Details of a zero-day VirtualBox vulnerability have been published online along with a step-by-step exploit.
The vulnerability in Oracle's open-source hosted hypervisor was published on GitHub by Russian security researcher Sergey Zelenyuk rather than being disclosed to Oracle so that the bug could be fixed first. The decision was influenced by a previous vulnerability he had found in VirtualBox, which was disclosed to Oracle but took the firm 15 months to fix.
Zelenyuk explained the decision to go public with the vulnerability and exploit was due to frustration with Oracle and the bug disclosure and bug bounty process – “I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty,” wrote Zelenyuk.
The vulnerability is a series of bugs that can be chained to allow malicious code to escape the virtual machine and execute on the underlying host operating system. The exploit triggers a buffer overflow condition using packet descriptors, which allows malicious code to run on the host in ring 3, the unprivileged user mode in which most user programs execute. It is possible to combine the exploit with kernel privilege-escalation bugs to gain access to ring 0, the kernel mode.
According to Zelenyuk, the exploit is 100% reliable and works regardless of the host or underlying operating system and affects all VirtualBox releases.
The vulnerability is particularly worrying for malware researchers, as VirtualBox is a popular choice for analyzing and reverse engineering malware in an isolated environment. If malware authors were to embed the exploit into their malware, it would be possible to escape the VM and infect the security researcher's host machine.
It remains to be seen how quickly VirtualBox will be patched. With the vulnerability and exploit now in the public domain, it is probable that Oracle will not wait 15 months to develop a patch.