Exploit developer and vulnerability researcher Sergey Zelenyuk decided to publicly disclose a VirtualBox zero-day vulnerability, along with the exploit for it, because he disagrees with the current state of bug bounty programs and security research.
As detailed in his GitHub-based disclosure, the security issue chains multiple bugs and affects all VirtualBox virtual machines that use the default configuration, which sets the network card to Intel PRO/1000 MT Desktop (82540EM) and the networking mode to NAT.
Moreover, the zero-day affects all possible combinations of guest and host operating systems used with the targeted virtual machines.
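To see which adapters of a VM match the affected configuration described above, the following added example (not part of the article or of Zelenyuk's write-up) parses the text produced by `VBoxManage showvminfo <vm> --machinereadable`. The `nicN` and `nictypeN` key names and the sample input are assumptions about that output format, and the sample is constructed.

```python
import re

# Constructed sample in the key="value" style assumed for
# `VBoxManage showvminfo <vm> --machinereadable` (not taken from the article).
SAMPLE_VMINFO = '''\
name="build-agent"
nic1="nat"
nictype1="82540EM"
nic2="hostonly"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"
'''

AFFECTED_NIC = "82540em"   # Intel PRO/1000 MT Desktop, as named in the article
AFFECTED_MODE = "nat"      # networking mode named in the article

# Matches nic<N>="..." and nictype<N>="..." only; other keys are ignored.
_LINE = re.compile(r'^(nic|nictype)(\d+)="?([^"]*)"?$')


def affected_adapters(vminfo_text):
    """Return the sorted adapter slots that pair the 82540EM card with NAT."""
    adapters = {}
    for line in vminfo_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        key, slot, value = m.group(1), int(m.group(2)), m.group(3).strip().lower()
        adapters.setdefault(slot, {})[key] = value
    # An adapter is flagged only when both conditions hold on the same slot.
    return sorted(
        slot for slot, cfg in adapters.items()
        if cfg.get("nic") == AFFECTED_MODE and cfg.get("nictype") == AFFECTED_NIC
    )


if __name__ == "__main__":
    for slot in affected_adapters(SAMPLE_VMINFO):
        print(f"adapter {slot}: 82540EM in NAT mode (matches the affected configuration)")
```

Only adapter 1 in the sample is flagged: adapter 2 uses the same card but not NAT, and adapter 3 uses NAT with a different card.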
Following successful exploitation of the zero-day VirtualBox vulnerability, attackers can gain elevated privileges on the target system, allowing for an escape from the guest operating system running in the virtual machine to the host OS.
According to the security researcher, the exploit he describes in detail in his write-up is 100% reliable and “it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account.”
Zelenyuk started his write-up by detailing the reasons behind the public disclosure of the vulnerability and exploit. The catalyst behind his decision was probably a previously discovered VirtualBox security issue that he disclosed to Oracle and that was fixed in 15 months.
Submitted by: Arnfried Walbrecht