Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

VirtualBox - Cooperating VMs can Escape from Shared Folder Exploit

🗓️ 14 Mar 2017 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 29 Views

VirtualBox Security Issue: Coop VMs Escape from Shared Folde

Code
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1037
 
There is a security issue in the shared folder implementation that
permits cooperating guests with write access to the same shared folder to
gain access to the whole filesystem of the host, at least on Linux hosts.
 
The issue is that, when the host checks whether a given path escapes the root
directory of the shared folder in vbsfPathCheckRootEscape(), the function
assumes that the directory hierarchy is static: E.g. the path
"base/a/b/c/../../.." is assumed to be equivalent to "base/a/b/../..",
"base/a/.." and "base". However, at least on Linux, renames can occur at the
same time as path traversal.
 
This means that, if VM A attempts to open "base/a/b/c/../../../foo" while
VM B is moving "base/a/b/c" to "base/c_", VM A might actually end up opening
"base/../../foo" instead of "base/foo".
 
To demonstrate the issue, on a Linux host with Virtualbox 5.1.10:
 
 - Place a file called "real_root_marker" in the root directory of the Linux
   host, containing some secret text. The VMs will attempt to obtain
   the contents of this file.
 
   [email protected]st:/# echo "this is secret text in the host fs" > /real_root_marker
 
 - Create two Linux VMs with a shared writable folder.
 - In the VMs, install the guest extensions, with the attached patch
   vboxsf_new.patch applied.
 - In the VMs, ensure that the new vboxsf kernel module is loaded and that
   the shared folder is mounted.
 - In VM A, compile and run the attached file openspam.c:
 
   [email protected]:/media/sf_vboxshared# gcc -o openspam openspam.c -std=gnu99
   [email protected]:/media/sf_vboxshared# ./openspam
   entering directory...
   entered directory and prepared folders, racing...
 
 - In VM B, compile and run the attached file renamespam.c:
 
   [email protected]:/media/sf_vboxshared# gcc -o renamespam renamespam.c -std=gnu99
   [email protected]:/media/sf_vboxshared# ./renamespam
 
Now, in VM A, you should see the contents of the host's /real_root_marker
within seconds:
 
    SUCCESS
    this is secret text in the host fs
    EOF
 
Note: The exploit assumes that the shared folder isn't more than nine levels
away from the filesystem root.

#  0day.today [2018-01-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Mar 2017 00:00Current
6.8Medium risk
Vulners AI Score6.8
virtualboxsecuritycoop vmsshared folderexploitlinuxhostfilesystemvm avm bguest extensionskernel modulevulnerability
29