STE WILLIAMS

An infosec researcher has expressed his frustration with disclosure processes by going public with a zero-day in VirtualBox, Oracle’s open-source hypervisor.

The vulnerability was published at GitHub by “MorteNoir1” accompanied by a demonstration video on Vimeo posted by Sergey Zelenyuk.

In the GitHub post, MorteNoir1 expressed frustration with bug disclosure processes, which impose delays (“half a year is fine”), subject researchers to the indignities of bounty processes (which flip between interested and not interested), the “marketing bullshit” of “naming vulnerabilities and creating websites for them”, and researchers putting themselves in front of “a thousand conferences in a year”.

The flaw affects VirtualBox up to 5.2.20 on any guest or host operating system – the bug is “in a shared code base” – and “the only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT”.

Until it is patched, he wrote, admins can change either the network card or the VM to PCnet or to paravirtualized network; or move off NAT mode, although “the former way is more secure”.

If the attacker has root/admin as a guest, they can “escape to a host ring 3”, after which existing attack techniques let them “escalate privileges to ring 0 via /dev/vboxdrv”.

“We turned an integer underflow to a classical stack buffer overflow,” the post said. That occurs in the VirtualBox networking code and can be exploited either by reading data from the guest into a heap buffer, leading to a “function pointers overwrite”, or abusing a function that allocates an attacker-addressable buffer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/07/virtualbox_0day_github/