Rewterz Threat Advisory – VirtualBox zero-day vulnerability exposed

Thursday, November 8, 2018

An attacker could escape the guest virtual machine and execute code in ring 3 (user mode, the privilege level at which most user programs run) on the host.

IMPACT: CRITICAL

PUBLISH DATE: 08-11-2018

OVERVIEW

The issue lies in code that VirtualBox shares across all supported host operating systems. By exploiting it, an attacker can escape the guest virtual machine and reach ring 3 (user mode) on the host running VirtualBox.

ANALYSIS

Sergey Zelenyuk, the researcher who found the vulnerability and published it on the internet together with a step-by-step exploitation guide, reports that the bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, the default setup that lets the guest system reach external networks.

The researcher revealed this vulnerability in a recent write-up:

“The [Intel PRO/1000 MT Desktop (82540EM)] has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.”

The researcher also explains how to trigger the conditions needed for a buffer overflow that can then be exploited to escape the confines of the guest operating system.

First, an integer underflow is triggered through packet descriptors (the data structures the network adapter uses to track packet data in system memory). The underflow can be leveraged to read data from the guest OS and cause an overflow that overwrites function pointers, or to cause a stack overflow.

Next, a Linux kernel module (LKM) loaded in the guest initializes the E1000 device to leak information; the LKM disables E1000 loopback mode so that the stack buffer overflow code path becomes unreachable.

The researcher summarized the process in the following words:

“Here the LKM uses the integer underflow vulnerability to make the heap buffer overflow. The heap buffer overflow allows for use of the E1000 EEPROM to write any two bytes relative to a heap buffer in a 128 KB range. Hence the attacker gains a write primitive.”

AFFECTED PRODUCTS

VirtualBox 5.2.20 and prior versions are said to be affected.

Version 5.2.20 is the latest release (published on October 16), and the vulnerability can be exploited on any host or guest operating system because the underlying bugs are in shared code.

(The researcher tested the vulnerability on Ubuntu 16.04 and 18.04 x86-64 guests, but believes it also works against Windows.)

MITIGATION

No patch is available yet for this vulnerability.
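Until a fix ships, the practical first step is to find which virtual machines match the precondition the advisory names: an Intel PRO/1000 MT Desktop (82540EM) adapter attached in NAT mode. The script below is an added triage check for this advisory; it is not the researcher's code and not part of VirtualBox. It assumes the `nicN` and `nictypeN` keys that `VBoxManage showvminfo "<vm>" --machinereadable` prints (for example `nic1="nat"` and `nictype1="82540EM"`), and the `SAMPLE_*` strings are constructed stand-ins for that output so the check runs without a VirtualBox installation.

```shell
#!/bin/sh
# Added example for this advisory (not the researcher's code, not VirtualBox code).
# Flags VMs whose adapter configuration matches the advisory's precondition:
# an 82540EM adapter in NAT mode. Parses the key="value" lines printed by
#   VBoxManage showvminfo "<vm>" --machinereadable
# (assumed keys: nicN = attachment mode, nictypeN = adapter model).

# flag_e1000_nat TEXT
#   TEXT is showvminfo --machinereadable output for one VM.
#   Prints each adapter slot (nic1, nic2, ...) that is 82540EM in NAT mode.
#   Returns 0 if at least one slot matched, 1 otherwise.
flag_e1000_nat() {
    printf '%s\n' "$1" | awk -F'=' '
        /^nictype[0-9]+=/ { n = substr($1, 8); gsub(/"/, "", $2); type[n] = $2 }
        /^nic[0-9]+=/     { n = substr($1, 4); gsub(/"/, "", $2); mode[n] = $2 }
        END {
            found = 0
            for (n = 1; n <= 8; n++)        # VirtualBox exposes up to 8 adapters per VM
                if (type[n] == "82540EM" && mode[n] == "nat") {
                    print "nic" n
                    found = 1
                }
            exit (found ? 0 : 1)
        }'
}

# scan_all_vms
#   Runs the check against every VM registered on this host; requires VBoxManage.
scan_all_vms() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 2; }
    # `VBoxManage list vms` prints lines of the form "name" {uuid}; keep only the name.
    VBoxManage list vms | sed 's/^"\(.*\)" {[^}]*}$/\1/' | while IFS= read -r vm; do
        info=$(VBoxManage showvminfo "$vm" --machinereadable)
        if slots=$(flag_e1000_nat "$info"); then
            echo "$vm: $(printf '%s' "$slots" | tr '\n' ' ')"
        fi
    done
}

# Constructed sample output (not captured from a real host).
# SAMPLE_VULN matches the advisory's configuration on nic1.
SAMPLE_VULN='name="ubuntu-guest"
nic1="nat"
nictype1="82540EM"
nic2="none"
nic3="none"'

# SAMPLE_OK has an 82540EM adapter, but only on a host-only network, and a
# virtio adapter on NAT, so neither slot matches both conditions.
SAMPLE_OK='name="other-guest"
nic1="nat"
nictype1="virtio"
nic2="hostonly"
nictype2="82540EM"
nic3="none"'

# Usage: sh e1000_nat_check.sh --scan   (checks the VMs registered on this host)
#        sh e1000_nat_check.sh          (runs the check on the constructed samples)
if [ "${1:-}" = "--scan" ]; then
    scan_all_vms
else
    echo "ubuntu-guest: $(flag_e1000_nat "$SAMPLE_VULN" || echo 'no match')"
    echo "other-guest:  $(flag_e1000_nat "$SAMPLE_OK" || echo 'no match')"
fi
```

A flagged VM matches the configuration the advisory identifies, so it is the one to prioritise while no patch exists; the adapter model of slot N is the `--nictypeN` setting of `VBoxManage modifyvm`. The advisory does not state that other adapter models or attachment modes are unaffected, so the check is for triage, not proof that an unflagged VM is safe.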

If you think you’re the victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.
