VirtualBox zero-day flaw released on Github; working exploit available but no patch

An independent researcher has turned a bit rogue, disclosing a zero-day vulnerability in the popular VirtualBox virtualization software while expressing deep disagreement with the state of security research, and bug bounty standards in particular.

In a meticulously crafted post on Github, Sergey Zelenyuk uses a default VirtualBox configuration to demonstrate a previously-unknown vulnerability caused by memory corruption in VirtualBox's emulation of the Intel PRO/1000 MT Desktop (82540EM) network adapter (E1000) when the network mode is set to NAT (Network Address Translation).

“The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv,” Zelenyuk explains.

Ring 0 refers to the kernel of the host machine, to which the malicious program would essentially “escape” from the guest in order to execute arbitrary code. The exploit is replicable on Windows too, albeit with a few configuration exceptions. The flaw affects all current versions of VirtualBox (up to 5.2.20).

Zelenyuk not only wrote out a complete guide on how to replicate the attack, he even posted a demonstration video of him exploiting the flaw.

VirtualBox E1000 Guest-to-Host Escape from Sergey Zelenyuk on Vimeo.

In spite of the unethical nature of his disclosure, Zelenyuk is thoughtful enough to include a fix with his post.

“Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure,” he writes.
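The workaround quoted above can be checked and applied from the host with VirtualBox's own command-line tool. The script below is an added example, not part of the article or of Zelenyuk's post: it parses the `--machinereadable` output of `VBoxManage showvminfo` to find adapters that match the exposed configuration (E1000 type in NAT mode) and prints the `VBoxManage modifyvm` command that switches such an adapter to the Paravirtualized Network (virtio) type. The article names only the 82540EM variant; the script also treats VirtualBox's other two E1000 adapter types (82543GC, 82545EM), which are backed by the same emulated device, as exposed, and that widening is this example's assumption. The `vbox_audit_all` driver assumes `VBoxManage` is on the PATH; the sample configuration in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Zelenyuk's post): audit VirtualBox VMs
# for an E1000 adapter in NAT mode and print the adapter-type change the post suggests.

# Reads `VBoxManage showvminfo <vm> --machinereadable` output on stdin and prints one
# line per exposed adapter as "<slot> <nictype>". Exit status 0 if any adapter is
# exposed, 1 otherwise. Lines of interest look like: nic1="nat" / nictype1="82540EM".
vbox_exposed_nics() {
  awk -F'=' '
    /^nic[0-9]+=/     { s = substr($1, 4); mode[s] = $2; gsub(/"/, "", mode[s]) }
    /^nictype[0-9]+=/ { s = substr($1, 8); type[s] = $2; gsub(/"/, "", type[s]) }
    END {
      found = 0
      # Walk slots in order so output is deterministic (VirtualBox allows up to 36 NICs).
      for (s = 1; s <= 36; s++) {
        if (!(s in mode) || mode[s] != "nat") continue
        # 82540EM is the variant named in the article; 82543GC and 82545EM are the other
        # VirtualBox E1000 types sharing the same emulated device (assumption: treat alike).
        if (type[s] == "82540EM" || type[s] == "82543GC" || type[s] == "82545EM") {
          print s, type[s]
          found = 1
        }
      }
      exit found ? 0 : 1
    }'
}

# Prints the command implementing the quoted workaround for one adapter slot:
# switch it to the Paravirtualized Network (virtio) adapter type.
# $1 = VM name, $2 = adapter slot number.
vbox_remediation_cmd() {
  printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$1" "$2"
}

# Walks every VM registered on this host. Requires VBoxManage (assumed on PATH);
# it only reports and prints the suggested command, it does not modify any VM.
vbox_audit_all() {
  command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 2; }
  # `VBoxManage list vms` prints lines like: "kali" {uuid}
  VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r vm; do
    VBoxManage showvminfo "$vm" --machinereadable | vbox_exposed_nics |
    while read -r slot type; do
      printf '%s: adapter %s (%s) in NAT mode is exposed; suggested fix: ' "$vm" "$slot" "$type"
      vbox_remediation_cmd "$vm" "$slot"
    done
  done
}

# Usage on a real host:  sh audit_e1000.sh --audit
if [ "${1:-}" = "--audit" ]; then
  vbox_audit_all
fi
```

Only the first function needs VirtualBox's output format; it can be exercised on a saved `showvminfo` dump. Changing the adapter type takes effect on the next VM start, so after applying the printed command the VM must be powered off and restarted for the workaround to apply.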

As for his reasons for disclosing a zero-day publicly before Oracle gets a chance to patch the bug, the researcher expressed dissatisfaction with the infosec community – in particular, the rules enforced by contemporary bug bounty programs. While some may resonate with Zelenyuk’s arguments, publishing a zero-day openly for the whole Internet before the vendor can release a patch is nonetheless considered irresponsible disclosure. However, in cases where the vendor has been notified of the flaw months in advance and has failed to deliver (for one reason or another), such disclosures can get the ball rolling sooner rather than later. Hopefully Oracle delivers a patch before bad actors exploit the bug, now that a working exploit is available. But the fact that there is now a window of opportunity for attackers is still an issue.
