Independent vulnerability researcher Sergey Zelenyuk has made public a zero-day vulnerability he discovered in VirtualBox, the popular open source virtualization software developed by Oracle.
About the vulnerability
The vulnerability affects VirtualBox 5.2.20 and earlier, and is present on the default VM configuration. “The only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT,” Zelenyuk says.
Along with the details about the flaw, which allows attackers to escape the virtual machine and gain access to the underlying OS (a so-called Guest-to-Host escape), Zelenyuk also wrote down the entire exploit chain and released a video demo of the attack.
He claims that the exploit is “100% reliable.”
“It either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.”
This exploit only lets attackers escape the virtual environment; to gain kernel-level (aka “ring 0”) access they would also need to exploit a separate privilege escalation vulnerability.
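A defender-side check for the configuration described above, added here as an example and not part of the article or of Zelenyuk's writeup: it parses `VBoxManage showvminfo --machinereadable` output and flags VMs that combine NAT mode with the 82540EM adapter on a VirtualBox build of 5.2.20 or earlier, across every NIC slot rather than only the first. The `nicN`/`nictypeN` key names and the `5.2.20rNNNNNN` version format are assumed from VBoxManage's own output, and the sample output is constructed.

```python
import re, shutil, subprocess

VULNERABLE_NIC_TYPE = "82540EM"   # Intel PRO/1000 MT Desktop, as named in the disclosure
LAST_AFFECTED = (5, 2, 20)        # "5.2.20 and earlier"

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable`, trimmed to
# the keys this check reads (VirtualBox's default NIC is 82540EM in NAT mode).
SAMPLE_SHOWVMINFO = '''name="ubuntu-18.04-test"
nic1="nat"
nictype1="82540EM"
'''

def parse_version(version_string):
    """'5.2.20r125813' -> (5, 2, 20); the trailing rNNNN build revision is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError("unrecognised VirtualBox version: %r" % version_string)
    return tuple(int(x) for x in m.groups())

def parse_machinereadable(text):
    info = {}  # key="value" lines -> dict with the quotes stripped
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info

def exposed_nics(info):
    """NIC slots that are both in NAT mode and use the 82540EM chipset."""
    hits = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if m and mode == "nat" and info.get("nictype" + m.group(1)) == VULNERABLE_NIC_TYPE:
            hits.append(int(m.group(1)))
    return sorted(hits)

def is_exposed(version_string, showvminfo_text):
    """True when both the build and the VM's NIC setup match the disclosure."""
    return (parse_version(version_string) <= LAST_AFFECTED
            and bool(exposed_nics(parse_machinereadable(showvminfo_text))))

def scan_host():
    # Apply the check to every registered VM on this host; [] if VBoxManage is absent.
    vbm = shutil.which("VBoxManage")
    if not vbm: return []
    run = lambda *a: subprocess.run([vbm, *a], capture_output=True, text=True, check=True).stdout
    version, exposed = run("--version"), []
    for name, uuid in re.findall(r'"(.*)" \{([0-9a-f-]+)\}', run("list", "vms")):
        if is_exposed(version, run("showvminfo", uuid, "--machinereadable")):
            exposed.append(name)
    return exposed
```

`scan_host()` shells out to VBoxManage, so it only finds something on a host that has VirtualBox installed; the parsing functions work on captured output alone.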
Why not go the responsible disclosure route?
Zelenyuk responsibly disclosed another VirtualBox vulnerability to Oracle (via the SecuriTeam Secure Disclosure program) over a year ago, but Oracle apparently took a very long time to fix it and ultimately failed to credit him for the discovery.
He says he released this latest VirtualBox zero-day publicly out of dissatisfaction with how long companies take to plug reported security holes, and because many bug bounty programs make it hard for bug hunters to know whether their vulnerability reports will be accepted and what reward they will receive.
He also expressed his displeasure with the “delusion of grandeur and marketing bullshit” accompanying the vulnerability release process.