Oracle VirtualBox Elevation of Privilege Vulnerability (CVE-2024-21111): PoC Published

Security researcher Naor Hodorov has published a proof-of-concept (PoC) exploit for a severe vulnerability, CVE-2024-21111, in Oracle VirtualBox. The flaw affects VirtualBox versions before 7.0.16 and lets an attacker who already has a low-privileged local account on a Windows host running VirtualBox escalate to SYSTEM.

CVE-2024-21111 PoC

How It Works

The flaw lies in how VirtualBox rotates its log files. The rotation runs with system privileges, and an attacker who can influence the paths it touches can turn its file deletes and moves against files of their choosing, which is enough to take over the host.

Specifically, CVE-2024-21111 lets an attacker with low-privileged access to the host escalate to NT AUTHORITY\SYSTEM, the highest privilege level on Windows. VirtualBox keeps its logs under C:\ProgramData\VirtualBox and, on rotation, moves each existing log to a backup position by appending an ordinal number. Because of a flaw in how the rotation handles more than ten logs, these privileged delete and rename operations are exposed to symbolic link attacks, giving the attacker an arbitrary file delete or move as SYSTEM. By default, standard users can create files and folders under C:\ProgramData, which is what lets a low-privileged attacker plant the link in the first place.
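To make the bug class concrete, here is an added example that simulates the pattern described above on a POSIX system. It is not VirtualBox's code and not the published PoC: a Linux symlink stands in for an NTFS junction, the log file name VBoxSDS.log and the ten-copy limit are assumptions, and the "protected" directory contains a file whose name happens to match the rotation scheme, a simplification of how the real exploit chooses its target. The naive rotation resolves paths through whatever sits in the log directory; the hardened variant opens the directory with O_NOFOLLOW, checks its owner, and performs every operation relative to that handle.

```python
import errno
import os
import tempfile

LOG_NAME = "VBoxSDS.log"   # assumed log file name; the article only names the directory
MAX_LOGS = 10              # number of backup copies kept, per the article


def rotate_logs_naive(log_dir: str) -> list:
    """Rotation as the article describes it: drop <name>.10, then shift
    <name>.N -> <name>.N+1. Every path is resolved through log_dir, so if an
    attacker has turned log_dir into a link to another directory, the delete
    and the renames land there instead of in the real log directory."""
    actions = []
    oldest = os.path.join(log_dir, f"{LOG_NAME}.{MAX_LOGS}")
    if os.path.exists(oldest):
        os.remove(oldest)
        actions.append(("delete", oldest))
    for n in range(MAX_LOGS - 1, 0, -1):
        src = os.path.join(log_dir, f"{LOG_NAME}.{n}")
        dst = os.path.join(log_dir, f"{LOG_NAME}.{n + 1}")
        if os.path.exists(src):
            os.rename(src, dst)
            actions.append(("rename", src, dst))
    return actions


def rotate_logs_safe(log_dir: str) -> bool:
    """Hardened variant: open the directory itself with O_NOFOLLOW so a link
    planted in its place is rejected, check that the directory belongs to the
    service's own user, then do every delete/rename relative to that handle so
    nothing can be swapped between the check and the use. Returns False when
    it refuses to rotate. POSIX only (uses O_DIRECTORY, dir_fd, geteuid)."""
    try:
        dfd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            return False          # log_dir is a link, not a real directory
        raise
    try:
        if os.fstat(dfd).st_uid != os.geteuid():
            return False          # directory was created by someone else
        try:
            os.unlink(f"{LOG_NAME}.{MAX_LOGS}", dir_fd=dfd)
        except FileNotFoundError:
            pass
        for n in range(MAX_LOGS - 1, 0, -1):
            try:
                os.rename(f"{LOG_NAME}.{n}", f"{LOG_NAME}.{n + 1}",
                          src_dir_fd=dfd, dst_dir_fd=dfd)
            except FileNotFoundError:
                pass
        return True
    finally:
        os.close(dfd)


def simulate_attack() -> dict:
    """Constructed scenario: 'programdata' stands in for the world-writable
    C:\\ProgramData and 'victim' for a protected directory. The attacker
    plants a symlink named VirtualBox (the stand-in for a junction) pointing
    at 'victim' and waits for the privileged rotation to run."""
    with tempfile.TemporaryDirectory() as tmp:
        programdata = os.path.join(tmp, "programdata")
        victim = os.path.join(tmp, "victim")
        os.makedirs(programdata)
        os.makedirs(victim)
        target = os.path.join(victim, f"{LOG_NAME}.{MAX_LOGS}")
        with open(target, "w") as f:
            f.write("protected file the attacker wants gone\n")

        log_dir = os.path.join(programdata, "VirtualBox")
        os.symlink(victim, log_dir)   # attacker's link in the writable tree

        rotate_logs_naive(log_dir)
        naive_deleted = not os.path.exists(target)

        # Put the target back and run the hardened rotation against the same link.
        with open(target, "w") as f:
            f.write("protected file the attacker wants gone\n")
        refused = not rotate_logs_safe(log_dir)
        safe_kept = os.path.exists(target)

        return {"naive_deleted_victim": naive_deleted,
                "safe_refused": refused,
                "safe_kept_victim": safe_kept}


def simulate_normal_rotation() -> list:
    """Sanity check: with a real directory holding three logs, the hardened
    rotation shifts each one up a slot and reports success."""
    with tempfile.TemporaryDirectory() as tmp:
        for n in (1, 2, 3):
            open(os.path.join(tmp, f"{LOG_NAME}.{n}"), "w").close()
        ok = rotate_logs_safe(tmp)
        return [ok] + sorted(os.listdir(tmp))


if __name__ == "__main__":
    print(simulate_attack())
    print(simulate_normal_rotation())
```

The point of the hardened version is not the symlink check alone but the combination: refusing a linked directory, verifying who owns it, and then never re-resolving a path string for the actual operations. On Windows the equivalent is opening the directory with FILE_FLAG_OPEN_REPARSE_POINT and performing the renames and deletes by handle, or simply keeping privileged log rotation out of directories that unprivileged users can write to.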

Credit: mansk1es

Risk Factors

  • Easy to exploit: the attack is low complexity and a working PoC is public, so any local user on an unpatched host can reproduce it. It does require an existing foothold on the host, so the exposed population is the host's local users, not the internet at large.
  • Targets Windows: the vulnerable log handling is in the Windows host build; this CVE does not affect VirtualBox on other host operating systems.
  • Full system compromise: successful exploitation yields NT AUTHORITY\SYSTEM, which means complete control of the host and of every VM it runs.

The Fix: Oracle’s Patch

Oracle addressed the vulnerability in its April 2024 Critical Patch Update. That update is notable for its size: it fixes a total of 441 security vulnerabilities across Oracle's product lines, not just VirtualBox.

In this latest patch cycle, Oracle Communications received the lion’s share of attention, with 93 patches making up approximately 21% of the total patches released. This was closely followed by Oracle Fusion Middleware and Oracle Financial Services Applications, which saw 51 and 49 patches, respectively.

If you run Oracle VirtualBox on a Windows host, update to version 7.0.16 or later now. With a public PoC available, every unpatched host should be treated as giving any local user a path to SYSTEM.