Researcher Published VirtualBox Zero-day with POC Exploits

A Russian Security researcher, Sergey Zelenyuk have found a zero-day bug for VirtualBox and published the POC with the exploit code on GitHub. The vulnerability resides in the share code-base of the virtualization software which affects the latest version of the VirtualBox 5.2.20 also. The vulnerability is critical as it allows an attacker to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer, used for running code from most user programs, with the least privileges.

Zelenyuk found that bug can be triggered on the default setup of the guest system on Network Address Translation (NAT) mode which is used to access external network in the virtual machine with the Intel PRO/1000 MT Desktop (82540EM) network adapter.

The network adapter [Intel PRO/1000 MT Desktop (82540EM)] has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/ vboxdrv.

Working of the Bug - Chaining Two bugs

To exploit the system and get a full takeover, an attacker needs to chain a couple of the bug. On the detail POC of the bug,  Zelenyuk explains that initially, he caused an integer underflow condition using packet descriptors - data segments that allow the network adapter to track network packet data in the system memory. Later it was leveraged to read data from the guest OS to into a heap buffer and cause an overflow condition that could lead to overwriting function pointers or to cause a stack overflow condition.
Successful exploitation of the bug gives an attacker access to Ring 3 Level of permission, privilege escalation is needed to take control over the host operating system.

Video POC of VirtualBox Zero-day

The researcher has also published the video demonstration of the bug showing getting the shell on the exploited box.
Researcher have tested the bug on Ubuntu 16.04 and 18.04, both 86- and 64-bit with the default configuration. 

This is not the first time  Zelenyuk have found the bug on VirtualBox. Earlier also on the month of August, he had found the bug on VirtualBox 5.2.10 and reported to Oracle. Although Oracle has fixed the bug, but they didn't give credit to the researcher for his findings.
So because of his past experience, he has dropped this current zero-day publicly with full details.
With ❤️ Cyber Kendra