building from source. Nice of Oracle to be such a Nanny State arbiter of my risk.

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 25. Oct 2019, 18:21

mpack wrote: You could however compile the code yourself and supply your own certificates.

My research indicates it should be sufficient to re-sign the DLL with a self-signed certificate, and then register it with the local machine's certificate store, using the released version of VB, though I haven't actually had time to try it yet. If I did have to build VB from source, I would just exempt that DLL and there would be no need to worry about certificates in that case.

Since you claim to be speaking from a position of authority, why would you suggest a path that requires more work than necessary?

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby mpack » 25. Oct 2019, 18:26

Todd Almighty wrote:Why does VMWare, a product sold for profit, ALLOW this same DLL to be injected, without issue? Wouldn't they be risking even more money if it were so "dangerous"?

Why ask me that? I know little and care less about VMWare policies, plus I have no idea how much I can rely on your assertions on that score. In any case it's irrelevant: as I already said, it's up to each app to determine how seriously it takes deprecation issues.

I have no doubt that the dev team's attitude is dictated to them by Oracle group policy, and no amount of belly-aching by you will change that - unless of course you're in a position to buy enough Oracle stock that you can influence security policy.

Re: Hardening Problem with VirtualBox and Outpost Firewall (#13659)

Postby socratis » 25. Oct 2019, 20:36

Todd Almighty wrote:What's the difference between how Explorer evaluates a certificate, and the "Windows certificates database" is used by VB?
Todd Almighty wrote:But first I'd like to understand the problem.

Going round and round with the certificates/signatures won't help you. Relax, don't take an offensive attitude due to your frustration, and try to understand how this works. Mind you, we're all users here, not developers, no one has special authorities. The logic is so simple actually, that it's a joke:

  • An application (DLL) tried to invade VirtualBox's memory space.
  • VirtualBox checks to see if the DLL's signatures match what's in the Windows Certificate Database (WCD).
  • If they match, all is good. If they don't the DLL gets rejected.
Now, things went bad with DLLs that they shouldn't, like trusted antivirus and GPU drivers. Why? Because when these get updated, someone forgot to update the WCD. The simple solution? Download the package and re-install the offending app, that might jolt things in place.

Todd Almighty wrote:I mean I'll just build VB from source with whatever change I need.
Todd Almighty wrote:So, can someone fix the VirtualBox source code?
Todd Almighty wrote:let the user have control over his own machine without building from source
Todd Almighty wrote:If I did have to build VB from source, I would
By all means, go for it, that would make everyone's life easier. The instructions tell you exactly how to do what you want: VBOX_WITHOUT_HARDENING=1.

Re: Hardening Problem with VirtualBox and Outpost Firewall (#13659)

Postby Todd Almighty » 25. Oct 2019, 22:32

socratis wrote: By all means, go for it, that would make everyone's life easier. The instructions tell you exactly how to do what you want: VBOX_WITHOUT_HARDENING=1.

It would make "everyone's life easier" for me to give up and just build VB from source? So, you two or three regulars who've been responding to me's time is more important than a potential solution for all the VB customers affected by a similar problem as I reported?

If I had to guess, I think the collective time of all users struggling with similar issues is probably a larger number than whatever any of you had to use responding to me. Of course, I didn't know going in that I would be facing such relentless resistance to what appears common sense to me. That you don't bail out due to an info/warning/deprecation.

So it's hard to take that as anything but an insult.

BTW, I'm assuming I can just self-sign the DLL in question and then register the certificate in the local machine's certificate store, rather than rebuilding VB. If I do have to rebuild it, I won't just be flipping that flag, I'll be adding an exception for that DLL - to do otherwise, would be placing me in great danger :-), right, as my machine would be immediately compromised!

Re: Hardening Problem with VirtualBox and Outpost Firewall

Postby Todd Almighty » 25. Oct 2019, 22:37

mpack wrote:
Todd Almighty wrote:Why does VMWare, a product sold for profit, ALLOW this same DLL to be injected, without issue? Wouldn't they be risking even more money if it were so "dangerous"?

Why ask me that? I know little and care less about VMWare policies, plus I have no idea how much I can rely on your assertions on that score. In any case it's irrelevant: as I already said, it's up to each app to determine how seriously it takes deprecation issues.

I have no doubt that the dev team's attitude is dictated to them by Oracle group policy, and no amount of belly-aching by you will change that - unless of course you're in a position to buy enough Oracle stock that you can influence security policy.


Whatever Oracle's policy, it's completely reasonable to assume that it reflects not a decision made in a vacuum, but one made in full knowledge of their competitors' policies - including VMWare. So what VMware is doing is absolutely not "irrelevant," just as Ford probably factors in what Toyota is doing when they make a decision.

I don't think either of us has any evidence that Oracle has actively decided to reject certs because of deprecation warnings, though that's your claim. The interaction on the ticket dealt with an actual error (<0), so it's not the same, though I didn't know that until just a day or so ago.

Re: Hardening Problem with VirtualBox and Outpost Firewall (#13659)

Postby socratis » 25. Oct 2019, 23:07

Todd Almighty wrote:It would make "everyone's life easier" for me to give up and just build VB from source?
Yep! Actually it's you that mentioned it first, and multiple times, as the "Captain Kirk" solution...

Todd Almighty wrote:So, you two or three regulars who've been responding to me's time is more important
Absolutely. Because instead of spending time explaining 5 times what is a simple concept, I could be helping 5 other users instead. So yes, it would be a better investment of my time, don't you think?

Todd Almighty wrote:for all the VB customers affected by a similar problem as I reported?
1) It's actually the VirtualBox customers that asked for this, 2) You are not a customer, you are a freeloader, just like myself.

Todd Almighty wrote:I think the collective time of all users struggling with similar issues is probably a larger number than whatever any of you had to use responding to me.
Haven't done the statistics, but the thing is that most of them (if not all) accept that fact and move on; either update, or uninstall the offending apps.

Todd Almighty wrote:BTW, I'm assuming I can just self-sign the DLL in question and then register the certificate in the local machine's certificate store
I honestly don't have the slightest idea. If you do manage to do it, I'd be interested about the details. But if it was that easy, every "yahoo" out there could sign a malware and stick it in the database as a signed app. Can't be that easy...

Re: Hardening Problem with VirtualBox and Outpost Firewall (#13659)

Postby scottgus1 » 26. Oct 2019, 01:31

Todd, I can understand why you may want to avoid Windows 10. I don't let that stop me, though I do turn off all those 'phone home' things during the installation.

Please keep in mind that there may be glitches in your PC, and a test fresh reinstall could show that. Or not, I'm just guessing. Some folks have found that they have got Virtualbox and the formerly-offending software to cooperate after a fresh OS install.

Alternative 2: Dump Windows and go to Linux host. Windows 8 has just a bit more time anyway. I have my Windows tablet in for repair, now using a Linux Mint laptop. It's rather similar and easy to use. Much less Virtualbox hardening on Linux, and you might not need Outpost either. Then keep a Windows PC or VM for those few progs that Wine can't help with, & keep Windows off the internet with Host-Only or the Access Restrictions in the router.
