Zero-Day VirtualBox Vulnerability and Exploit Published

Particulars of a zero-day VirtualBox vulnerability have been published online together with a step by step activity.

The vulnerability in the Oracle open source hosted hypervisor was published on GitHub by Russian safety scientist, Sergey Zelenyuk, instead of being disclosed to Oracle to permit the bug to be repaired. The decision was affected by an earlier vulnerability that he found in VirtualBox that was disclosed to Oracle but took the company 15 months to repair.

Zelenyuk described the decision to go public with the vulnerability and exploit was because of frustration with Oracle and the bug revelation and bug bounty procedure – “I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The purpose is my disagreement with current state of infosec, particularly of safety research and bug bounty,” wrote Zelenyuk.

The vulnerability is a series of bugs that can be abused to allow malevolent code to dodge the virtual machine and perform on the original operating system. The exploit activates a buffer surplus situation using packet descriptors which allow malevolent code to be run in kernel ring 3, which is used for most user programs. It is possible to merge the exploit with kernel privilege growth bugs to gain access to kernel ring 0.

As per Zelenyuk, the exploit is 100% dependable and works irrespective of the host or original operating system and affects all VirtualBox releases.

The vulnerability is specifically disturbing for malware scientists as VirtualBox is a popular selection for studying and reverse engineering malware in a secure atmosphere. If malware authors were to insert the exploit into their malware, it would be possible to flee the VM and infect the safety researcher’s machine.

It remains to be seen how swiftly VirtualBox will be repaired. With the vulnerability and abuse now in the public domain, it is possible that Oracle will not wait 15 months to create a repair.