Zero-Day VirtualBox Vulnerability and Exploit Published

Details of a zero-day VirtualBox vulnerability have been published online together with a step-by-step exploit.

The vulnerability in Oracle's open source hosted hypervisor was published on GitHub by Russian security researcher Sergey Zelenyuk, rather than being disclosed to Oracle so that the bug could be fixed. The decision was influenced by an earlier vulnerability he found in VirtualBox, which was disclosed to Oracle but took the company 15 months to fix.

Zelenyuk said the decision to go public with the vulnerability and exploit was down to frustration with Oracle and with the bug disclosure and bug bounty process: "I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with the contemporary state of infosec, especially of security research and bug bounty," wrote Zelenyuk.

The vulnerability is a chain of bugs that can be exploited to allow malicious code to escape the virtual machine and execute on the host operating system. The exploit triggers a buffer overflow using packet descriptors, which allows malicious code to run in ring 3 on the host, the privilege level used by most user programs. It is possible to chain the exploit with kernel privilege escalation bugs to gain access to ring 0.
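The paragraph above describes a buffer overflow driven by guest-supplied packet descriptors. The following is an added example written for this article; it is not Zelenyuk's exploit and not VirtualBox's device-model code. The descriptor layout, the `FRAME_MAX` bound and all function names are constructed for illustration. It shows one generic way a length check over a descriptor chain can be defeated (a 16-bit accumulator that wraps around) next to the hardened check a host-side device model should use, so the host never copies more guest bytes than its fixed frame buffer holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed descriptor layout for this example (not VirtualBox's):
   the guest supplies a length and a pointer to payload bytes, and the
   host-side device model gathers the chain into one frame buffer. */
typedef struct {
    uint16_t len;          /* guest-controlled payload length */
    const uint8_t *data;   /* payload (simulated guest memory) */
} pkt_desc_t;

#define FRAME_MAX 1518u    /* assumed size of the host's frame buffer */

/* Flawed check: totals descriptor lengths in a 16-bit accumulator.
   Two descriptors whose lengths sum past 65535 wrap to a small value
   and pass the bound even though the real total exceeds FRAME_MAX.
   Returns 1 if the chain is accepted, 0 if rejected. */
int chain_length_ok_flawed(const pkt_desc_t *d, size_t n) {
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + d[i].len);   /* silently wraps */
    return total <= FRAME_MAX;
}

/* Hardened check: accumulate in size_t and test the remaining room
   before adding each descriptor, so no arithmetic can wrap. */
int chain_length_ok(const pkt_desc_t *d, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i].len > FRAME_MAX - total)
            return 0;                           /* would exceed the buffer */
        total += d[i].len;
    }
    return 1;
}

/* Gather a descriptor chain into `frame` (FRAME_MAX bytes) only after the
   hardened check passes. Returns bytes written, or -1 if rejected. */
long assemble_frame(uint8_t *frame, const pkt_desc_t *d, size_t n) {
    if (!chain_length_ok(d, n))
        return -1;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(frame + off, d[i].data, d[i].len);
        off += d[i].len;
    }
    return (long)off;
}

/* Constructed sample: a chain whose 16-bit sum wraps to 464 (< FRAME_MAX)
   while the true total is 66000. Returns 1 when the flawed check wrongly
   accepts it and the hardened check rejects it. */
int demo_wrap_bypass(void) {
    static const uint8_t dummy[1] = {0};
    pkt_desc_t chain[2] = { {65000, dummy}, {1000, dummy} };
    int flawed   = chain_length_ok_flawed(chain, 2);   /* 1: accepted */
    int hardened = chain_length_ok(chain, 2);          /* 0: rejected */
    return flawed == 1 && hardened == 0;
}

/* Constructed sample: a legitimate two-descriptor frame of 7 bytes. */
long demo_assemble(void) {
    static const uint8_t hdr[4]  = {0xAA, 0xBB, 0xCC, 0xDD};
    static const uint8_t body[3] = {1, 2, 3};
    pkt_desc_t chain[2] = { {4, hdr}, {3, body} };
    uint8_t frame[FRAME_MAX];
    return assemble_frame(frame, chain, 2);
}

int main(void) {
    printf("flawed check bypassed, hardened check held: %s\n",
           demo_wrap_bypass() ? "yes" : "no");
    printf("legitimate frame assembled: %ld bytes\n", demo_assemble());
    return 0;
}
```

The design point is that the bound must be enforced against the buffer that is actually written, in arithmetic that cannot wrap, and before each copy rather than once over a guest-supplied total; any device model that trusts a guest-provided length or size field without such a check is exposed to exactly the class of host-side overflow the article describes.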

According to Zelenyuk, the exploit is 100% reliable, works regardless of the host or guest operating system, and affects all VirtualBox releases.

The vulnerability is particularly concerning for malware researchers, as VirtualBox is a popular choice for analyzing and reverse engineering malware in a safe environment. If malware authors were to incorporate the exploit into their malware, it would be possible to escape the VM and infect the security researcher's machine.

It remains to be seen how quickly VirtualBox will be patched. With the vulnerability and exploit now in the public domain, it is possible that Oracle will not wait 15 months to produce a fix.