VTube Studio is a freeware program that allows people to VTube. Essentially, if you have an RTX card or an iPhone, you hook it up to your PC and you can then control a VTuber avatar. An example of a VTuber avatar is seen below.
Note that all three vulnerabilities have been discussed with and disclosed to denchi, the developer of VTS. One requires a malicious collab participant; the other two require an executable already running on your computer, in which case you can be considered "already compromised".
Collab Model Ripping
Scenario: a malicious participant in a VTuber collab can rip the models of all other participants, unencrypted.
Access to the model files is not possible unless you have been invited to the collab and have the session password.
The process, simplified, is as follows:
Join a Live2D VTuber collab.
Once everyone's models have been loaded, the malicious participant (Alice) takes a minidump of the running VTube Studio process from Task Manager.
Later, Alice loads the minidump in WinDbg and, with a JavaScript or PyKd script, carves out the asset files that make up each model.
In practice it is somewhat more involved. A marker, used much like an egg-hunter in shellcode, locates the SHA256 sums of the models in memory. From there an experienced reverse engineer can find the offsets to other function pointers that lead to the model files, which can then be carved out.
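The two building blocks of that carving step, as an added example (not the author's PoC and not VTube Studio's own code): an egg-hunter style marker search, and a carver that walks PNG chunks and verifies their CRCs so that a stray signature inside unrelated memory is not mistaken for a texture. The memory image is constructed inline and treated as a flat byte array; a real minidump would first need its MINIDUMP_MEMORY64_LIST ranges walked, which is assumed away here, and which assets VTS keeps in memory (textures are used as the stand-in) is likewise an assumption.

```python
"""Carve PNG assets out of a flat memory image (added example, constructed data)."""
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int = 2, height: int = 2) -> bytes:
    """A tiny valid 8-bit RGB PNG standing in for a model texture (constructed, not a real VTS asset)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines)) + png_chunk(b"IEND", b""))


def find_egg(blob: bytes, egg: bytes) -> list:
    """Egg-hunter style search: every offset at which the marker `egg` occurs."""
    offsets, i = [], blob.find(egg)
    while i != -1:
        offsets.append(i)
        i = blob.find(egg, i + 1)
    return offsets


def carve_png_at(blob: bytes, start: int):
    """Walk chunks from a signature at `start`; return the exact PNG bytes, or None if not intact."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob) or not ctype.isalpha():
            return None  # implausible chunk: the signature sat inside unrelated data
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return None  # corrupted or partially paged-out chunk
        pos = end
        if ctype == b"IEND":
            return blob[start:pos]
    return None


def carve_all_pngs(blob: bytes) -> list:
    """Return (offset, bytes) for every intact PNG in the image."""
    found, i = [], blob.find(PNG_SIG)
    while i != -1:
        png = carve_png_at(blob, i)
        if png is None:
            i = blob.find(PNG_SIG, i + 1)
        else:
            found.append((i, png))
            i = blob.find(PNG_SIG, i + len(png))
    return found


# Constructed memory image: padding, a model file name, the hex SHA-256 of the texture (the kind of
# marker an egg hunt keys on), the texture itself, then a decoy PNG signature followed by garbage.
SAMPLE_PNG = build_sample_png()
SAMPLE_HASH = hashlib.sha256(SAMPLE_PNG).hexdigest().encode()
SAMPLE_DUMP = (b"\x00" * 64 + b"demo.model3.json\x00" + SAMPLE_HASH + b"\x00" * 32
               + SAMPLE_PNG + b"\xff" * 16 + PNG_SIG + b"JUNKJUNK" + b"\x00" * 40)


def carve_sample_dump() -> list:
    """Carve every intact PNG out of the constructed image (the decoy must be rejected)."""
    return carve_all_pngs(SAMPLE_DUMP)


if __name__ == "__main__":
    print("hash marker at", find_egg(SAMPLE_DUMP, SAMPLE_HASH))
    for off, png in carve_sample_dump():
        print(f"PNG at 0x{off:x}, {len(png)} bytes, sha256={hashlib.sha256(png).hexdigest()}")
```

The CRC walk is what makes this usable on a process dump rather than a clean file: textures that were partially paged out or overwritten fail the check instead of producing a truncated carve, and the marker search gives you a starting region to correlate with the model that owns the asset.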
It's also worth noting that VTube Studio's Assembly-CSharp.dll can be hooked at runtime to bypass all of this, which will also give you the decryption keys. No minidump needs to be taken, nothing. Eventually, I plan to write a PoC for this.
Given the worth of VTuber models this is relatively severe, but it only affects you if you have a malicious actor in your collab. A proof-of-concept exploit will likely be released sometime soon on my GitHub.
VTube Studio Permissions Bypass
Scenario: you have installed a new VTube Studio plugin and it is able to bypass the permission checks for risky API calls, potentially doing something malicious within VTube Studio.
Note that a malicious VTube Studio plugin is *not* limited to interfering with the API. A malicious actor may drop a trojan, stealer or miner, and/or try to escalate to `NT AUTHORITY\SYSTEM`, alongside this. Please vet your plugins carefully!
From reverse engineering how `.vtsauth` files are created (VTube Studio's internal record that permission has been granted for risky API access) I've discovered it's possible to reimplement their code and forge a `.vtsauth` file for your plugin before accessing the risky endpoint. `.vtsauth` files contain metadata about the plugin and are encrypted with AES-256 using a static 16-byte key and salt, so anyone who can read the binary can recover both. Either the values the check compares against can be changed at runtime, or the file can be forged outright and placed in the correct directory.
The reference (decompiled) code for how VTube Studio handles `.vtsauth` files is seen here:
```csharp
private void CreateOrDeletePluginAuthFile(PluginEntry plugin, bool createNewAuth)
{
    VTubeStudioAPI.APIDebug("Scanning for existing tokens for plugin \"" + plugin.Name + "\".", false);
    EncryptionHelper.SimpleAes simpleAes = new EncryptionHelper.SimpleAes();
    string pluginsFolderPath = IOHelper.GetPluginsFolderPath();

    // Any existing grant for the same name/developer pair is dropped first.
    foreach (PluginEntry pluginEntry in Executor_AuthenticationTokenRequest.GetAllPluginEntriesAndDeleteInvalidOnes(null))
    {
        if (Executor_AuthenticationTokenRequest.checkIfSameNameAndDeveloper(pluginEntry, plugin))
        {
            VTubeStudioAPI.APIDebug("Removing old authentication data for plugin \"" + plugin.Name + "\". Old token was invalidated.", false);
            IOHelper.DeleteIfExists(Path.Combine(pluginsFolderPath, pluginEntry.ID + ".vtsauth"));
        }
    }

    if (createNewAuth)
    {
        // The grant is nothing more than the plugin's JSON encrypted under SimpleAes (static key and salt):
        // anyone holding that key can write an equivalent file into the plugins folder.
        string unencrypted = JsonUtility.ToJson(plugin);
        string text = simpleAes.Encrypt(unencrypted);
        IOHelper.WriteTextFile(Path.Combine(pluginsFolderPath, plugin.ID + ".vtsauth"), text);
        VTubeStudioAPI.APIDebug(string.Concat(new string[]
        {
            "Authenticated plugin \"", plugin.Name,
            "\" by developer \"", plugin.Developer,
            "\". Returning token.",
        }), false);
    }

    simpleAes.Dispose();
    APIPermissionData.ReloadPermissionsFromDisk();
    SingletonMonoBehaviour<CustomDataItemWhitelistManager>.Instance().ClearWhitelistForPlugin(plugin.Name, plugin.Developer);
}
```
Some bits have been omitted. This much, plus the AES key and salt, is enough to forge your own `.vtsauth` file. However, the patch is just as easy.
A BepInEx plugin, called Marathon, patches out this vulnerability and the following, more severe one.
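Why a static key gives no authenticity, and what a grant file that resists forgery looks like, as an added example. This is not Marathon's patch and not VTube Studio's code; it is a hypothetical grant scheme written in Python with stdlib HMAC, where `STATIC_SECRET` stands in for a key baked into a binary and `new_install_secret` for a per-install secret generated on first run and stored outside the plugin-writable folder.

```python
"""Plugin permission grants: static-key forgery versus a per-install keyed MAC (added example)."""
import hashlib
import hmac
import json
import secrets

# Hypothetical stand-in for a secret compiled into the application. Whoever can read the
# binary (a malicious plugin author, for one) has it too.
STATIC_SECRET = b"same-on-every-install"


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so the MAC covers exactly one encoding of the record."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(record: dict, secret: bytes) -> bytes:
    """Grant file body: the plugin record plus an HMAC-SHA256 tag under `secret`."""
    tag = hmac.new(secret, _canonical(record), hashlib.sha256).hexdigest()
    return _canonical({"plugin": record, "tag": tag})


def verify_grant(body: bytes, secret: bytes):
    """Return the plugin record if the tag verifies under `secret`, else None."""
    try:
        doc = json.loads(body)
        record, tag = doc["plugin"], doc["tag"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(secret, _canonical(record), hashlib.sha256).hexdigest()
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        return None
    return record


def new_install_secret() -> bytes:
    """Per-install secret (assumed: created once on first run, kept outside the plugins folder)."""
    return secrets.token_bytes(32)


def attacker_forges(record: dict, known_secret: bytes) -> bytes:
    """A malicious plugin that knows a secret simply issues its own grant and skips the user prompt."""
    return issue_grant(record, known_secret)


EVIL = {"ID": "deadbeef", "Name": "Totally Legit Plugin", "Developer": "Mallory", "risky": True}


def forgery_accepted_static() -> bool:
    """Static secret: the forged file verifies, because attacker and app share the same key."""
    return verify_grant(attacker_forges(EVIL, STATIC_SECRET), STATIC_SECRET) == EVIL


def forgery_accepted_per_install() -> bool:
    """Per-install secret: knowledge of the binary alone no longer lets the attacker forge."""
    install_secret = new_install_secret()
    return verify_grant(attacker_forges(EVIL, STATIC_SECRET), install_secret) == EVIL


def tamper_detected() -> bool:
    """Editing a legitimately issued grant (flipping a permission) invalidates its tag."""
    install_secret = new_install_secret()
    body = issue_grant({"ID": "c0ffee", "Name": "Good Plugin", "Developer": "Alice", "risky": False},
                       install_secret)
    doc = json.loads(body)
    doc["plugin"]["risky"] = True
    return verify_grant(_canonical(doc), install_secret) is None


if __name__ == "__main__":
    print("static key, forgery accepted:", forgery_accepted_static())
    print("per-install key, forgery accepted:", forgery_accepted_per_install())
    print("tampered grant rejected:", tamper_detected())
```

The caveat is the one the post itself makes: a plugin running as the same user can still read the per-install secret, and in-process hooking of Assembly-CSharp.dll sidesteps the file entirely. A keyed grant raises the bar from "anyone who read the binary" to "code already running on this machine as you", which is where "already compromised" begins.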
Subshell PowerShell Code Execution from a Signed App
VTube Studio contains a defunct antivirusInstalled function. It has a TOCTOU (time-of-check to time-of-use) race around executing a .ps1 file, which effectively turns VTS into a LOLBIN: a signed process that runs attacker-supplied code at the user level.
Again, this requires a malicious plugin to already be installed on your PC. It is also not a vulnerability in plugins themselves, but rather a TOCTOU on the .ps1 file VTS creates when it checks your antivirus. The antivirus-check code is never called by VTS itself; an attacker must invoke it.
An enterprising threat actor can check whether the binary is installed, hook it using Mono, and forcibly execute this function while supplying their own malicious .ps1 file. Given that PowerShell can elevate to NT AUTHORITY\SYSTEM, I'd say this is an issue.
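Since VTS never calls that code path on its own, any PowerShell child of the VTube Studio process is worth alerting on. The following detection logic is an added example, not tooling from the post: it runs a rule over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1; the executable path and name `VTube Studio.exe` are assumptions) and escalates the finding when the script argument points into a user-writable directory or the execution policy is bypassed.

```python
"""Flag PowerShell spawned by VTube Studio (added example; records are constructed)."""
import re

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
VTS_IMAGE = "vtube studio.exe"  # assumed process name
# Locations a non-admin process can write to, where a swapped-in .ps1 would plausibly live.
WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_ARG = re.compile(r'(?i)-file\s+"?([^"\s]+\.ps1)')
BYPASS_ARG = re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass")

# Constructed Sysmon Event ID 1 records as a log pipeline would hand them to a rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\VTube Studio\VTube Studio.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\VTube Studio\VTube Studio.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\VTube Studio\VTube Studio.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\avcheck.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Program Files\VTube Studio\VTube Studio.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding for a PowerShell child of VTube Studio, else None."""
    if event.get("EventID") != 1:
        return None
    if basename(event.get("ParentImage", "")) != VTS_IMAGE:
        return None
    child = basename(event.get("Image", ""))
    if child not in POWERSHELL:
        return None
    cmd = event.get("CommandLine", "")
    reasons = ["PowerShell spawned by VTube Studio, which has no legitimate code path that does this"]
    m = SCRIPT_ARG.search(cmd)
    if m and any(h in m.group(1).lower() for h in WRITABLE_HINTS):
        reasons.append("script lives in a user-writable location: " + m.group(1))
    if BYPASS_ARG.search(cmd):
        reasons.append("execution policy bypassed")
    return {"image": child, "command": cmd, "reasons": reasons}


def hunt(events: list) -> list:
    """Run the rule over a batch of records and keep the findings."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

The parent/child pairing is the signal; the argument checks only rank it. A benign PowerShell launched from Explorer (third record) and a non-PowerShell child of VTS (fourth record) both stay quiet, which keeps the rule from turning into generic PowerShell noise.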
Proof of concepts for the first and last vulnerabilities will be out on GitHub soon. If you like my work, you can support me by buying me a Ko-Fi.
Be on the lookout at https://github.com/impost0r for the proof-of-concept tooling. Adieu!