VirtualBox

Ticket #19263 (closed enhancement: fixed)

Opened 2 months ago

Last modified 6 weeks ago

Possibility to infect VMs BIOS

Reported by: Benus
Owned by:
Component: EFI
Version: VirtualBox 6.0.16
Keywords:
Cc:
Guest type: all
Host type: all

Description

This issue was initially reported to the security team, but after some discussion it was mentioned that I should open this in the public bug tracking system (seems strange to me, but...).

Just for reference, here follows the final conclusion from the security team:

"Admin rights give a user the power to do anything on the system. An "evil admin" is more a social component of this bug than a product's security abilities (or its lack thereof). However, we get your point and think that the "validation/check" proposed by you may be an enhancement feature in the product. Since our team (SecAlert) only deals with security vulnerabilities in the product, we will not be able to help you on this further. You could log an enhancement request on VirtualBox's public bug tracker: https://www.virtualbox.org/wiki/Bugtracker"

So the bad use of this knowledge is not my fault.

The case is that it is possible to replace the BIOS that is going to be used by all VMs, and with this all of them would be infected, in a way that the host system and the guest would not detect. It is possible to add a service to run in parallel with the OS, like a RuntimeService or an SMM interrupt.

This affects all versions 6.0.x and 5.x.

The attached file has the details about how to do it.

Attachments

Steps to hack a VirtualBox BIOS_v2.zip (355.1 KB) - added by Benus 2 months ago.

Change History

comment:1 Changed 2 months ago by Benus

Just noticed I didn't add my name to the report. It is Rafael R. Machado.

comment:2 Changed 6 weeks ago by aeichner

  • Status changed from new to closed
  • Resolution set to fixed

The EFI image is part of the signed VirtualBox binaries now, so it is not possible to alter official VirtualBox releases anymore, even by the admin.

However, I think that this report is not security relevant because an admin has much more powerful attack vectors than changing the firmware image. For example an admin might just inject a kernel driver into the host extracting the necessary information or install a custom VirtualBox build which was modified...

Closing as fixed, as the firmware is now incorporated into the signed binaries, but the real solution would be invalid imho.
