A researcher has disclosed the details of a zero-day vulnerability affecting Oracle’s VirtualBox virtualization software. The flaw appears serious as exploitation can allow a guest-to-host escape.
Russian researcher Sergey Zelenyuk discovered the security hole and he decided to make his findings public before giving Oracle the chance to release a patch due to his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.”
According to Zelenyuk, the vulnerability affects VirtualBox 5.2.20 and prior versions – 5.2.20 is the latest version, released on October 16 – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code. The expert has tested his exploit, which he claims is “100% reliable,” on Ubuntu 16.04 and 18.04 x86-64 guests, but he believes the attack also works against Windows.
An attack can only be carried out against virtual machines using an Intel PRO/1000 MT Desktop (82540EM) network card (E1000), with network address translation (NAT) enabled, which is the default configuration.
The security hole, caused by memory corruption bugs, allows an attacker with root or administrator privileges to the guest system to escape to the host userland (ring 3). From there, they may be able to obtain kernel privileges (ring 0) on the host by exploiting other vulnerabilities. Exploitation starts by loading a Linux kernel module (LKM) in the guest operating system.
“Elevated privileges are required to load a driver in both OSs. It’s common and isn’t considered an insurmountable obstacle. Look at Pwn2Own contest where researchers use exploit chains: a browser opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0, where there is anything you need to attack a hypervisor from the guest OS,” the researcher explained in a post on GitHub.
“The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it’s mostly not audited yet,” he added.
While some agree with Zelenyuk regarding the current state of bug bounty programs, others questioned his decision.
Contacted by SecurityWeek, Oracle declined to comment and instead pointed to its vulnerability disclosure policies.
Until a patch is made available, users can protect themselves against potential attacks by changing the network card on their virtual machines to AMD PCnet or a paravirtualized network adapter. Another mitigation involves avoiding the use of NAT, Zelenyuk said.
The researcher has published a video showing the exploit in action:
VirtualBox E1000 Guest-to-Host Escape from Sergey Zelenyuk on Vimeo.
*Updated with response from Oracle