An independent researcher who was disgruntled with traditional bug bounty methods took it upon himself to leak the details of an exploit in Oracle’s VirtualBox without first informing Oracle.
Sergey Zelenyuk discovered a flaw that would allow him to escape from the virtual environment of the guest machine and reach ring 3 on the host, the privilege layer used for running code from most user programs with the least privileges.
The vulnerability exists in VirtualBox 5.2.20 and prior versions.
The bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode.
“The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3,” Zelenyuk wrote in a technical write-up posted to his GitHub account. “Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.”
Zelenyuk said he likes VirtualBox and that he publicly posted the exploit in part because vendors take too long to patch their products, because of inconsistencies concerning which types of bugs will be compensated, and because of unclear pricing on how much researchers will be paid for their research. Oracle has yet to release an update for the flaw.
After setting up the necessary conditions, Zelenyuk is able to trigger an integer overflow and later a buffer overflow that could be abused to escape the confines of the virtual operating system.
Zelenyuk described the exploit as “100% reliable,” adding that “it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account.”
Craig Young, computer security researcher at Tripwire, said the vulnerability is in the implementation of a virtual Intel E1000 compatible network adapter.
“The write-up demonstrates how an attacker with permissions to load Linux kernel modules in a VirtualBox guest environment can achieve low-privileged code execution on the host OS which can then be elevated to gain administrative access to the host,” Young said. “Anyone using VirtualBox for accessing untrusted content (malware analysts for example) should immediately review their machine profiles and at least temporarily discontinue use of the E1000 device in favor of the PCNET adapter.”
Young added that users should avoid running any less than trustworthy applications in any VirtualBox environment with E1000 enabled until Oracle is able to release a fix.
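The profile review Young recommends can be scripted. The following is an added example, not code from the article or from Zelenyuk's write-up: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports which adapter slots use the 82540EM device, and which of those are in NAT mode. It assumes the `nicN` / `nictypeN` key names of that output; the sample text is constructed.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''name="malware-lab"
nic1="nat"
nictype1="82540EM"
nic2="hostonly"
nictype2="82540EM"
nic3="nat"
nictype3="Am79C973"
nic4="none"
'''

# Matches lines such as nic1="nat" or nictype1="82540EM" (assumed key names).
_NIC_LINE = re.compile(r'^(nic|nictype)(\d+)="([^"]*)"$')


def parse_nics(text):
    """Return {slot: {"mode": ..., "type": ...}} for every adapter slot listed."""
    nics = {}
    for line in text.splitlines():
        match = _NIC_LINE.match(line.strip())
        if match:
            key, slot, value = match.groups()
            field = "mode" if key == "nic" else "type"
            nics.setdefault(int(slot), {})[field] = value
    return nics


def e1000_slots(text):
    """Slots using the 82540EM device, the adapter Young advises discontinuing."""
    return sorted(slot for slot, nic in parse_nics(text).items()
                  if nic.get("type", "").upper() == "82540EM"
                  and nic.get("mode", "none").lower() != "none")


def exposed_slots(text):
    """Slots matching the configuration the article names: 82540EM in NAT mode."""
    nics = parse_nics(text)
    return [slot for slot in e1000_slots(text)
            if nics[slot].get("mode", "").lower() == "nat"]


if __name__ == "__main__":
    print("82540EM adapters in slots:", e1000_slots(SAMPLE))
    print("82540EM + NAT (configuration named in the article):", exposed_slots(SAMPLE))
```

For a flagged slot, `VBoxManage modifyvm <vm> --nictype1 Am79C973` selects a PCnet adapter for slot 1 while the VM is powered off.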