Zero-day flaw in VirtualBox details go public

News by Rene Millman

Security researchers have discovered a flaw in virtual machine software VirtualBox which enables threat actors to leave the virtual environment of the guest machine.

Security researchers have discovered a flaw in virtual machine software VirtualBox which enables threat actors to leave the virtual environment of the guest machine.

The vulnerability lets hackers reach the Ring 3 privilege layer, which is used for running application code with the least amount of privilege.

According to a posting on Github, the problem affects VirtualBox 5.2.20 and prior versions. The problem affects any host OS or guest OS with a VM configuration in the default setting.

The flaw was posted by vulnerability researcher Sergey Zelenyuk, the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.

The bug can be used on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode. This mode enables the guest system to access external networks.

He added that the bug works because of how the software processes context descriptors before data descriptors. The flaw requires a buffer overflow, this then lets an attacker leave a virtual operating system.

Zelenyuk described how the exploit is used in a Linux kernel module (LKM) to load a guest OS. The LKM disables E1000 loopback mode to make stack buffer overflow code unreachable. This then uses the integer underflow vulnerability to make the heap buffer overflow. The heap buffer overflow allows for use E1000 EEPROM to write two any bytes relative to a heap buffer in 128 KB range. Hence the attacker gains a write primitive.

After a few more steps the LKM enabled E1000 loopback mode makes stack buffer overflow code reachable.

"This then uses the integer underflow vulnerability to make the heap buffer overflow and the stack buffer overflow. Saved return address (RIP/EIP) is overwritten. The attacker gains control," said the researcher.

Afterwards a ROP chain is executed to execute a shellcode loader. This shellcode loader copies a shellcode from the stack next to itself and the shellcode is executed.

Finally, the attacker unloads the LKM and loads e1000.ko back to allow the guest to use network.

The researcher has posted a video online showing how the exploit can be carried out.

Zelenyuk said that until the patched VirtualBox build is out, "you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualised Network".

"If you can't, change the mode from NAT to another one. The former way is more secure," he added.

The researcher said that the reason for his publishing of the zero day vulnerability had nothing to do with VirtualBox rather he has a disagreement with contemporary state of infosec, especially of security research and bug bounty. He said that he was exhausted with waiting half a year for patches to vulnerabilities to be implemented as well as issues in submitting flaws to bug bounty programs as there is no guidance from companies about which bugs are required and how much is likely to be paid out to security researchers.

He also lambasted the "delusions of grandeur" surrounding the naming of vulnerabilities and the websites created for them.

"I'm exhausted of the first two, therefore my move is full disclosure. Infosec, please move forward," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events