A zero-day vulnerability in VirtualBox was publicly disclosed by an independent vulnerability researcher and exploit developer Sergey Zelenyuk. VirtualBox is a famous open sourced virtualization software which has been developed by Oracle. This recently discovered vulnerability can allow a malicious program to escape virtual machine and then execute code on OS of the host machine.
This vulnerability tends to occur because of memory corruption issues and impacts Intel PRO/1000 MT Desktop network card (E1000) when the NAT (Network Address Translation) is the set network mode.
The issue tends to be independent of the OS type that is being used by the host and virtual machines since it resides in a shared code base.
According to technical explanation of this vulnerability described on GitHub, the vulnerability affects all the current versions of VirtualBox and is present on Virtual Machine (VM) default configuration. The vulnerability allows a malicious program or an attacker with administrator rights or root in the guest OS to execute and escape arbitrary code in the application layer of the host operating system. It is used for running code from majority of the user programs with the least of privileges. Zelenyuk said, “The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring 3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.” A video demonstration of the attack on Vimeo has also been released.
There is no security patch yet available for this vulnerability. According to Zelenyuk, his exploit is completely reliable which he concluded after testing it on Ubuntu version 16.04 and 18.04×86-46 guests. However, he also thinks that this exploit works against Windows platform as well.
Even though the exploit provided by him is quite difficult to execute, the following explanation provided by him can help those who may want to make it work:
“The exploit is Linux kernel module (LKM) to load in a guest OS. The Windows case would require a driver differing from the LKM just by an initialization wrapper and kernel API calls.
Elevated privileges are required to load a driver in both OSs. It’s common and isn’t considered an insurmountable obstacle. Look at Pwn2Own contest where researcher use exploit chains: a browser opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0 from where there are anything you need to attack a hypervisor from the guest OS. The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it’s mostly not audited yet.
The exploit is 100% reliable. It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.”
Zelenyuk decided to go public with this latest discovery of vulnerability because he was in “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty,” that he faced last year when he had responsibly reported a flaw in VirtualBox to Oracle. He also expressed his displeasure with the way the vulnerability release process is marketed and the way they are highlighted by security researchers in conferences every year.
Even though there is yet no security patch available for this vulnerability, the users can protect themselves against it by changing their network card from virtual machines to either Paravirtualized Network or PCnet.