<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Kavita,<br>
<br>
I hope you will forgive us our reluctance to discuss product
security in details in public forums. I can assure you, though,
that the set-uid-to-root approach is a necessary and, to our
knowledge, secure measure. Below I've give a couple of clues to
help you a tiny bit along.<br>
<br>
On 3/14/2014 9:55 PM, Kavita Agarwal wrote:<br>
<blockquote
cite="mid:CAHcj040buvxn3jEWk0rxUCQC_jg3QFv0w5mZdY3rd3w4QzGZYg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div dir="ltr">
<div class="im">There seems to exist a cookie based
authentication mechanism for these requests. However, static
cookie values are used - which may explain the need to
restrict these requests to be issued by only root to avoid
an attacker messing with a running VM.</div>
</div>
</div>
</blockquote>
The cookies are still there for hysterical raisins, dating back to
long before VirtualBox was open sourced (IIRC) and the world was a
different place security wise.<br>
<br>
<blockquote
cite="mid:CAHcj040buvxn3jEWk0rxUCQC_jg3QFv0w5mZdY3rd3w4QzGZYg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div dir="ltr">
<div class="im">
<div style="font-family:arial,sans-serif;font-size:13px">If
the /dev/vboxdrv is opened for access to all, a possible
attack can be that the attacker will guess the pSession
pointer and use that as an argument in pReq to send fake
ioctl requests for other VMs. </div>
</div>
</div>
</div>
</blockquote>
If you study the SUPDrv-linux.c file, you will see that the pSession
pointer is associated with the file descriptor for /dev/vboxdrv.<br>
<br>
<blockquote
cite="mid:CAHcj040buvxn3jEWk0rxUCQC_jg3QFv0w5mZdY3rd3w4QzGZYg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div dir="ltr">
<div class="im">
<div style="font-family:arial,sans-serif;font-size:13px">Please
let us know if we are missing something or is our
understanding correct?</div>
</div>
</div>
</div>
</blockquote>
I'm sorry to have to say this, but I'm afraid your understanding is
far from complete at this point, both with respect to what vboxdrv
is capable of doing and how it works. VirtualBox has become a
relatively complicated affair over the years, so figuring out the
more paranoid parts isn't necessarily straight forward.<br>
<br>
Kind Regards,<br>
bird.<br>
</body>
</html>