Ticket #19263: Steps to hack a VirtualBox BIOS

There’s a new VirtualBox bug report about the ability of an attacker to replace the VirtualBox firmware. The bug report links to a zipped DOCX file. It appears from Oracle’s response that they consider a firmware root-of-trust a future enhancement, not a current bug. Virtualized firmware is interesting to an attacker who already has root on the host OS: it is more accessible than physical firmware, because it is merely files on disk rather than an image in flash, so the entire firmware image is replaceable, not just the files on the ESP.

This issue was initially reported to the security team, but after some discussion it was mentioned that I should open this in the public bug tracking system (seems strange to me, but…). Just for reference, follow the final conclusion from the security team:

“Admin rights give a user the power to do anything on the system. An “evil admin” is more a social component of this bug than a product’s security abilities (or its lack thereof). However, we get your point and think that the “validation/check” proposed by you may be an enhancement feature in the product. Since our team (SecAlert) only deals with security vulnerabilities in the product, we will not be able to help you on this further. You could log an enhancement request on VirtualBox’s public bug tracker: https://www.virtualbox.org/wiki/Bugtracker”

https://www.virtualbox.org/ticket/19263

https://www.virtualbox.org/attachment/ticket/19263/Steps%20to%20hack%20a%20VirtualBox%20BIOS_v2.zip
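Since the ticket’s whole point is that the firmware is just files on disk, the minimum a host owner can do today is pin the hashes of those files and re-check them. The script below is an added example for this post, not code from the ticket, its attachment, or Oracle. It assumes the firmware directory and file names are passed in explicitly; VirtualBox installs VBoxEFI32.fd and VBoxEFI64.fd next to its binaries (/usr/lib/virtualbox on most Linux installs), and the built-in demo uses constructed stand-in files rather than real firmware.

```shell
#!/bin/sh
# Pin-and-verify check for VirtualBox's firmware images on disk.
# Added example for this post; not code from the ticket, its attachment, or Oracle.
# Assumptions: the firmware directory and file names are passed in explicitly.
# VirtualBox installs VBoxEFI32.fd and VBoxEFI64.fd next to its binaries
# (/usr/lib/virtualbox on most Linux installs); the demo below uses
# constructed stand-in files, not real firmware.

# SHA-256 of a file, trying the common tools in turn (coreutils, macOS, OpenSSL).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# make_manifest DIR FILE...  ->  "<sha256>  <file>" per line on stdout.
# Run once on a known-good install and keep the output somewhere the host's
# admin cannot quietly rewrite (off-host, or signed).
make_manifest() {
    dir=$1; shift
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$dir/$f")" "$f"
    done
}

# verify_manifest DIR MANIFEST  ->  one status line per manifest entry:
# "ok NAME", "MODIFIED NAME" (hash mismatch: replaced or patched image) or
# "MISSING NAME". Exit status 1 if any entry is not "ok".
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$(hash_file "$dir/$name")" != "$expected" ]; then
            echo "MODIFIED $name"; rc=1
        else
            echo "ok $name"
        fi
    done < "$manifest"
    return $rc
}

# Demo on constructed stand-in files: pin, verify, then simulate the ticket's
# attack (overwrite one image) plus a deleted one, and verify again.
demo() {
    tmp=$(mktemp -d)
    printf 'stand-in for VBoxEFI64.fd' > "$tmp/VBoxEFI64.fd"
    printf 'stand-in for VBoxEFI32.fd' > "$tmp/VBoxEFI32.fd"
    make_manifest "$tmp" VBoxEFI64.fd VBoxEFI32.fd > "$tmp/firmware.sha256"
    verify_manifest "$tmp" "$tmp/firmware.sha256"
    echo "--- after tampering ---"
    printf 'attacker payload' >> "$tmp/VBoxEFI64.fd"
    rm -f "$tmp/VBoxEFI32.fd"
    verify_manifest "$tmp" "$tmp/firmware.sha256" || echo "verify failed with status $?"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` to see all three states. The caveat is the one SecAlert’s reply turns on: a check that runs on the same host as an “evil admin” can be disabled, or fed a rewritten manifest, by that admin, so this is a detection aid for a monitoring pipeline (ship the manifest and the results off-host), not a root of trust. A real root of trust needs VirtualBox itself, or something beneath it, to verify a signature on the firmware image before the VM starts, which is the validation the ticket asks for and Oracle deferred as an enhancement.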

VirtualBox E1000 Guest-to-Host Escape zero day

https://github.com/MorteNoir1/virtualbox_e1000_0day

VirtualBox 6.0 Beta 1 released

https://forums.virtualbox.org/viewtopic.php?f=1&t=89946

https://blogs.oracle.com/virtualization/oracle-vm-virtualbox-60-beta-1-released

Hmm, it looks like the ChangeLog is not up-to-date yet, so it is unclear what firmware changes have occurred:

https://www.virtualbox.org/wiki/Changelog

VBoxHardenedLoader

[…] What we will target:
– DMI Information;
– IDE/AHCI devices (harddisks, cd-rom’s);
– ACPI OEM Information;
– Ethernet Adapter MAC address;
– PXE Boot data;
– ACPI DSDT (Differentiated System Description Table);
– ACPI SSDT (Secondary System Descriptor Table);
– VGA Video BIOS data;
– BIOS data;
– VM splashscreen (optional, just for nice looking).
[…]

https://github.com/hfiref0x/VBoxHardenedLoader

http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

It requires Visual Studio to build and only targets Microsoft Windows hosts. No Linux, FreeBSD, or Mac OS X support. 😦

Somewhat related, there are also these 2 projects:

https://firmwaresecurity.com/2016/02/07/uefi-virtualbox-tutorial/

https://firmwaresecurity.com/2015/12/24/virtualbox-hardened-loader/

UEFI VirtualBox tutorial

There’s another new GitHub project related to UEFI, this one a tutorial on using UEFI under VirtualBox. Most use of virtualized UEFI occurs under QEMU, but VirtualBox also ships its own EFI firmware built from TianoCore EDK2, the same code base as OVMF (Open Virtual Machine Firmware), so it is nice to see more documentation on using UEFI with VirtualBox, not only QEMU.

Tutorial on making UEFI with CMake and VirtualBox

UEFI Bare Bone Exercise

by Emanuele Ruffaldi using CMake, MXE and VirtualBox/QEMU

Related instructions from OSDev: http://wiki.osdev.org/UEFI_Bare_Bones
Other related projects (Make+QEMU):
– https://github.com/tqh/efi-example
– http://www.rodsbooks.com/efi-programming/hello.html

Requirements:
 * GCC cross compiler x86_64-w64-mingw32. MXE is fine
 * MTools
 * GNU-efi

[…]

https://github.com/eruffaldi/uefiboot

VirtualBox hardened loader

http://www.kernelmode.info/forum/viewtopic.php?f=11&p=27460#p27460
https://github.com/hfiref0x/VBoxHardenedLoader
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

“VirtualBox Hardened VM detection mitigation loader: VBoxAntiVMDetectHardened is a complex of methods implemented to reduce VM detection possibilities of the common malware.”

Interesting, there are UEFI patches for this, as well!
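Both VBoxHardenedLoader posts above list what the loader rewrites (DMI, disk identity, MAC, ACPI, BIOS and VGA ROM bodies) without showing how. The script below is an added example for this post, not the project’s own scripts: it covers the part of that list that VirtualBox’s documented VBoxManage extradata keys reach on any host OS (DMI strings, AHCI disk VPD, NIC MAC), so the Windows-only limitation applies to the loader’s binary patches, not to this configuration half. It assumes the VM name is passed as the first argument, that the VM’s disk sits on port 0 of the SATA (AHCI) controller, and every spoofed value is a placeholder to be replaced with strings copied from a real machine. Set VBOXMANAGE=echo to dry-run without VirtualBox installed.

```shell
#!/bin/sh
# Configuring a VirtualBox VM to present non-default DMI, disk and NIC identity,
# i.e. the configuration half of VBoxHardenedLoader's target list.
# Added example for this post, not the project's own scripts. Assumptions:
# the VM name is $1; every spoofed value is a placeholder; the VM's disk is on
# the SATA (AHCI) controller's port 0. VBOXMANAGE=echo gives a dry run.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# set_cfg VM KEY VALUE: VirtualBox's documented per-VM extradata mechanism.
set_cfg() {
    "$VBOXMANAGE" setextradata "$1" "$2" "$3"
}

spoof_vm() {
    vm=$1
    # DMI/SMBIOS strings the guest reads from its BIOS tables (keys documented
    # in the VirtualBox manual, "Configuring the BIOS DMI Information").
    pcb=VBoxInternal/Devices/pcbios/0/Config
    set_cfg "$vm" "$pcb/DmiBIOSVendor"    "PLACEHOLDER BIOS Vendor"
    set_cfg "$vm" "$pcb/DmiBIOSVersion"   "1.2.3"
    set_cfg "$vm" "$pcb/DmiSystemVendor"  "PLACEHOLDER OEM"
    set_cfg "$vm" "$pcb/DmiSystemProduct" "PLACEHOLDER Model"
    set_cfg "$vm" "$pcb/DmiSystemSerial"  "PLACEHOLDER-SERIAL-001"
    # Disk identity (ATA IDENTIFY data) reported by the AHCI device
    # ("Configuring the Hard Disk Vendor Product Data" in the manual).
    # IDE-attached disks use the piix3ide device keys instead.
    ahci=VBoxInternal/Devices/ahci/0/Config/Port0
    set_cfg "$vm" "$ahci/ModelNumber"      "PLACEHOLDER DISK MODEL"
    set_cfg "$vm" "$ahci/SerialNumber"     "PLACEHOLDER000001"
    set_cfg "$vm" "$ahci/FirmwareRevision" "PH01"
    # NIC MAC: VirtualBox defaults to its own 08:00:27 OUI, a common VM tell.
    # 02:... is a locally administered address, i.e. a placeholder, not a
    # real vendor OUI.
    "$VBOXMANAGE" modifyvm "$vm" --macaddress1 020000AABBCC
    # The binary targets on the loader's list (ACPI tables, PXE ROM) take a
    # file path via VBoxInternal/Devices/acpi/0/Config/CustomTable and
    # VBoxInternal/Devices/pcbios/0/Config/LanBootRom; BIOS and VGA ROM bodies
    # are what the loader's patched images replace and are not set here.
}

# Print every extradata key now set on the VM so the change can be reviewed.
show_cfg() {
    "$VBOXMANAGE" getextradata "$1" enumerate
}

case "${1:-}" in
    "") echo "usage: $0 VMNAME" ;;
    *)  spoof_vm "$1"; show_cfg "$1" ;;
esac
```

Run it with the VM powered off; the DMI and VPD keys are read when the VM starts. `VBoxManage getextradata "$vm" enumerate` afterwards shows exactly what will be presented to the guest, which is also where an analyst checks whether a sandbox VM was ever hardened this way.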

VirtualBox 5.02 released

A few days ago Oracle released a new version of VirtualBox. It is a maintenance release: no huge new features that I noticed, but lots of bugfixes, many related to hardware security issues, though no CVEs that I noticed.

https://blogs.oracle.com/virtualization/entry/oracle_vm_virtualbox_5_08

https://www.virtualbox.org/wiki/Changelog

VirtualBox 5.0 released

Oracle released version 5.0 of VirtualBox yesterday. I don’t see any firmware features listed in the press, and I’ve not had a chance to do a code review of the new code yet. It has improved CPU and USB 3.0 support, at minimum.

QEMU (with or without KVM) is the main platform for running OVMF, TianoCore’s UEFI firmware for virtual machines. Xen can boot OVMF as well, and VirtualBox ships its own EFI firmware built from the same EDK2 code base, so each supports UEFI guests to some degree. VirtualBox can also be rebuilt with EFI-specific build options that enable additional UEFI diagnostics.

https://www.oracle.com/corporate/pressrelease/oracle-vm-virtualbox-5-070915.html

https://blogs.oracle.com/virtualization/entry/oracle_vm_virtualbox_5_07

(In somewhat related news, back in March, Oracle’s Linux distro got Secure Boot support.)

https://blogs.oracle.com/wim/entry/secure_boot_support_with_oracle

CrowdStrike announces Venom vulnerability

As reported by Robert Hackett at Fortune, CrowdStrike has published research on a new vulnerability that impacts virtualization. VENOM stands for “Virtualized Environment Neglected Operations Manipulation”; it is CVE-2015-3456, a buffer overflow in the virtual floppy disk controller (FDC) code that originated in QEMU, which is why it impacts QEMU, Xen, KVM, and VirtualBox, among others.

(It must be a big deal, as it already has an icon. I think Heartbleed took longer to get its icon.)

More information:
http://venom.crowdstrike.com/
http://fortune.com/2015/05/13/venom-vulnerability/