Ranting researcher publishes VM-busting zero-day without warning

A security researcher has published a zero-day flaw in a commonly-used virtual machine management system without notifying the vendor, justifying it with a scathing critique of the infosecurity industry.

St Petersburg-based Sergey Zelenyuk dropped the bug, which affects Oracle’s VirtualBox software, on GitHub this week

We’re linking to the bug here because Zelenyuk provides a workaround, and attackers will be at an advantage if they see it and you don’t. The vulnerability lies in the way that default VirtualBox virtual machines treat network communications. The virtual network card lets an attacker with administrative privileges escape to the host operating system.

To exploit the flaw, an attacker first turns off the E1000 virtual network card in the guest OS. They then load their own Linux kernel module (LKM), which is a piece of code that extends Linux’s functionality without having to reboot the system. This LKM, which contains the exploit code, starts its own E1000 virtual network card. The LKM then exploits a buffer overflow vulnerability in the virtual network card, which enables it to gain access to the host system. After that, the attacker can unload the LKM and restart the original E1000 virtual network card so that they can use the network again.

There are some caveats to this attack. The first is that the attacker must have escalated (administrative) privileges on the guest OS. As Zelenyuk points out, though, this is workable, as other exploits can escalate user privileges.

The other caveat is that the attack only gives the hacker access to what’s usually known as “userland” on the host computer, rathen that access to the host operating system itself.

Nevertheless, the ability to escape from a virtual machine (VM) to the host computer that’s in charge of the VM has serious consequences – especially if the host is running VMs on behalf of a bunch of different users.

The VirtualBox bug is notable in its own right, but equally interesting is Zelenyuk’s approach. Although he didn’t publish an actual proof of concept executable, he provided extensive details of the exploit without telling Oracle first – a blurt-it-out-publicly approach known as full disclosure.

These days, full disclosure is widely frowned upon in cybersecurity circles, with many researchers following a gentler approach known as responsible disclosure, telling the vendor first and giving them time to fix it.

The researcher said:

I like VirtualBox and it has nothing to do with why I published a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty:

  1. Wait half a year until a vulnerability is patched is considered fine.

In point two, he claims that bug bounty programs take too long to verify vulnerabilities, change their minds, and don’t provide enough information about the types of vulnerabilities they are interested in or how much they are willing to pay.

Finally, he goes on a hyperbolic rant about the industry in general:

Delusion of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating importance of own job as a security researcher; considering yourself “a world saviour”. Come down, Your Highness.

We asked Oracle, which wouldn’t comment, but instead directed us to its disclosure policies, which say that for a researcher to be credited, “they must follow responsible disclosure practices”. One of these is:

They do not publish the vulnerability prior to Oracle releasing a fix for it.