SentinelOne has explained how one of its researchers achieved arbitrary code execution on servers running Oracle VirtualBox.

Security researcher Max van Amerongen works for SentinelLabs, the research arm of security company SentinelOne. In March of this year, the Zero Day Initiative’s annual hacking contest prompted Van Amerongen to take on Oracle VirtualBox. VirtualBox is a hypervisor, the class of software central to virtualising hardware in the cloud.

Van Amerongen, as an outsider, managed to execute code on servers running Oracle VirtualBox. His findings came just too late for the Zero Day Initiative live contest, but were successful nonetheless.

For the first time since the hack, SentinelOne sets out Van Amerongen’s approach. “Virtualisation is an incredibly interesting target”, the researcher explains. “The complexity involved in both emulating hardware devices and passing data safely to real hardware is astounding. And where there’s complexity — there’s bugs.”

Groundwork

With that mantra in mind, Van Amerongen set out. The researcher delved into how Oracle VirtualBox exchanges network packets between guests and the host. In virtualisation, the term guest describes a workload running inside a virtual machine, which thereby has access to the computing power of the server the machine runs on. The term host describes that server.

There is good reason for Van Amerongen’s initial interest in the exchange of data between guests and the host. Oracle VirtualBox takes several measures to ensure that a host does not receive malicious data from guests. Even if an organisation installs a malicious application on a virtual machine, the application is meant to be stopped at the server’s doorstep. If a rogue application tries to flood the server with packets, whether deliberately or through a coding error, the server is meant to remain functional. Vulnerabilities in the interaction between guests and a host are therefore opportunities for attackers. Van Amerongen looked for exactly that, and found it.

Two hits

The researcher began by reading the code of the function responsible for sending packets from guests to the host. He spotted a code path for Generic Segmentation Offload (GSO) frames, a mechanism used to handle network traffic efficiently. By using a paravirtualised driver as the VirtualBox network adapter, Van Amerongen found a way to manipulate the GSO structure of packets.

Oracle VirtualBox’s handling of GSO allowed for two practical methods. In both cases (ZDI-21-455 and ZDI-21-456), Van Amerongen supplied data that the host could not process correctly, which paved the way for code execution at the hypervisor level. Oracle has since patched both vulnerabilities.