
VirtualBox zero-day flaw released on Github; working exploit available but no patch

Filip TRUȚĂ

November 08, 2018


An independent researcher has turned a bit rogue, disclosing a zero-day vulnerability in the popular VirtualBox virtualization software while expressing deep disagreement with the state of security research, and bug bounty standards in particular.

In a meticulously crafted post on Github, Sergey Zelenyuk uses a default VirtualBox configuration to demonstrate a previously unknown vulnerability: memory corruption in VirtualBox's emulation of the Intel PRO/1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation).

“The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv,” Zelenyuk explains.

Ring 0 refers to the host machine, where the malicious program would essentially “escape” to execute arbitrary code. The exploit is replicable on Windows too, albeit with a few configuration exceptions. The flaw affects all current versions of VirtualBox (up to 5.2.20).

Zelenyuk not only wrote out a complete guide on how to replicate the attack, he even posted a demonstration video of him exploiting the flaw.

(Video: "VirtualBox E1000 Guest-to-Host Escape", by Sergey Zelenyuk, on Vimeo.)

In spite of the unethical nature of his disclosure, Zelenyuk is thoughtful enough to include a fix with his post.

“Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure,” he writes.
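A defender-side audit of the workaround quoted above, added here as an example that is not part of the original article or of Zelenyuk's post: it parses `VBoxManage showvminfo --machinereadable` output to find NAT-attached E1000 adapters and prints the `VBoxManage modifyvm ... --nictype<N> virtio` command that switches each affected slot to the Paravirtualized Network adapter. It assumes VBoxManage is on PATH when run against live VMs; the parsing function itself works on saved output.

```shell
#!/bin/sh
# Added example (not from the article or from the researcher's post): find VirtualBox VMs
# that combine an E1000 adapter with NAT mode and suggest the workaround command.
# Assumes VBoxManage 5.x on PATH for the live audit; vulnerable_nics needs only stdin.

# Intel PRO/1000 adapter types as VBoxManage reports them in nictypeN="..."
E1000_TYPES="82540EM 82543GC 82545EM"

# vulnerable_nics <vm-name>: reads "showvminfo --machinereadable" text on stdin and
# prints "<vm> <slot> <type>" for every slot that is attached to NAT and uses E1000.
vulnerable_nics() {
    vm=$1
    # Lines of interest look like: nic1="nat" and nictype1="82540EM"
    awk -F'=' -v vm="$vm" -v types="$E1000_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) e1000[t[i]] = 1 }
        /^nic[0-9]+=/     { slot = substr($1, 4); gsub(/"/, "", $2); mode[slot] = $2 }
        /^nictype[0-9]+=/ { slot = substr($1, 8); gsub(/"/, "", $2); type[slot] = $2 }
        END {
            for (s in mode)
                if (mode[s] == "nat" && (type[s] in e1000))
                    printf "%s %s %s\n", vm, s, type[s]
        }'
}

# remediation_cmd <vm> <slot>: command that switches the slot to the virtio adapter
# (shown in the GUI as "Paravirtualized Network (virtio-net)").
remediation_cmd() {
    printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$1" "$2"
}

# audit_all: walk every registered VM, report vulnerable slots and the fix for each.
audit_all() {
    VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r vm; do
        VBoxManage showvminfo "$vm" --machinereadable | vulnerable_nics "$vm" |
        while read -r name slot type; do
            echo "VULNERABLE: $name slot $slot uses $type on NAT"
            echo "  fix: $(remediation_cmd "$name" "$slot")"
        done
    done
}

# Only run the live audit when VBoxManage is actually installed.
if command -v VBoxManage >/dev/null 2>&1; then
    audit_all
fi
```

The script only prints the remediation; apply it with the VM powered off, and prefer switching the adapter over leaving E1000 on a non-NAT mode, as the researcher notes.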

As for his reasons for disclosing a zero-day publicly before Oracle gets a chance to patch the bug, the researcher expressed dissatisfaction with the infosec community – in particular, the rules enforced by contemporary bug bounty programs. While some may resonate with Zelenyuk's arguments, publishing a zero-day openly for the whole Internet before the vendor can release a patch is nonetheless considered irresponsible disclosure. However, in cases where the vendor has been notified of the flaw months in advance and has failed to deliver (for one reason or another), such disclosures can get the ball rolling sooner rather than later. Hopefully Oracle delivers before bad actors exploit the bug, now that a working exploit is available. But the fact that there is now a window of opportunity for hackers is still an issue.
