Independent vulnerability researcher Sergey Zelenyuk has made public a zero-day vulnerability he discovered in VirtualBox, the popular open source virtualization software developed by Oracle.
Sergey Zelenyuk found that the security bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, the default setup that allows the guest system to access external networks.
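As an added defensive check (not code from the article or from Zelenyuk), the following script flags registered VirtualBox VMs that match the affected configuration described above. It assumes the `nicN`/`nictypeN` key names that `VBoxManage showvminfo --machinereadable` prints, and the sample output it runs on offline is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the researcher): inventory check that
# flags VirtualBox VMs whose NIC matches the affected configuration, i.e. the
# Intel PRO/1000 MT Desktop (82540EM) adapter attached in NAT mode.
# Assumes the key names VBoxManage prints with --machinereadable
# (nicN="nat", nictypeN="82540EM").

# Reads `VBoxManage showvminfo <vm> --machinereadable` output on stdin.
# Prints one line per NIC slot that is 82540EM + NAT; exit 0 if any, 1 if none.
flag_e1000_nat() {
  awk -F'=' '
    /^nic[0-9]+=/     { s=$1; sub(/^nic/, "", s);     gsub(/"/, "", $2); mode[s]=$2 }
    /^nictype[0-9]+=/ { s=$1; sub(/^nictype/, "", s); gsub(/"/, "", $2); type[s]=$2 }
    END {
      found=0
      for (s in type)
        if (type[s] == "82540EM" && mode[s] == "nat") {
          print "nic" s ": 82540EM attached in NAT mode"; found=1
        }
      exit found ? 0 : 1
    }'
}

# Constructed sample output for two VMs (not captured from a real host).
SAMPLE_AFFECTED='name="ubuntu-guest"
nic1="nat"
nictype1="82540EM"
nic2="none"'
SAMPLE_SAFE='name="lab-guest"
nic1="nat"
nictype1="virtio"
nic2="none"'

# Walks every registered VM on this host; needs VBoxManage on PATH.
scan_host() {
  command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 2; }
  VBoxManage list vms | sed 's/.*{\(.*\)}/\1/' | while read -r uuid; do
    info=$(VBoxManage showvminfo "$uuid" --machinereadable)
    if hits=$(printf '%s\n' "$info" | flag_e1000_nat); then
      name=$(printf '%s\n' "$info" | sed -n 's/^name="\(.*\)"$/\1/p')
      printf '%s (%s)\n%s\n' "$name" "$uuid" "$hits"
    fi
  done
}

# Demo on the constructed samples: the first is flagged, the second is not.
printf '%s\n' "$SAMPLE_AFFECTED" | flag_e1000_nat || echo "ubuntu-guest: no hit"
printf '%s\n' "$SAMPLE_SAFE" | flag_e1000_nat || echo "lab-guest: not affected"
```

Call `scan_host` on a host with VBoxManage installed to list every VM that is still in the affected NIC configuration.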
Along with the details of the flaw, which allows attackers to escape the virtual machine and gain access to the underlying OS (a so-called guest-to-host escape), Zelenyuk also wrote up the entire exploit chain and released a video demo of the attack.
The exploit Zelenyuk wrote relies on two overflow conditions. Because the escape only yields code execution at Ring 3 (user mode) on the host, a separate privilege escalation is needed to take full control of the host operating system.
This is not impossible, but an attacker would have to chain a second vulnerability that grants elevated privileges on the host.
The steps the researcher describes for exploiting the VirtualBox zero-day are not script-kiddie-friendly; they require advanced technical knowledge.
Buffer overflows are not always stable, and most of the time they end up crashing the target. However, Zelenyuk says that his exploit is “100% reliable,” meaning that “it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account.”
He tested his work on Ubuntu 16.04 and 18.04, both x86 (32-bit) and 64-bit, with the default configuration. Proof of success is the following video, which shows the exploit running in the guest OS and spawning a shell on the host OS.
This is not the researcher’s first vulnerability disclosure in VirtualBox. Earlier this year, he reported another security bug in VirtualBox. It was reported responsibly for version 5.2.10 of the software. For some reason, though, Oracle fixed the problem silently in version 5.2.18 of its hardware virtualization software and did not give credit to the researcher for finding and reporting the vulnerability.
At the beginning of today’s report, Zelenyuk clearly states the reasons that drove him to publicly disclose the full details of the current zero-day before informing the vendor of the issue. Oracle’s past handling of his report seems to have played a part in this.