The security expert Sergey Zelenyuk has disclosed the details of a zero-day vulnerability in Oracle's VirtualBox virtualization software that an attacker could exploit to escape from a guest virtual machine to the host.
Zelenyuk publicly disclosed the vulnerability without waiting for a patch from Oracle because of his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.”
“I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty,” wrote the expert on GitHub.
“I’m exhausted of the first two, therefore my move is full disclosure. Infosec, please move forward.”
The vulnerability affects the latest VirtualBox release at the time of disclosure, 5.2.20, and all prior versions, and it can be exploited regardless of the host or guest operating system.
Zelenyuk developed exploit code that works against the default configuration: the only requirements are that the guest's virtual network card is an Intel PRO/1000 MT Desktop (82540EM) and that the adapter is in NAT mode, which is exactly the network setup VirtualBox assigns to a new virtual machine.
The expert successfully tested the exploit on Ubuntu 16.04 and 18.04 x86-64 guests, but he believes the code also works against Windows guests. Zelenyuk also published a video PoC of the exploit.
The root cause is a set of memory corruption bugs in the emulated network device. An attacker with root or administrator privileges inside a guest can exploit them to escape to ring 3 on the host, i.e. to user-mode code execution outside the virtual machine. From there, the attacker can use already known techniques to escalate privileges to host ring 0 via /dev/vboxdrv.
“The exploit is a Linux kernel module (LKM) to load in a guest OS. The Windows case would require a driver differing from the LKM just by an initialization wrapper and kernel API calls,” wrote the expert.
“Elevated privileges are required to load a driver in both OSs. It’s common and isn’t considered an insurmountable obstacle. Look at the Pwn2Own contest, where researchers use exploit chains: a browser that opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0, from where there is anything you need to attack a hypervisor from the guest OS. The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There is also such code in VirtualBox that is reachable without guest root privileges, and it’s mostly not audited yet.”
Until Oracle ships a fix, the expert suggests that users mitigate the issue by changing the emulated network card of their virtual machines to an AMD PCnet adapter or to the paravirtualized (virtio-net) adapter, or, if that is not possible, by switching the adapter out of NAT mode. Changing the adapter type removes the vulnerable device entirely and is therefore the stronger of the two options.
“Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of the two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure,” wrote Zelenyuk.
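The check an administrator would want before applying that advice is a quick audit of which virtual machines still run the vulnerable adapter/mode combination. The following POSIX shell script is an added example, not code from the article or from Zelenyuk's disclosure. It reads the output of `VBoxManage showvminfo <vm> --machinereadable` on stdin and relies on that dump's `nicN="<mode>"` and `nictypeN="<type>"` keys (the same values `VBoxManage modifyvm --nic<N>` and `--nictype<N>` accept). The sample dump embedded at the bottom is constructed for the example, and the verdict names VULNERABLE, REDUCED and OK are this script's own labels: VULNERABLE is the exact combination the disclosure targets, REDUCED means the 82540EM device is still attached but NAT mode has been avoided (the author's weaker mitigation), and OK means the targeted adapter is not present.

```shell
#!/bin/sh
# Audit a `VBoxManage showvminfo <vm> --machinereadable` dump (on stdin) for
# the configuration the disclosure targets: an Intel PRO/1000 MT Desktop
# (82540EM) adapter in NAT mode. Prints one line per enabled adapter and a
# final verdict line: VULNERABLE, REDUCED or OK.
vbox_nic_audit() {
    dump=$(cat)          # read the whole dump once; we scan it per adapter slot
    verdict="OK"
    for n in 1 2 3 4 5 6 7 8; do
        # nicN is the attachment mode (nat, bridged, hostonly, none, ...);
        # nictypeN is the emulated chipset (82540EM, Am79C973, virtio, ...).
        mode=$(printf '%s\n' "$dump" | sed -n "s/^nic$n=\"\(.*\)\"$/\1/p")
        type=$(printf '%s\n' "$dump" | sed -n "s/^nictype$n=\"\(.*\)\"$/\1/p")
        [ -z "$mode" ] && continue          # slot not present in the dump
        [ "$mode" = "none" ] && continue    # adapter disabled
        case "$type:$mode" in
            82540EM:nat)
                printf 'nic%s: %s in %s mode -> exploitable configuration\n' "$n" "$type" "$mode"
                # Suggested fix, following the author's advice (swap the device,
                # VM name is a placeholder): VBoxManage modifyvm "<vm>" --nictype$n virtio
                printf '  fix: VBoxManage modifyvm "<vm>" --nictype%s virtio\n' "$n"
                verdict="VULNERABLE" ;;
            82540EM:*)
                printf 'nic%s: %s in %s mode -> vulnerable device still attached, NAT path avoided\n' "$n" "$type" "$mode"
                [ "$verdict" = "OK" ] && verdict="REDUCED" ;;
            *)
                printf 'nic%s: %s in %s mode -> not the targeted adapter\n' "$n" "$type" "$mode" ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Constructed sample dump (not real output from any machine): a VM with the
# default adapter setup, which is exactly the combination the exploit needs.
SAMPLE_DUMP='name="ubuntu-18.04"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="none"
nic3="none"
nic4="none"'

printf '%s\n' "$SAMPLE_DUMP" | vbox_nic_audit
```

To run it against real machines, feed the script the live dump, e.g. `VBoxManage showvminfo "$vm" --machinereadable | sh -c '. ./audit.sh; vbox_nic_audit'` for each name from `VBoxManage list vms`. The verdict line is the last line of output, so it is easy to grep for in a loop over all VMs.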
(Security Affairs – VirtualBox, Zero-Day)