PoC Exploit Released for Critical Oracle VirtualBox Vulnerability

A virtual machine is a computer system emulated in software on a physical host, and Oracle VirtualBox is a hypervisor that lets users run virtual machines on their own computers.

The vulnerability affects Oracle VirtualBox versions before 7.0.16. A local attacker can exploit it to make VirtualBox delete or move arbitrary files by getting its privileged component to follow symbolic links.

Arbitrary File Move

The flaw allows privilege escalation on Windows. It lies in how VirtualBox rotates its log files: the rotation runs with SYSTEM privileges, and because at most 10 backups are kept, the deletion of the oldest log when an 11th arrives is performed as SYSTEM as well.

An attacker can exploit this by placing a symbolic link in the directory that points to a critical system file.

When the 11th log is deleted, the symbolic link is followed and the critical file is deleted instead, which can be leveraged into unauthorized access.

Symbolic links are a type of file that points to another file on the system, and when VirtualBox follows a symbolic link, it treats the linked file as if it were the original file.

An attacker could use this to force VirtualBox to delete or move crucial system files, potentially compromising the system.

Arbitrary File Delete

To exploit the flaw, an attacker needs unprivileged code execution on the host (for example, by tricking a user into running a malicious program). That code creates, in the user-writable log directory, a symbolic link pointing at a protected file and then gets VirtualBox's privileged log handling to act on it.

Once the attacker tricks VirtualBox into following the symbolic link, VirtualBox will try to delete or move the file that the symbolic link points to.

Because the log handling runs with SYSTEM privileges, the file is deleted or moved even though the attacker has no permission to touch it directly.
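The rotate-and-delete pattern described in the two sections above, written out as an added example (this is not VirtualBox code, and the log name VBoxSDS.log and the directory layout are assumptions for the demo). It is a POSIX simulation: a directory symlink plays the role a junction plays on Windows. The vulnerable rotator resolves every path by name, so when the attacker replaces the log directory with a symlink the privileged delete lands in the protected directory. The hardened rotator pins the directory with O_NOFOLLOW and operates relative to that descriptor, refusing anything that is not a plain file (the Windows equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting reparse points).

```python
"""Added example: privileged log rotation that follows symlinks, and a version that does not."""
import os
import stat
import tempfile

MAX_BACKUPS = 10        # the article: VirtualBox keeps at most 10 backups
BASE = "VBoxSDS.log"    # assumed log name for this demo


def rotate_logs_vulnerable(log_dir: str, base: str = BASE) -> None:
    """Delete base.10, shift base.N -> base.N+1, then base -> base.1.

    Every call takes a full path. If log_dir has been replaced by a symlink
    (a junction on Windows), the kernel follows it and the delete/rename
    hits whatever directory the attacker chose."""
    oldest = os.path.join(log_dir, f"{base}.{MAX_BACKUPS}")
    if os.path.lexists(oldest):
        os.remove(oldest)                     # the "11th" deletion, as the privileged user
    for i in range(MAX_BACKUPS - 1, 0, -1):
        src = os.path.join(log_dir, f"{base}.{i}")
        if os.path.lexists(src):
            os.rename(src, os.path.join(log_dir, f"{base}.{i + 1}"))
    current = os.path.join(log_dir, base)
    if os.path.lexists(current):
        os.rename(current, os.path.join(log_dir, f"{base}.1"))


def rotate_logs_hardened(log_dir: str, base: str = BASE) -> None:
    """Same rotation, but the directory is opened with O_NOFOLLOW (a symlink in
    its place raises OSError) and every entry is lstat'ed through that
    descriptor; a non-regular entry (symlink, device, ...) raises RuntimeError."""
    dfd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        def is_plain_file(name: str) -> bool:
            try:
                st = os.lstat(name, dir_fd=dfd)
            except FileNotFoundError:
                return False
            if not stat.S_ISREG(st.st_mode):
                raise RuntimeError(f"refusing to rotate non-regular entry {name!r}")
            return True

        if is_plain_file(f"{base}.{MAX_BACKUPS}"):
            os.unlink(f"{base}.{MAX_BACKUPS}", dir_fd=dfd)
        for i in range(MAX_BACKUPS - 1, 0, -1):
            if is_plain_file(f"{base}.{i}"):
                os.rename(f"{base}.{i}", f"{base}.{i + 1}", src_dir_fd=dfd, dst_dir_fd=dfd)
        if is_plain_file(base):
            os.rename(base, f"{base}.1", src_dir_fd=dfd, dst_dir_fd=dfd)
    finally:
        os.close(dfd)


def demo_redirect() -> dict:
    """Constructed scenario: 'victim' stands in for a protected directory; the
    attacker swaps the user-writable log directory for a symlink to it."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        os.mkdir(victim)
        target = os.path.join(victim, f"{BASE}.{MAX_BACKUPS}")
        with open(target, "w") as f:
            f.write("file the attacker cannot delete directly\n")
        log_dir = os.path.join(root, "VirtualBox")
        os.symlink(victim, log_dir)              # the attacker's redirect

        out = {}
        try:
            rotate_logs_hardened(log_dir)
            out["hardened_refused"] = False
        except OSError:                          # ELOOP from O_NOFOLLOW
            out["hardened_refused"] = True
        out["target_survives_hardened"] = os.path.exists(target)
        rotate_logs_vulnerable(log_dir)
        out["target_survives_vulnerable"] = os.path.exists(target)
        return out


def demo_normal() -> dict:
    """The hardened rotator on an honest directory holding base and base.1..10."""
    with tempfile.TemporaryDirectory() as log_dir:
        with open(os.path.join(log_dir, BASE), "w") as f:
            f.write("current")
        for i in range(1, MAX_BACKUPS + 1):
            with open(os.path.join(log_dir, f"{BASE}.{i}"), "w") as f:
                f.write(str(i))
        rotate_logs_hardened(log_dir)
        names = sorted(os.listdir(log_dir))
        with open(os.path.join(log_dir, f"{BASE}.1")) as f:
            newest = f.read()
        with open(os.path.join(log_dir, f"{BASE}.{MAX_BACKUPS}")) as f:
            oldest = f.read()
        return {"count": len(names), "has_current": BASE in names,
                "newest": newest, "oldest": oldest}


if __name__ == "__main__":
    print(demo_redirect())
    print(demo_normal())
```

Note that the hardened version only pins the directory and refuses non-regular entries; it does not make a world-writable log directory safe. The real fix is to stop giving unprivileged users write access to the directory that a SYSTEM-level process rotates in.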

An attacker could use the vulnerability in a number of ways to gain unauthorized access to a system.

For example, an attacker could delete a critical system file required for booting, leaving the system unable to start, or chain the privileged delete with another weakness to install malware and take control of the system.

The researchers who published the proof of concept on GitHub reported the vulnerability to Oracle on March 19, 2024, and Oracle confirmed it on March 21, 2024.

A public advisory followed on April 13, 2024. The vulnerability is tracked as CVE-2024-21111 (Common Vulnerabilities and Exposures identifier).

Kaaviya is a Security Editor and fellow reporter with Cyber Press (https://cyberpress.org/). She covers cyber security incidents happening in cyberspace.