Oracle VirtualBox had a high-severity vulnerability (CVE-2024-21111, CVSS 7.8) that allows local privilege escalation through arbitrary file move and arbitrary file delete operations. Oracle patched it and issued a security advisory.
The fix shipped in Oracle's 2024 security update, which addressed 372 vulnerabilities. A public proof-of-concept exploit for the bug has since been published.
PoC Exploit Released
In Oracle VirtualBox versions before 7.0.16 on Windows, a local attacker could escalate privileges to NT AUTHORITY\SYSTEM by using symbolic links to redirect the product's own file operations, obtaining either an arbitrary file delete or an arbitrary file move.
VirtualBox lets every local user write to the directory C:\ProgramData\VirtualBox. Its system service (VBoxSDS), running as NT AUTHORITY\SYSTEM, rotates its log files there and keeps at most 10 old copies: each log is moved to the next numbered name, and the 11th is deleted.
Because an unprivileged user controls the contents of that directory, both the move and the delete can be redirected with symbolic links. That yields two distinct primitives (arbitrary file delete and arbitrary file move), each of which can be turned into privilege escalation.
In the proof-of-concept video for the file-delete case, the researcher runs an executable named "VBoxEoP_del.exe" that plants an entry named VBoxSDS.log.11 in C:\ProgramData\VirtualBox, so that the SYSTEM-level log rotation deletes a file of the attacker's choosing instead of a genuine log.
Chained with a Windows Installer (Config.msi) trick that turns an arbitrary file delete into code execution as SYSTEM, this gives the researcher a cmd.exe running with NT AUTHORITY\SYSTEM privileges.
The arbitrary file move case works the same way, except that the executable targets the move step of the log rotation in C:\ProgramData\VirtualBox rather than the delete step.
Updating VirtualBox to 7.0.16 or later is strongly advised: with a public PoC available, any local user on an unpatched Windows host can use it to reach SYSTEM.
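The following PowerShell audit is an added example, not code from the article, from Oracle, or from the PoC author. It ties together the mechanism described above and the patch advice: it compares the installed version against the 7.0.16 fix, checks whether low-privilege users can create, rename or delete entries in C:\ProgramData\VirtualBox, and flags any VBoxSDS.log* entry there that is currently a reparse point (a symlink or junction), which is what redirecting the rotation looks like on disk. It assumes the installer records its version in the registry value HKLM:\SOFTWARE\Oracle\VirtualBox\Version; run it from an elevated prompt so Get-Acl and the registry read succeed.

```powershell
# Added audit script (not from the article, Oracle, or the PoC author).
# Checks a Windows host for the conditions CVE-2024-21111 relies on.
# Assumption: the installer stores its version in HKLM:\SOFTWARE\Oracle\VirtualBox\Version.
$FixedVersion = [Version]'7.0.16'
$LogDir       = 'C:\ProgramData\VirtualBox'
$findings     = New-Object System.Collections.Generic.List[string]

# 1. Installed version: anything below 7.0.16 is unpatched.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Oracle\VirtualBox' -ErrorAction SilentlyContinue
if ($reg -and $reg.Version) {
    # Drop any non-numeric suffix (e.g. a beta tag) before parsing the version string.
    $installed = [Version](($reg.Version -replace '[^0-9.].*$', '').TrimEnd('.'))
    if ($installed -lt $FixedVersion) {
        $findings.Add("VirtualBox $installed is older than $FixedVersion: CVE-2024-21111 unpatched")
    }
} else {
    Write-Warning 'VirtualBox version not found in the registry; is it installed?'
}

if (Test-Path -LiteralPath $LogDir) {
    # 2. Directory ACL: can ordinary users create, rename or delete entries in the
    #    directory the SYSTEM service rotates its logs in?
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    $lowPriv = 'Users$|Everyone|Authenticated Users|INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $LogDir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $lowPriv) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings.Add("$($ace.IdentityReference) is allowed '$($ace.FileSystemRights)' on $LogDir")
        }
    }

    # 3. Reparse points (symlinks/junctions) where rotated logs should be indicate
    #    that the rotation is being redirected, as the PoC does.
    $entries = Get-ChildItem -LiteralPath $LogDir -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like 'VBoxSDS.log*' }
    foreach ($e in $entries) {
        if (($e.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings.Add("$($e.FullName) is a reparse point (symlink/junction): possible exploit attempt")
        }
    }
} else {
    Write-Warning "$LogDir does not exist on this host."
}

if ($findings.Count -eq 0) {
    'No CVE-2024-21111 exposure indicators found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The ACL check is intentionally broad: it reports any allow ACE granting write, delete or modify rights to Users, Everyone, Authenticated Users or INTERACTIVE, because any one of those is enough for a local attacker to stage the VBoxSDS.log.11 entry. Treat the reparse-point check as a point-in-time heuristic; an attacker removes the link once the rotation has fired.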