We don' need no stinkin' bounties: VirtualBox guest-to-host escape zero-day lands at GitHub
Bug hunter rages at wearisome disclosure process
An infosec researcher has expressed his frustration with disclosure processes by going public with a zero-day in VirtualBox, Oracle's open-source hypervisor.
The vulnerability was published at GitHub by "MorteNoir1" accompanied by a demonstration video on Vimeo posted by Sergey Zelenyuk.
In the GitHub post, MorteNoir1 expressed frustration with bug disclosure processes, which impose delays ("half a year is fine"), subject researchers to the indignities of bounty processes (which flip between interested and not interested), the "marketing bullshit" of "naming vulnerabilities and creating websites for them", and researchers putting themselves in front of "a thousand conferences in a year".
The flaw affects VirtualBox up to 5.2.20 on any guest or host operating system – the bug is "in a shared code base" – and "the only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT".
Until it is patched, he wrote, admins can change the VM's network card to PCnet or to a paravirtualized network adapter, or move the adapter off NAT mode, although "the former way is more secure".
If the attacker has root/admin in the guest, they can "escape to a host ring 3", after which existing attack techniques let them "escalate privileges to ring 0 via /dev/vboxdrv".
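The interim mitigation above amounts to a configuration audit: find every adapter that is both attached via NAT and emulating the Intel PRO/1000 MT Desktop (82540EM), then switch it to another NIC type. The script below is an added example, not code from the article or from the VirtualBox project. It assumes the key=value layout of `VBoxManage showvminfo <vm> --machinereadable` (keys `nicN` and `nictypeN`) and the `VBoxManage modifyvm --nictypeN` switch; the VM name `lab-sandbox` and the sample output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or from VirtualBox): audit a VM's
# adapters for the configuration the advisory calls out, an 82540EM NIC
# in NAT mode, using the output of `VBoxManage showvminfo --machinereadable`.

# Read machinereadable output on stdin; print "nicN 82540EM nat" for every
# adapter that matches both conditions, sorted by adapter name.
audit_vbox_nics() {
    awk -F= '
        /^nic[0-9]+=/     { n = substr($1, 4); mode[n] = $2 }
        /^nictype[0-9]+=/ { n = substr($1, 8); type[n] = $2 }
        END {
            for (n in mode) {
                m = mode[n]; t = type[n]
                gsub(/"/, "", m); gsub(/"/, "", t)
                if (m == "nat" && t == "82540EM")
                    printf "nic%s %s %s\n", n, t, m
            }
        }' | sort
}

# Given a VM name in $1 and audit lines on stdin, print the VBoxManage
# command that swaps each flagged adapter to the paravirtualized (virtio)
# NIC, the option the advisory prefers over leaving NAT. The commands are
# printed rather than executed so an operator can review them first.
vbox_fix_cmds() {
    vm=$1
    while read -r nic _type _mode; do
        idx=${nic#nic}
        printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$vm" "$idx"
    done
}

# Constructed sample shaped like showvminfo --machinereadable output:
# nic1 is the vulnerable combination (82540EM on NAT), nic2 is 82540EM but
# bridged, nic3 is virtio on NAT, nic4 is disabled.
SAMPLE_VMINFO='name="lab-sandbox"
nic1="nat"
nictype1="82540EM"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

# Run the audit on the sample and return the remediation commands it yields.
demo() {
    printf '%s\n' "$SAMPLE_VMINFO" | audit_vbox_nics | vbox_fix_cmds "lab-sandbox"
}
```

Against a live host the same pipeline is `VBoxManage showvminfo "$vm" --machinereadable | audit_vbox_nics | vbox_fix_cmds "$vm"`, looped over the names from `VBoxManage list vms`. Only the adapter that is both 82540EM and NAT is flagged, matching the advisory's two-part requirement; changing the NIC type is preferred because it removes the affected emulation code from the guest's reach regardless of attachment mode.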
Seeing as some security researchers run malware in VirtualBox guests to prod at them, it is possible a future software nasty could attempt to exploit the above bug to escape from the hypervisor and into the host lab.
"We turned an integer underflow to a classical stack buffer overflow," the advisory stated. That occurs in the VirtualBox networking code and can be exploited either by reading data from the guest into a heap buffer, leading to a "function pointers overwrite", or abusing a function that allocates an attacker-addressable buffer. ®