Skip to main content

Flaw discovered in VirtualBox. Unpatched VirtualBox Zero-Day Vulnerability and Exploit Released Online.

Automated Publishing.


An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox—a popular open source virtualization software developed by Oracle—that could allow a malicious program to escape virtual machine (guest OS) and execute code on the operating system of the host machine.


The vulnerability occurs due to memory corruption issues and affects Intel PRO / 1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation).


The flaw is independent of the type of operating system being used by the virtual and host machines because it resides in a shared code base.


VirtualBox Zero-Day Exploit and Demo Video Released.


Sergey Zelenyuk  published Wednesday a detailed technical explanation of the zero-day flaw on GitHub, which affects all current versions (5.2.20 and prior) of VirtualBox software and is present on the default Virtual Machine (VM) configuration.


According to Zelenyuk, the vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges.


Following successful exploitation, the researcher believes an attacker can also obtain kernel privileges (ring 0) on the host machine by exploiting other vulnerabilities.


"The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring 3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv," Zelenyuk said.




Along with the details of the zero-day vulnerability, Zelenyuk also wrote down the complete exploit chain and released a video demonstration of the attack on Vimeo.


No Security Patch Yet Available, Here's How to Protect Yourself.


The researcher claims his exploit is "100% reliable." Zelenyuk tested his exploit on Ubuntu version 16.04 and 18.04 x86-64 guests, but he believes the exploit also works against the Windows platform.


While the exploit released by the researcher is not simple to execute, full details of how to execute it are provided.


Zelenyuk decided to publicly disclose the zero-day vulnerability and the exploit due to his "disagreement with [the] contemporary state of infosec, especially of security research and bug bounty," which he experienced over a year ago when he responsibly reported another VirtualBox flaw to Oracle.


The researcher also expressed his displeasure with the "delusion of grandeur and marketing bullshit" with the vulnerability release process by "naming vulnerabilities and creating websites for them," and security researchers putting themselves in front of "a thousand conferences in a year."


So, this time the researcher publicly disclosed the flaw, and thus, there is no patch yet available.


However, until it is patched, users can protect themselves against potential cyber attacks by changing the network card of their "virtual machines to PCnet (either of two) or to Paravirtualized Network."


Though the researcher stressed that the above approach is more secure, in case if you are unable to do that, you can change the mode from NAT to another one.


Comments

Post a Comment

Popular posts from this blog

Vurra Constituency MP Adriko Yovan gets six months imprisonment for failing to repay loan.

📸: Hon Adriko Yovan. Story By Andrew Cohen Amvesi. ARUA . Yovan Adriko, the Vurra County Member of Parliament (MP) in Arua district has been committed to six months civil prison for failing to clear debts amounting to shs55,677,400. Adriko was on Thursday evening sent to Arua government prison to serve six months shortly after his arrest at Slumberland hotel in Arua City. MP Adriko warrant of committal judgement debtor to jail. Paul Mawa of T/A Vitality Associates, the court bailiff assigned to arrest the MP, duped him to come and pick some money for a land transaction at Slumberland hotel where he picked him like a baby after a long hunt. Adriko was immediately arraigned before Her Worship Karungi Leo, the Deputy Registrar of Arua High Court who later committed him to imprisonment not exceeding six months. Part of Adriko’s warrant of arrest issued b court Adriko was sent to the coolers for failing to clear shs48m which is the princip
1 comment
Read more

Arrested Arua City Officials Taken to Kampala this Night.

Wednesday 8-November-2023. 📸: The arrest of Arua City Physical Planner Mr Findru Moses on 6-Nov-2023 at around 2pm. 📸: Mr Jobile Cornelius the City Deputy town clerk who was arrested on 7-Nov-2023 at around 4pm. 📸: Mrs Lillian Aleni (in red cloth) and Mr Edoni Benard being handcuffed by police officer on 6-Nov-2023 at around 6pm. The bail that was to be issued last night 8pm 7-Nov-2023 to release the arrested City Deputy town clerk Mr Jobile Cornelius and CFO Mr Sam Adriko over mismanagement of government properties and monies was canceled, and by this time of the night 11pm, highly placed sources leaked that, all the arrested suspects (Mr Findru Moses the Arua City Physical Planner, Mr Jobile Cornelius the Deputy City clerk, Mr Adriko Sam the CFO, Mr Edoni Benard the PDM BOG Chairperson for Pangisa ward and Mrs Lillian Aleni the parish chief for Pangisa ward) are being transported by State House Anti-corruption Unit officers who will soon be reac
Post a Comment
Read more

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nile re
Post a Comment
Read more