An attacker could escape the virtual environment of the guest machine and reach the Ring 3 privilege layer, used for running code from most user programs.
PUBLISH DATE: 08-11-2018
The issue is present in a shared code base of the virtualization software, available on all supported operating systems. Exploiting this issue, an attacker can reach the ring 3 privilege layer in virtual box by escaping the virtual environment of the guest machine.
Sergey Zelenyuk, the researcher who found and exposed this vulnerability on the internet with a step-by-step guide to exploit it, found that the security bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, the default setup that allows the guest system to access external networks.
The researcher revealed this vulnerability in a recent write-up:
“The [Intel PRO/1000 MT Desktop (82540EM)] has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv,”.
The researcher has also explained how to trigger the necessary conditions to obtain a buffer overflow to be exploited for escaping confinements of the virtual operating system.
First, an integer underflow condition is caused using packet descriptors – data segments that allow the network adapter to track network packet data in the system memory. This could be leveraged to read data from the guest OS and cause an overflow condition that could lead to overwriting function pointers; or to cause a stack overflow condition.
Later, E1000 will be initialized by the Linux kernel module (LKM) to leak the information where LKM disables E1000 loopback mode to make stack buffer overflow code unreachable.
“Here the LKM uses the integer underflow vulnerability to make the heap buffer overflow. The heap buffer overflow allows for use E1000 EEPROM to write two any bytes relative to a heap buffer in 128 KB range. Hence the attacker gains a write primitive.”
Researcher summarized the process in following words:
VirtualBox 5.2.20 and prior versions are said to be affected.
5.2.20 is the latest version, released on October 16 – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code.
(Ubuntu 16.04 and 18.04 x86-64 guests were used to test this vulnerability, but the researcher believes it also works against windows).
There are no patches available as yet for fixing this vulnerability.
If you think you’re the victim of a cyber-attack, immediately send an email to firstname.lastname@example.org for a quick response.