Sergej Zeleniuk has posted a security vulnerability for VirtualBox VirtualBox and Oracle has been very frustrated with the process of handling bugs and reporting and disclosing security loopholes. Manufacturer Oracle does not provide patches, so it is a zero day gap. In the so-called Disclosure and the various bug bounty programs of large IT companies, this is somewhat unusual. But Zeleniuk justifies the approach to bad experience that was created earlier in this process.
He liked VirtualBox and noted that hackers in St. Petersburg climbed to the zero-day gap. He interrupts him. "Current state of Infosec"Although Zeleniuk does not explicitly state the person responsible, he explicitly mentions Oracle, the manufacturer of Virtualbox. Obviously, it's okay to spend a year and a half to patch security holes. Zeleniuk is critical.
He also treats buggy speculation as transparent and volatile. One day, manufacturers are interested in what they lack in their software. When a hacker finds this, the manufacturer suddenly does not care anymore. It will also take a long time for the software manufacturer to determine the difference and decide whether to purchase the information. Finally, security researchers stay in the dark to see what price gap they can achieve.
His complete disclosure of the niche is seen by Zeleniuk as a reaction to a poor IT security situation. It is not the first time Zeleniuk found a hole in his Virtualbox. The hacker discovered another guest-to-host gap this year on VirtualBox's VRDP server. The published gap is probably a response to the Oracle experience.
Guest outbreak possible
The hole itself affects all OS host systems and VirtualBox guests, and allows guest exits on the host system. The default network card contains a short E1000 with NAT mode corresponding to the transfer descriptor of the Intel PRO / 1000 MT desktop (82540EM). To take advantage of this gap, the user must load a malformed kernel module for the virtual network card in the guest OS. Fortunately, this problem can be prevented very easily. According to Zeleniuk, this workaround is to change the virtual network card or to avoid NAT mode.
The packet size of the data descriptor should be smaller than the maximum packet size of the so-called context descriptor. The latter usually arrives first on the network card. In order for the network card to receive descriptors, the guest system writes to a so-called TX ring, which is a ring buffer with a fixed address in main memory. When all descriptors have been collected there, the guest system updates the transmit descriptor tail TDT register and instructs the host to take care of the new descriptor.
Here is a tricky part that the Github page explains in detail. Simplified Simplification: Certain combinations of data and context descriptors with preset data lengths can be accessed through code in the file "Src / of VBOX / Devices / Network / DevE1000.cp" Generates an integer underflow. Doing so may exceed certain limits on buffer size. This in turn can be exploited in buffer overflows for the heap and stack, and ultimately can be used for guest outbreaks.
As mentioned earlier, Oracle does not have to provide a patch for Virtualbox. Affected administrators must implement this quickly.