CVE-2020-2703
20 February 2020
Hi!
Recently I discovered an issue in the VirtualBox VM hypervisor.
This famous piece of software can be extended by using the so-called
VirtualBox extension packs. These packs enable the platform
to have enhanced features, and one of them is PCIe pass-through.
I'm an avid user of PCIe pass-through in KVM, and I wanted
to try this kind of feature also in the VirtualBox hypervisor.

This feature can be activated by using the --pci-attach flag and
specifying a PCI bus to attach to the virtual machine.
Obviously, this feature must be regulated by some kind of
group-restricted or super-user-only access, but that is not the case.
This can lead to two problems:
- Any unprivileged user on the machine can pass a device of the machine causing (at least) a denial of service.
- Any unprivileged user on the machine can steal data from devices excluding them from the host.
RAID-1 into the virtual machine, placing the disks on different PCI buses.
This experiment can lead to the leak of /etc/shadow files or analogous leaks.
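The practical consequence of the issue above for a multi-user host is that a VM definition owned by an ordinary user may carry host PCI attachments. The following audit script is an added example, not code from the original post or from VirtualBox: it scans .vbox settings files, extracts attached host PCI devices, and flags files whose owner is not in an allowed list. It assumes that the .vbox XML records pass-through devices as <HostPci><Device host="..." guest="..."/></HostPci>; that element layout and the sample file embedded below are constructed for the example.

```python
import os
import pwd
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a VirtualBox .vbox settings file. The <HostPci> /
# <Device host="..." guest="..."/> layout is an assumption about the
# VirtualBox settings schema, not taken from the original post.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="passthru-test">
    <Hardware>
      <HostPci>
        <Device host="0x0100" guest="0x0600"/>
        <Device host="0x0200" guest="0x0700"/>
      </HostPci>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# Constructed sample with no pass-through configured, used as a negative case.
SAMPLE_VBOX_PLAIN = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{00000000-0000-0000-0000-000000000002}" name="plain-vm">
    <Hardware/>
  </Machine>
</VirtualBox>
"""


def _local(tag):
    """Strip the XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def pci_attachments(vbox_xml):
    """Return (host, guest) address pairs for every host PCI device attached to the VM."""
    root = ET.fromstring(vbox_xml)
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "HostPci":
            continue
        for dev in elem:
            if _local(dev.tag) == "Device":
                found.append((dev.get("host"), dev.get("guest")))
    return found


def classify(vbox_xml, owner, privileged_users=("root",)):
    """Return a finding dict if the VM attaches host PCI devices, else None.

    The finding marks the VM as 'unprivileged' when its owner is not in the
    list of accounts allowed to hand host devices to a guest.
    """
    devices = pci_attachments(vbox_xml)
    if not devices:
        return None
    return {
        "owner": owner,
        "devices": devices,
        "unprivileged": owner not in privileged_users,
    }


def audit_vbox_file(path, privileged_users=("root",)):
    """Audit one .vbox file on disk, resolving its owner from the file's uid."""
    path = Path(path)
    owner = pwd.getpwuid(os.stat(path).st_uid).pw_name
    finding = classify(path.read_text(), owner, privileged_users)
    if finding:
        finding["file"] = str(path)
    return finding


def audit_tree(root_dir, privileged_users=("root",)):
    """Walk a directory tree (e.g. /home) and collect findings for every .vbox file."""
    findings = []
    for vbox in Path(root_dir).rglob("*.vbox"):
        finding = audit_vbox_file(vbox, privileged_users)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "passthru-test.vbox").write_text(SAMPLE_VBOX)
        (Path(tmp) / "plain-vm.vbox").write_text(SAMPLE_VBOX_PLAIN)
        for finding in audit_tree(tmp):
            status = "UNPRIVILEGED OWNER" if finding["unprivileged"] else "ok"
            print(f"{finding['file']}: owner={finding['owner']} devices={finding['devices']} [{status}]")
```

Run it as root against /home on a shared host to list every VM definition that attaches host PCI devices together with the owning account; a finding marked unprivileged is the condition the post describes.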
In the end I sent a PoC to the Oracle security team, which replied immediately to this issue and fixed the hypervisor.
Bye,
D.