Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:92961
HistoryApr 17, 2017 - 12:00 a.m.

VirtualBox: cooperating VMs can escape from shared folder (CVE-2017-3538)

2017-04-1700:00:00
Root
www.seebug.org
24

0.001 Low

EPSS

Percentile

18.2%

JSON

There is a security issue in the shared folder implementation that permits cooperating guests with write access to the same shared folder to gain access to the whole filesystem of the host, at least on Linux hosts.

The issue is that, when the host checks whether a given path escapes the root directory of the shared folder in vbsfPathCheckRootEscape(), the function assumes that the directory hierarchy is static: E. g. the path “base/a/b/c/…/…/…” is assumed to be equivalent to “base/a/b/…/…”, “base/a/…” and “base”. However, at least on Linux, renames can occur at the same time as path traversal.

This means that, if VM A attempts to open “base/a/b/c/…/…/…/foo” while VM B is moving “base/a/b/c” to “base/c_”, VM A might actually end up opening “base/…/…/foo” instead of “base/foo”.

To demonstrate the issue, on a Linux host with Virtualbox 5.1.10:

  • Place a file called “real_root_marker” in the root directory of the Linux host, containing some secret text. The VMs will attempt to obtain the contents of this file.

root@host:/# echo “this is secret text in the host fs” > /real_root_marker

  • Create two Linux VMs with a shared writable folder.
  • In the VMs, install the guest extensions, with the attached patch vboxsf_new. patch applied.
  • In the VMs, ensure that the new vboxsf kernel module is loaded and that the shared folder is mounted.
  • In VM A, compile and run the attached file openspam. c:

root@vmA:/media/sf_vboxshared# gcc-o openspam openspam. c-std=gnu99 root@vmA:/media/sf_vboxshared# ./ openspam entering directory… entered directory and prepared folders, racing…

  • In VM B, compile and run the attached file renamespam. c:

root@vmB:/media/sf_vboxshared# gcc-o renamespam renamespam. c-std=gnu99 root@vmB:/media/sf_vboxshared# ./ renamespam

Now, in VM A, you should see the contents of the host’s /real_root_marker within seconds:

SUCCESS
this is the secret text in the host fs
EOF

Note: The virus assumes that the shared folder isn’t more than nine levels away from the filesystem root.

Attachment: vboxsf_new. patch

openspam. c

renamespam. c

Related

debiancve 1
openvas 6
nessus 4
prion 1
cve 1
ubuntucve 1
kaspersky 1
mageia 1
suse 2
oracle 1
debiancve
debiancve
CVE-2017-3538
2017-04-24 19:59:00
openvas
openvas
Oracle Virtualbox Security Bypass Vulnerability - 01 (Apr 2017) - Linux
2017-04-25 00:00:00
Oracle Virtualbox Security Bypass Vulnerability - 01 (Apr 2017) - Mac OS X
2017-04-25 00:00:00
Oracle Virtualbox Security Bypass Vulnerability - 01 (Apr 2017) - Windows
2017-04-25 00:00:00
nessus
nessus
Oracle VM VirtualBox 5.0.x < 5.0.34 / 5.1.x < 5.1.16 Shared Folder Implementation Information Disclosure
2017-04-05 00:00:00
Oracle VM VirtualBox 5.0.x < 5.0.38 / 5.1.x < 5.1.20 (April 2017 CPU)
2017-04-20 00:00:00
openSUSE Security Update : virtualbox (openSUSE-2017-534)
2017-05-03 00:00:00
prion
prion
Design/Logic Flaw
2017-04-24 19:59:00
cve
cve
CVE-2017-3538
2017-04-24 19:59:00
ubuntucve
ubuntucve
CVE-2017-3538
2017-04-24 00:00:00
kaspersky
kaspersky
KLA11028 A read/write local files vulnerability in Oracle VM Virtual Box
2017-04-24 00:00:00
mageia
mageia
Updated virtualbox packages fixes security vulnerabilities
2017-03-23 10:19:23
suse
suse
Security update for virtualbox (important)
2017-05-02 15:09:05
Security update for virtualbox (important)
2017-05-02 15:09:19
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

0.001 Low

EPSS

Percentile

18.2%

JSON
Related for SSV:92961
debiancve1openvas6nessus4prion1cve1ubuntucve1kaspersky1mageia1suse2oracle1