Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com)
"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet.
According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."
The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."
"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
So submit the patch instead of waiting 15 months for someone else to.
There is no need for Virtualbox in Federal Prison.
They use FreeBSD Jails instead.
If more bugs were called out like this, the programmers would spend more time testing their software instead of taking the "we'll fix it if we get caught" attitude.
We must demand the same from the damn government!
What is it about VMware Player that makes you think it is immune to this kind of internal targeted leak of its security flaws? You're living in some kind of fantasy land if you think some freeware from a company is more secure for no reason other than that one costs money (but it's free, so it doesn't cost money).
ZIP
How many? Did you tell anyone how many are not? Did those you informed believe your attestation? Would you do your work again under the same circumstances?
I have to disagree... I've seen VMware products do a lot of nasty things, even in environments with high end paid support. The answers from VMW TAC were, to say the least, very unsatisfactory (destroy the VM and start over, it does that sometimes).
I use Virtualbox a lot. No, the polish of VMware isn't there, but ya know, there is NOTHING VMware/VSphere does that I can't do with Virtualbox... If I don't mind fiddling around with it for a while. Sometimes I mind. Other times, not so much.
Just my two shekels' worth.
Zero day means something. It doesn't mean what tech "reporters" think it means.
vbox is seductively easy to use on windows, but shit it's rotten software. Even something simple like the "cli" is clearly "designed" by windows-only idiots who just don't get proper CLI at all. And mysql is the same kind of idiocy with a different face on it. Both of them dying would be a good thing. Take docker and php with it while at it, please.
Though realistically even should mysql die there's still mariadb, natch. For vbox, there's several alternatives you might use. Someone'll whip up a front-end on windows and off you go.
Anyhoo. I really don't understand what Sun was thinking when they bought MySQL, and I don't know what Oracle was thinking when they bought Sun. Both really don't "get" lots of things they bought (Cobalt RaQ, anyone?), though they're far from the only ones to buy stuff and then strangle it from sheer incompetence with the stuff they bought. Or buying a company with a good product just for "the IP" and then abandoning the product, alienating a loyal customer base. I bet you too can name a few.
As for this "security researcher", he's saying some of the same things others, including me, have been saying for years: the security industry is terribly immature and ineffective. The "responsible disclosure" folderol and all the bickering about what makes your disclosure responsible and the other guy's not makes it only more so.
(Though honestly, if you've found a hole in a FOSS project, kindly do email them first. Not even trying with a big fat bureaucracy I get, but FOSS projects do deserve a chance, or at least a heads-up in their security contact's inbox.)
And in closing, this is old news. I saw this announced on Tuesday on a not particularly up-to-date website in a different language, translated from the original Security Industry Standard Hollibru Engrish. EditorDavid apparently was too busy reading drivel to notice actual news for nerds, stuff that matters. To me, more proof that these editors are entirely irrelevant and outdated. Maybe they ought to get jobs at Oracle.
How good or poor is opengl support in vmware workstation?
I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.
Apple is another company that happily waits many months to fix critical security issues of the kind that can give an attacker control over the system. Do you think it's a coincidence? They won't do anything until the NSA court order says they can.
Just another occasion to be reminded of the lesson that if you use software from American vendors, there will always be a way into your system.
we saw this a few days ago
This vulnerability requires root-level privileges inside a guest OS, and for that guest OS to be running with a very specific configuration (must have an E1000 NIC and be configured in NAT mode)...
Incidentally, NAT mode doesn't support IPv6, rendering it useless for me.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
One of my VMs did indeed use the Intel PRO/1000 MT Desktop (82540EM) driver (thankfully not set to NAT).
There are several links in the article summary, and it would be a shame if readers overlooked the particular link to the researcher's actual excellent work:
https://github.com/MorteNoir1/virtualbox_e1000_0day
And, as mentioned in the detailed report in the GitHub project, the rules in the "bug bounty" economy need to be clarified and made reliable so that researchers have the incentive and confidence to make the significant investment to do this kind of great work. Maybe bounty cash should be put in escrow, with independent arbiters of whether exploits meet requirements.
This kind of research is also being done by state actors and criminal organizations, of course, but their ambitions rely on breeding, nurturing, and exploiting bugs -- for wealth and power. Grossly unethical, and not a path to feeling loved.
How good or poor is opengl support in vmware workstation?
I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.
They're both crap. VMWare is slightly better than Virtualbox, but it's still crap.
I'm a minority race. Save your vitriol for white people.
There's a lot of bitching and moaning on this so far but nothing on what I believe is a simple fix for this security problem. The emphasis I saw was that the default settings on the emulated network were vulnerable. So, if you are running VBox now, go change the settings to something not vulnerable. The publishers of this software can change the defaults on the next release with a note that changing them back to what was default before comes with the potential for some malware to exploit it.
My question is, what settings do I have to change to avoid this problem? Complaining about Oracle possibly being slow on a fix does not prevent people from fixing it themselves for now. I want to know what a secure setting might be.
My guess is that simply changing the emulated NIC is sufficient. Another fix that I expect would work is to use USB or PCI passthrough to a real hardware NIC. If the problem is in the NAT then change to a different kind of network. I don't recall all the options on VBox networking but something has to work.
I haven't used VBox in a while so I'm a bit fuzzy on the specifics, but I do recall having network troubles with it. I learned that I could get better networking from my VMs with a USB Ethernet adapter for each machine that needed network access. I bought a couple for $30 each, and now there are certainly cheaper ones available that I'm sure work just as well. That's pretty cheap to get a good network connection for a desktop setup but is inconvenient on a laptop. Unless this security problem exists with this kind of setup, which seems doubtful given the description of the bug, I'd recommend that. Make some coffee and toast for breakfast for a couple of days instead of going to Starbucks and you can buy a USB Ethernet adapter, and you'll probably lose a pound or two in the process.
I'm an engineer by trade and training so I like to discuss solutions, not complain until someone else fixes it for me. I thought this website was for the do-it-yerself types. I guess not.
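The two posts above narrow the exposed configuration to an E1000 adapter attached in NAT mode, and the later one asks which setting to change. Here is an added audit script, not from the thread and not VirtualBox's own tooling, that flags that combination in `VBoxManage showvminfo --machinereadable` output and prints the `modifyvm` command that would switch the adapter to a non-E1000 model; it assumes `VBoxManage` is on PATH for the live walk and that the `nicN`/`nictypeN` key names are as VirtualBox emits them.

```shell
#!/bin/sh
# Added example (not from the original thread). Flags VirtualBox NICs that are
# both attached in "nat" mode and emulating an Intel E1000 chipset
# (82540EM / 82543GC / 82545EM are the E1000 variants VirtualBox offers).
# Assumption: VBoxManage is on PATH when audit_all_vms is used; the parser
# itself only needs 'showvminfo --machinereadable' text on stdin.

# Read machine-readable showvminfo output on stdin; print one line per NIC that
# is attached to "nat" AND uses an E1000 chipset, e.g.:  nic1 nat 82540EM
e1000_nat_nics() {
    awk -F= '
        /^nic[0-9]+=/     { n = substr($1, 4); gsub(/"/, "", $2); mode[n] = $2 }
        /^nictype[0-9]+=/ { n = substr($1, 8); gsub(/"/, "", $2); type[n] = $2 }
        END {
            for (n in mode)
                if (mode[n] == "nat" && type[n] ~ /^(82540EM|82543GC|82545EM)$/)
                    printf "nic%s %s %s\n", n, mode[n], type[n]
        }' | sort
}

# Build (but do not run) the VBoxManage command that moves a flagged NIC to the
# paravirtual "virtio" model, one of the non-E1000 adapters VirtualBox supports.
# The guest needs virtio network drivers, and the VM must be powered off for
# modifyvm to apply.  $1 = VM name, $2 = a line produced by e1000_nat_nics.
remediation_cmd() {
    nic=${2%% *}        # "nic1 nat 82540EM" -> "nic1"
    idx=${nic#nic}      # "nic1" -> "1"
    printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$1" "$idx"
}

# Walk every registered VM on this host (requires VBoxManage).
audit_all_vms() {
    VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r vm; do
        VBoxManage showvminfo "$vm" --machinereadable | e1000_nat_nics |
        while IFS= read -r line; do
            echo "$vm: $line  ->  $(remediation_cmd "$vm" "$line")"
        done
    done
}

# Constructed sample (not captured from any real machine) in the key="value"
# format that showvminfo --machinereadable emits: nic1 is the exposed
# default, nic2 is E1000 but bridged, nic3 is NAT but virtio, nic4 unused.
SAMPLE_VMINFO='name="untrusted-guest"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

# Run against the constructed sample with --demo, or against live VMs with --live.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_VMINFO" | e1000_nat_nics ;;
    --live) audit_all_vms ;;
esac
```

Whether a non-E1000 adapter is sufficient is the poster's guess, not something this script can establish; it only tells you which VMs still carry the flagged combination.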
What's the virtual box alternative to vCenter?
"Security researcher" sounds so much more serious, official and professional than "Nerd who can't get laid wasting his life with computers in his mother's basement".
https://www.virtualbox.org/wiki/Changelog
I don't understand the details of the vulnerability, but the originator of the repo linked in TFS says VirtualBox 5.2.22 "looks like a solid fix".
See https://github.com/MorteNoir1/virtualbox_e1000_0day/issues/12
YMMV
It is pretty obvious that VirtualBox is basically on life support, with no real updates in years. VMware at least has updates. I use VirtualBox because I am cheap...
well... There are PHPVirtualbox, remotebox and hyperbox, that I know of and have used or do use. There may be others now, but I stopped looking when I found some that I liked (why is it that my keys are always in the last place I look? because I stop looking!) .
As I said, they can take some fiddling but are well worth the time/effort.
Add Open vSwitch (NICs for which are supported by VirtualBox VM guests) to the mix for a distributed switch fabric and a VirtualBox-based "vCenter" becomes very doable. Yes, you DO have to roll it yourself, unlike VMware, but...
Just like vCenter, shared storage is necessary for moving running VMs from host to host.
Other than VMware, VirtualBox has the most pre-rolled "stuff". KVM and Xen CAN do all of this stuff, but there is a lot more that has to be done for integration.
All of that said, I've also found that when importing an OVA into Virtualbox, low level details of the guest DO get changed. Nothing huge, but some things DO check for those details and do various unpleasant things when they don't match. I haven't found any I can't change back, if I know what they are.
Like I said, it CAN be a wee tad fiddly.
Folks can't touch what doesn't exist: You're a BETTER programmer than I quoted saying it below? WHERE'S PROOF OF WORK YOU DO EVEN /.ers LIKE & USE?
It's NOT!
"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)
FROM https://yro.slashdot.org/comme...
* I have DOZENS of /.ers saying they like & use my work - praising it & its good effects on more speed, security, reliability & anonymity PLUS 100,000++ users of it worldwide - DO YOU??
HELL NO!
You also LIED trying to "take credit" for a SOLUTION to C++ string buffer overflow issues I SOLVED WAY BEFORE YOU https://tech.slashdot.org/comm... proof's right there scumbag punk you are.
I also shot you to pieces on your github LIE @ the root of all that too (yes that's you too scumbag) https://yro.slashdot.org/comme...
APK
P.S.=> CodeSigning you "praise" (I don't for GOOD REASONS & I use something better) can & HAS been STOLEN & ABUSED https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen... ... apk
See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...
* He tried to INSULT me & so I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.
(You shouldn't throw stones when you live in a glass house boys - especially vs. me)
APK
P.S.=> Hosts stop portsmash https://it.slashdot.org/commen... not Spectre/Meltdown - so cut your lies as you IMPERSONATE me you pitiful loser... apk
fucking kill yourself and never spam this again you piece of shit
ZIP you already committed public suicide everyone can read about here (lmao) https://developers.slashdot.or...
* RoTfLmAo!
(Have your "TaNtRuMz" elsewhere - try your mommy, she may respond to your crybaby bullshit orders - I don't - especially vs. WORMS like you!)
APK
P.S.=> I didn't write the post you replied to so you know, the morons who oppose me here & lose STUPIDLY (lol, see link above as an "example proof thereof") are IMPERSONATING me & then STALKING me by UNIDENTIFIABLE anonymous as you are now (so 'brave', lol - not)... apk
ZIP gets called out for his blowhard bragging he can't backup! APK makes ZIP "Run, Forrest: RUN" https://developers.slashdot.or... and ZIP tried to down moderate "hide" that when it was posted before 2 times out of his shame https://developers.slashdot.or... https://developers.slashdot.or...
i have no idea what you're talking about (you might not either) - Virtualbox devs release frequent updates, continually improving the thing (no useless gui updates) - they even fixed an issue I reported (it only took them a month to fix two issues related to the problem I reported) - it's good software being produced during a time when many other projects or companies are releasing messes
If you have to use Windows, upgrade to Pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run Linux, KMS is there, and qemu if you want a GUI. Shoot, even pfSense ran under Hyper-V natively without any hacks or packages out of the ISO!
Both KMS and Hyper-V are type-1 hypervisors, unlike the shitty VMware Workstation and VirtualBox. No guest tools, and they run bare metal at near-native speeds.
http://saveie6.com/
When you tell them that they suck and really don't understand IT, they call you "disgruntled"... maybe he has to follow some gayish COC.
Be VERY careful with Virtualbox. Yes, VBox itself is licensed openly... but if you want stuff like working video, USB drivers, or other items, and you download and install the add-on pack, boom... you now are using licensed commercial software which does report back to Oracle, and they will want their cut.
Because of this, you might as well just use VMWare Workstation or Fusion, because they at least keep updating it.
You are so INCREDIBLY predictable, Alex. You're like the hamster running inside the little wheel.
Mostly.
(The hamster eventually figures out how to get off.)
Happy Armistice Day from Stockholm!
There is no Planet B.
You told people to block GitHub and GitLab—permanently, FFS.
I remember a couple of years ago when you were so proud of yourself because your string routines pegged the fucking CPU. You only changed your tune about this after about 200 people here on Slashdot mocked you for it, and rightly so.
And you continue to indulge in your classic "Pick on someone until you get a reaction, then claim they're picking on you" which is about what I'd expect of Donald Trump or someone else with the mentality of a 12-year-old bully.
So how'd it turn out for you with trying to run that Zontar character off the board, eh? Are you still living in your mother's basement? And how's the weather in Syracuse today?
Yup, VMware is some of the worst software I've ever seen. And they still require Flash for their fully-functional UI.
Poor. Intermittent random freezing of KDE KWin input, window switching and compositing when hw accel is enabled, plus occasional hard lockups of the whole machine. It's also a really old GL version. Unusable. This is with a well-supported Radeon RX 580. Spent months of back and forth with their tech "support". They don't seem to care. Was a waste of money (not cheap) and hard to recommend. The quality tanked when they fired their US team and it was offshored. It's a maintenance-mode cash cow at this point. I would pay good money for a replacement which worked and was actually developed. Look at what was in Workstation 15; I couldn't justify paying to upgrade from 14 when there was nothing compelling and no real hope the showstopper bugs were fixed.
i have no idea what you're talking about (you might not either)
He doesn't.
Heck, they fixed a bug in 5.2.22 (released 2 days ago) that I reported in 5.2.18.
I count: one (new) unsubstantiated allegation and at least two lies (which you've repeated before). Why are you trolling this thread, anyhow?
"The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."
Can I reproduce that exploit? Yes. It will work or not. Funny. It seems the post-truth adaptation of "it works in my machine". Why even caring about saying something appearing to be true anymore, right?
Most people seem completely incapable of understanding simple concepts. In fact, I am starting to think that well-reasoned-and-validatable-but-long statements are more likely to be assumed wrong or even untruthful by a big number of (usually noisy) individuals; unlike not saying anything or using simple, short, ideally-repeated-many-times-&-cool-looking expressions with no real meaning.
Although I am not the kind of Schadenfreude guy, I do feel really good with myself and with all what I have (= dignity, honesty, not tolerating arbitrariness, etc.) when I see what the tyranny of the most profound stupidity and fanaticism can bring, mainly online. The saddest part is when those having nothing (from my perspective) aren't aware about that fact and seriously expect their nonsense to prevail when I am around. It is a bit pathetic. But as far as I know that helping/reasoning isn't an option (even if they could understand, they are too ignorant, empty, dishonest and invasive to ever do anything about which I could really care), I will simply focus on enjoying my privileged position.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
I tried to use VirtualBox in my corporate Windows desktop earlier on this year.
Gave up on frustration of the multitude of bugs I encountered.
I cannot even fathom how people depend on VirtualBox to do some serious work, or how some misguided souls use it to run Linux servers.
Enjoy!!
bazinga!!!
Not smooth at all for all those open source projects which don't support Postgres
VMWare has switched to HTML5.
You say your hosts file engine can protect us from advertising. Can you provide assurance that, should I choose to install and use it, I will stop seeing ads such as the one I am currently replying to?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Read the PUEL. Again, not for commercial use unless you licensed it. I understand you want to ensure your Oracle stock does well, but the stock value isn't going to increase by spreading falsehoods or calling people liars.
I highly recommend not calling someone a liar unless you can show proof. Even with a four digit ID.
See subject & YOUR words BronsCon "I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)
* Thanks for the GREAT review!
APK
P.S.=> I didn't post the post you replied to, so you know (impersonators did)... apk
I'm glad you posted this. APK been dragging your name thru the mud for months. Glad to hear your side.
"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)
FROM https://yro.slashdot.org/comme...
When "ZIP" proves he has dozens of registered /.ers praising/liking/using HIS non-existent work & 100,000++ users of it I have then he can make THAT the truth but he never does, lol!
Instead all he does is STALK me by his "ZIP" ac posts WHEN HE HAS A REGISTERED ACCOUNT & HIDES from me by AC posts + DOWNMOD BOMB my posts
"P.S. => I down-modded a few of your post on other threads to save you some embarrassment. - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058) FROM https://yro.slashdot.org/comme...
Like the "brave courageous guy" (not) he is, lol!
* ANYONE CAN TALK - very few (like me) actually DO & can back it up!
APK
P.S.=> Then again, like "ZIP"? NEITHER can YOU, lmao... apk
If you're not sending me postcards like the LOON you admittedly are that also makes FAKE ACCOUNTS to STALK me with too.
Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ?
Sending me postcards with threats too https://slashdot.org/comments.... ?? Your "watch your mailbox" THREAT & you "going postal" (pun intended) that way w/ MORE 'warnings' from you (wow).
See subject: I'm like a hamster? You ARE one-> https://developers.slashdot.or...
APK
P.S.=> Grow up lunatic & ... apk
Take your meds mentalcase - YOU NEED THEM https://slashdot.org/comments.... & You're a druggie too https://slashdot.org/comments....
See subject: I reported FACT on KODI from ESET that proved github hosts malware so into hosts it went https://www.welivesecurity.com... & there is NO DENYING IT!
* ESET/NOD32 = correct.
See for yourself right on their own page in that link there - you lose as always, false accusation LIES as always from you that you now have to EAT YOUR WORDS on loser...
APK
P.S.=> Funny I can show DOZENS of REGISTERED USERS like/use/praise my work (not your notware, lol) https://search.slashdot.org/co... vs. UNIDENTIFIABLE ANONYMOUS LOSERS who harass/STALK & IMPERSONATE me (like you do w/ sockpuppets you made to do it too PROOF - Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ? )... apk
Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ?
Sending me postcards with threats too https://slashdot.org/comments.... ?? Your "watch your mailbox" THREAT & you "going postal" (pun intended) that way w/ MORE 'warnings' from you (wow).
Take your meds mentalcase https://slashdot.org/comments.... & You're a druggie too https://slashdot.org/comments....
* Zontar The Mindless (for sure OUT OF YOUR MIND, lol): You're a butthurt loon freak, plain & simple - you did it to yourself, loser...
APK
P.S.=> You're a lunatic mentalcase - period: How about YOU proving hosts & my program that builds them are useless (you FAIL there bigtime, lol) https://slashdot.org/comments.... ? I've plenty of evidence/fact to the CONTRARY right here alone as to hosts efficacy vs. threats AND that folks use/like MY WORK https://search.slashdot.org/co... ... apk
Disgruntled? Focus on the exploit, not ad hominem!
Thanks for saying my work's good BronsCon! Nice to see you can't DENY you say my work ROCKS - & it does!
* I'm not here to win some "highschool popularity contest" - I'm here to WIN (& I clearly am thanks to praise like yours) so EVERYONE wins.
(I could care less if you don't like ME personally)
APK
P.S.=> You saying you didn't say what I quoted in you saying my work's good? apk
Projecting YOUR issues again I see: You have no dick & certainly NO BALLS as you STALK me behind UNIDENTIFIABLE anonymous.
APK
P.S.=> Grow up psycho - accept it - vs. me? You will ALWAYS lose (it's all "your kind" KNOWS how to do in this life, lol)... apk
You don't deny you literally said my work's good then: I'm not here to win a personal popularity contest. I'm here to win & all do gaining by my work.
* Your "seal of approval" on me? I could care less - irrelevant. On my program I do & you spoke well of its quality: FACT!
(Many do worldwide)
APK
P.S.=> Sure seemed like a problem to you IF you had to reply to my irrefutable logic asking if you said my work IS good - you admit you did & it is - thanks... apk
You're missing it, so I'll state it more plainly. I did literally write words similar to what you keep quoting (your edit changes the meaning a fair bit so, no, I did not write that), but it was not an endorsement of your work so much as a preface to an insult. Once again, my words were not an endorsement of your work and the fact that you had to edit them to make them appear to be such should be a dead giveaway of that.
I wouldn't bother replying to irrefutable logic, except to concede or agree, because I'm not an idiot. You, on the other hand, have just had your flawed logic refuted.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.