VirtualBox has always been one of the most popular virtualization software on the market. It’s free, open-source and available on all the platforms. VirtualBox is currently developed and maintained by Oracle.
Recently, a Russian vulnerability researcher and exploit dev published detailed info about a zero-day vulnerability in VirtualBox. His explanation includes a step-by-step guide on exploiting the bug. The bug is present on the software itself, allowing all the platforms to be vulnerable.
Using the bug, an attacker would easily escape the virtual environment and reach the Ring 3 privilege layer – a layer for running code from most user programs with the least privileges.
How the vulnerability works
According to Sergey Zelenyuk who identified the bug, shows details on how the bug can be leveraged on virtual machines configured with the “Intel PRO/1000 MT Desktop (82540EM)” network adapter in NAT mode. It’s the default setup of all the guest systems for accessing external networks.
According to a technical write-up by Zelenyuk, the network adapter is vulnerable that allows an attacker with root/admin privilege to escape to the host Ring 3. Then, using existing techniques, the attacker can escalate privileges to Ring 0 via /dev/vboxdrv.
The researcher describes the mechanics in detail, showing how to create the necessary conditions for obtaining a buffer overflow to abuse and escape the virtual confinement.
The exploit Zelenyuk wrote relies on the 2 conditions. Although not impossible, an attacker has to chain another vulnerability for granting them increased privilege on the host system.
Here’s a demo he showed.