Privilege escalation in Oracle Virtualbox



Published: 2018-11-07
Risk: Low
Patch available: NO
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-121, CWE-122, CWE-191
Exploitation vector: Local network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: Oracle VM VirtualBox (Server applications / Virtualization software)

Vendor: Oracle

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege escalation

EUVDB-ID: #VU15740

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to gain elevated privileges on the target system.

The weakness exists in the shared code base of the virtualization software for virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, which is the default setup, and may lead to multiple boundary errors. An adjacent attacker can trigger an integer underflow condition through packet descriptors (the data segments that let the network adapter track network packet data in system memory), read data from the guest OS to cause a heap-based buffer overflow that may overwrite function pointers, or cause a stack overflow condition.

Successful exploitation of the vulnerability allows an adjacent attacker with root/administrator privileges in the guest to escape the virtual environment of the guest machine and reach the host's Ring 3 privilege layer, from which privileges can be escalated to ring 0 via /dev/vboxdrv.


Mitigation

Until the patched VirtualBox build is out, you can change the network card of your virtual machines to PCnet (either of the two) or to Paravirtualized Network. If you can't, change the mode from NAT to another one. The former way is more secure.
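As an added example (not from the advisory or the linked repository), a POSIX shell audit that flags VMs with exactly the combination described above, an 82540EM adapter in NAT mode, and prints the VBoxManage command that switches each affected slot to the paravirtualized adapter. It parses the `nicN`/`nictypeN` keys of `VBoxManage showvminfo --machinereadable`; the VM name and NIC values in the embedded sample are constructed.

```shell
#!/bin/sh
# Audit VirtualBox VMs for the vulnerable combination described above:
# an Intel 82540EM (e1000) adapter attached in NAT mode.
# Parses `VBoxManage showvminfo --machinereadable` output, which contains
# lines such as nic1="nat" and nictype1="82540EM".

# Constructed sample output (not captured from a real VM), used so the
# audit logic can be exercised without VirtualBox installed.
SAMPLE_VMINFO='name="devbox"
nic1="nat"
nictype1="82540EM"
nic2="hostonly"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

# find_vulnerable_nics: read machinereadable vminfo on stdin, print the
# slot numbers of NICs that are both 82540EM and in NAT mode.
find_vulnerable_nics() {
    awk -F'=' '
        /^nic[0-9]+=/     { n=substr($1,4); gsub(/"/,"",$2); mode[n]=$2 }
        /^nictype[0-9]+=/ { n=substr($1,8); gsub(/"/,"",$2); type[n]=$2 }
        END {
            for (n in mode)
                if (mode[n]=="nat" && type[n]=="82540EM") print n
        }' | sort -n
}

# remediation_commands: for a VM name and a list of slot numbers, print
# the VBoxManage command that switches each slot to the paravirtualized
# (virtio) adapter, the option the advisory calls the more secure fix.
remediation_commands() {
    vm="$1"; shift
    for slot in "$@"; do
        printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$vm" "$slot"
    done
}

# audit_all_vms: run the check against every registered VM when VBoxManage
# is available (prints suggested commands; it does not modify anything).
audit_all_vms() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 1; }
    VBoxManage list vms | sed 's/^"\(.*\)" {.*/\1/' | while IFS= read -r vm; do
        slots=$(VBoxManage showvminfo "$vm" --machinereadable | find_vulnerable_nics)
        [ -n "$slots" ] && remediation_commands "$vm" $slots
    done
}
```

Review the printed commands before running them; a VM must be powered off for modifyvm to take effect.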

Vulnerable software versions

Oracle VM VirtualBox: 5.0.7 - 5.2.20

External links

http://github.com/MorteNoir1/virtualbox_e1000_0day


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
